Gmelius Legal

We're Gmelius, a Swiss registered company whose mission is to transform Gmail into your company's workspace. Our headquarters are based in Geneva, Switzerland.

Gmelius is an official Google Partner.

Learn more

Privacy

GDPR / DPA

Security

Please note that your use of and access to our services (defined below) are subject to the following terms; if you do not agree to all of the following, you may not use or access the services in any manner. If you have any questions, comments, or concerns regarding these terms or the Services, please contact us.

By using the gmelius.com web site ("Service"), or any services of Gmelius (e.g., the browser extension), you are agreeing to be bound by the following terms and conditions ("Terms of Service"). IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY, ITS AFFILIATES AND ALL USERS WHO ACCESS OUR SERVICES THROUGH YOUR ACCOUNT TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS "YOU" OR "YOUR" SHALL REFER TO SUCH ENTITY, ITS AFFILIATES AND USERS ASSOCIATED WITH IT. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICES.

Gmelius reserves the right to update and change the Terms of Service from time to time without notice. Any new features that augment or enhance the current Service, including the release of new tools and resources, shall be subject to the Terms of Service. Continued use of the Service after any such changes shall constitute your consent to such changes. You can review the most current version of the Terms of Service at any time at: https://gmelius.com/terms/

Global Terms

You must be at least 13 years old to use this Service. If you are aged 16 or under‚ please get your parent/guardian's permission beforehand.
You must be a human. Accounts registered by "bots" or other automated methods are not permitted.
You are responsible for maintaining the security of your account. Gmelius cannot and will not be liable for any loss or damage from your failure to comply with this security obligation.
You may not use the Service for any illegal or unauthorized purpose. You must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright laws).
Unless you have the express written permission from Gmelius, you may not distribute Gmelius or any portion thereof to any third parties.
You may not disassemble or reverse engineer Gmelius for any purpose, other than for reviewing the code for personal review, and at all times are bound by Gmelius Terms of Service.

Payment, Refunds, Upgrading and Downgrading Terms

Free users are not required to provide a credit card number or use any payment service. Optional paid services are available on the Website (any such services, an "Upgrade"). By selecting an Upgrade you agree to pay Gmelius the monthly or annual subscription fees indicated for that service. Payments will be charged on a pre-pay basis on the day you sign up for an Upgrade and will cover the use of that service for a monthly or annual subscription period as indicated.
Unless you notify Gmelius before the end of the applicable subscription period that you want to cancel an Upgrade, your Upgrade subscription will automatically renew and you authorize Gmelius to collect the then-applicable annual or monthly subscription fee for such Upgrade (as well as any taxes) using any credit card or other payment mechanism we have on record for you.
Upgrades can be cancelled at any time from your Gmelius Account page. Downgrading your Service may cause the loss of content, features, or capacity of the Service. Gmelius does not accept any liability for such loss.
A refund is available only within 30 days of the original purchase date.

Cancellation and Termination

Gmelius, in its sole discretion, has the right to suspend or terminate your Gmelius account and refuse any and all current or future use of the Service, or any other Gmelius Service, for any reason at any time. Such termination of the Service will result in the deactivation of your account and cancellation of any existing subscription. Gmelius reserves the right to refuse service to anyone for any reason at any time.

Modifications to the Service and Prices

Gmelius reserves the right at any time and from time to time to modify or discontinue, temporarily or permanently, the Service (or any part thereof) with or without notice.
Prices of all Services are subject to change. Changes will be displayed on the Gmelius website (gmelius.com) or the Service itself.
Gmelius shall not be liable to you or to any third party for any modification, price change, suspension or discontinuance of the Service.

You are strictly prohibited from, and agree that you will not, adapt, edit, change, modify, transform, publish, republish, distribute, or redistribute Gmelius or any elements, portions, or parts thereof, including without limitation, to any elements, portions, or parts of Gmelius software (in any form or media) without Gmelius' prior written consent. You agree not to use any automated data collection methods, data mining, robots, scraping or any data gathering methods of any kind on Gmelius different Services.
The look and feel of the Service is copyright (c) Gmelius. All rights reserved. You may not duplicate, copy, or reuse any portion of the HTML/CSS, Javascript, or visual design elements or concepts without express written permission from Gmelius.
If Gmelius discovers that you have used its copyrighted or other protected intellectual property in contravention of the terms described above, Gmelius may bring legal proceedings against you, seeking monetary damages and an injunction against you. You could also be ordered to pay legal fees and costs.

Suggestions to Gmelius

If you submit suggestions to Gmelius through feedback or otherwise, you acknowledge and agree that: (i) your suggestions do not contain confidential or proprietary information; (ii) Gmelius is not under any obligation of confidentiality with respect to the suggestions; (iii) Gmelius shall be entitled to use or disclose (or choose not to use or disclose) such suggestions; (iv) Gmelius may have something similar to the suggestions already under consideration; (v) your suggestions become the property of Gmelius without any obligation of Gmelius to you; and (vi) you are not entitled to any compensation or reimbursement of any kind from Gmelius under any circumstances.

General Conditions

Your use of the Service is at your sole risk. The service is provided on an "as is" and "as available" basis.
Support for Gmelius services is available in English and in French, only via email.
You understand that Gmelius uses third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to run the Service.
You must not modify, adapt or hack the Service or modify another website so as to falsely imply that it is associated with the Service, Gmelius, or any other Gmelius service.
You agree not to reproduce, duplicate, copy, sell, resell or exploit any portion of the Service, use of the Service, or access to the Service without the express written permission by Gmelius.
We may, but have no obligation to, remove Content that we determine in our sole discretion are unlawful, offensive, threatening, libelous, defamatory, pornographic, obscene or otherwise objectionable or violates any party's intellectual property or these Terms of Service.
Verbal, physical, written or other abuse (including threats of abuse or retribution) of any Gmelius customer, employee, member, or officer will result in immediate account termination.
You must not upload, post, host, or transmit unsolicited email, or "spam" messages.
You must not transmit any worms or viruses or any code of a destructive nature.
Gmelius does not warrant that (i) the service will meet your specific requirements, (ii) the service will be uninterrupted, timely, secure, or error-free, (iii) the results that may be obtained from the use of the service will be accurate or reliable, (iv) the quality of any products, services, information, or other material purchased or obtained by you through the service will meet your expectations, and (v) any errors in the Service will be corrected.
You expressly understand and agree that Gmelius shall not be liable for any direct, indirect, incidental, special, consequential or exemplary damages, including but not limited to, damages for loss of profits, goodwill, use, data or other intangible losses (even if Gmelius has been advised of the possibility of such damages), resulting from: (i) the use or the inability to use the service; (ii) the cost of procurement of substitute goods and services resulting from any goods, data, information or services purchased or obtained or messages received or transactions entered into through or from the service; (iii) unauthorized access to or alteration of your transmissions or data; (iv) statements or conduct of any third party on the service; (v) or any other matter relating to the service.
The failure of Gmelius to exercise or enforce any right or provision of the Terms of Service shall not constitute a waiver of such right or provision.

Applicable Law

This Agreement shall be governed in all respects by the substantive laws of Switzerland. Any controversy, claim, or dispute arising out of or relating to the Agreement shall be subject to the jurisdiction of the competent courts of the Canton of Geneva, the jurisdiction of the Swiss Federal Court being expressly reserved.

At Gmelius, we take your privacy extremely seriously (and we mean it). We believe you should always know what data we collect from you and how we use it, and that you should have meaningful control over both. We want to empower you to make the best decisions about the information that you share with us.

This Privacy Policy covers our treatment of personally identifiable information (“Personal Information”) that we may gather when you are accessing or using our Services, but not to the practices of companies we don't own or control, or people that we don't manage.

Who are we?

We're Gmelius, a Swiss registered company CHE-411.148.873 whose mission is to research, develop and release products that transform your inbox into an advanced communication platform. Our headquarters are based in Geneva, Switzerland.

Data Collection

Our company's overriding policy is to collect as little user information as possible. Gmelius may retrieve and store your:

Name;
Email address;
Profile picture or Gravatar;
Timezone and language;
Gmail signatures and aliases;
List of labels and calendars;
Gmelius configuration and data (e.g., settings, subscription details, templates, notes, campaigns);
Thread IDs, Draft IDs, Message IDs if linked to a Gmelius feature (e.g., shared label, sequence).

We only communicate with Google servers through the Gmail's API (OAuth). You can revoke access at any time. We store the subject and recipients of your tracked emails in order to notify you of opens and display related activities. Once using our Services, we may communicate with you if you've provided us the means to do so. For example, we may send you promotional email offers, or email you about your use of the Services. Also, we may receive a confirmation thanks to a tracking pixel when you open an email from us. This confirmation and helps us make our communications with you more interesting and improve our services.

Your choices

You have a choice about whether or not you wish to receive information from us. If you do not want to receive communications from us about our products and services, then you can select your choices by ticking the relevant boxes situated on your Account page. You have a choice to access and export all your Gmelius data from the Gmelius dashboard. You have a choice to rectify at any time your personal information by contacting Gmelius support. You have a choice to delete all data associated with your Gmelius account by heading to your Account page.

Data Use

We do not have any advertising on our site. Any of the information we collect from you may be used in one of the following ways:

To personalize your experience, i.e, your information helps us to better respond to your individual needs;
To improve our Services, i.e., we continually strive to improve our service based on the information and feedback we receive from you;
To improve customer service, i.e., your information helps us to more effectively respond to your support needs.

Any data that we do have will never be shared except under the circumstances described below in Data Disclosure.

Data Disclosure

We do not sell or trade your personal information. We may transfer or share your personal information with trusted and GDPR-compliant third parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others' rights, property, or safety.

Data Protection

We protect your data throughout the data flows of the Gmelius product, from account creation and integration through Google's OAuth service, to encryption of data in transit to Gmelius servers (using browser-based TLS) and encryption of that data at rest (using AES-256), to a variety of administrative, physical, and technical safeguards designed to create a secure environment for our customers' data. We're an official Google Cloud partner. All Gmelius applications include failover and backup instances and our infrastructure respects and maintains industry-standard security certifications, including ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP ATO and PCI DSS v3.2.

Third Party Analytics Services

We may use third party analytics services. Currently, we use the analytics services of Google Analytics which is configured to anonymize your IP addresses and not transmit any personally identifiable information (PII), and Mixpanel, Inc. Mixpanel's analytics services allow us to learn how you use our services by giving us the ability to collect information based on your interaction with our Services. Mixpanel does this in part using a first party cookie placed on your device from Gmelius' server. Some information is automatically collected from or about you when you use our Services. The Mixpanel analytics services may also by default collect the following from your usage of our Services: the time of an event, how you came to Gmelius' site, what search engine and search keywords you may have used to get to our site, information about the device you are on such as your operating system, and browser, as well as your city/country location, and unique anonymized IDs for push notifications. The emails we send to you through Mixpanel's services may contain web beacons to track on our behalf when you open and act upon such emails. For more information on Mixpanel's privacy practices, please refer to their Privacy Policy.

Third Party Payment Services

We rely on third parties to process credit card transactions and do not store your credit card details. Currently, we use the service of Stripe, Inc. (certified PCI level 1). For more information on Stripe's privacy practices, please refer to their Privacy Policy.

Links to Other Web Sites

This Privacy Policy applies only to the Services. The Services may contain links to other web sites not operated or controlled by Gmelius (the “Third Party Sites”). In addition, our Services include social media features, such as links to our Facebook, Google+, Twitter, and LinkedIn pages. Your interactions with our information on such Third Party Sites are governed by the privacy statement of the provider of such Third Party Site. The policies and procedures we described here do not apply to the Third Party Sites. The links from the Services do not imply that Gmelius endorses or has reviewed the Third Party Sites. We suggest contacting those sites directly for information on their privacy policies.

16 or Under

We are concerned to protect the privacy of children aged 16 or under. If you are aged 16 or under‚ please get your parent/guardian's permission beforehand whenever you provide us with personal information.

Modifications to Privacy Policy

The Services and our business may change from time to time. As a result, at times it may be necessary for Gmelius to make changes to this Privacy Policy. Gmelius reserves the right to update or modify this Privacy Policy at any time and from time to time. We will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on this Site of any material changes to this Privacy Policy. Please review this policy periodically, and especially before you provide any Personal Data. Your continued use of the Services after any changes or revisions to this Privacy Policy shall indicate your agreement with the terms of such revised Privacy Policy.

Applicable Law

Gmelius is committed to complying with the General Data Protection Regulation (“GDPR”), and enabling our customers to comply with the latter data protection law. We follow a strict Privacy by Design framework and maintain a robust privacy and security program that we continually assess and improve. We understand the GDPR has robust requirements and obligations for both data controllers and data processors and we are committed to helping our customers use Gmelius in a compliant manner. Our DPA is available below so that our customers can be confident that their data is processed in a lawful and transparent manner.

This GDPR Data Processing Addendum (“DPA”) forms part of the Master Services Agreement or Terms of Use available at [https://gmelius.com/terms](https://gmelius.com/terms) or such other location as the Terms of Use may be posted from time to time (as applicable, the “Agreement”), entered into by and between the Customer and Gmelius (Gmelius SA / Gmelius AG) (“Gmelius”), pursuant to which Customer has accessed Gmelius' Application Services as defined in the applicable Agreement. The purpose of this DPA is to reflect the parties' agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below.

If the Customer entity entering into this DPA has executed an order form or statement of work with Gmelius pursuant to the Agreement (an “Ordering Document”), but is not itself a party to the Agreement, this DPA is an addendum to that Ordering Document and applicable renewal Ordering Documents. If the Customer entity entering into this DPA is neither a party to an Ordering Document nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity that is a party to the Agreement executes this DPA.

This DPA shall not replace or supersede any agreement or addendum relating to processing of personal data negotiated by Customer and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA.

In the course of providing the Application Services to Customer pursuant to the Agreement, Gmelius may process personal data on behalf of Customer. Gmelius agrees to comply with the following provisions with respect to any personal data submitted by or for Customer to the Application Services or collected and processed by or for Customer through the Application Services. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.

Data Processing Terms

In this DPA, “Data Protection Legislation” means European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/679)), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction.

The terms “data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation.

The parties agree that Customer is the data controller and that Gmelius is its data processor in relation to personal data that is processed in the course of providing the Application Services. Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provided to Gmelius pursuant to the Agreement.

The subject-matter of the data processing covered by this DPA is the Application Services ordered by Customer either through Gmelius' website or through an Ordering Document and provided by Gmelius to Customer via www.gmelius.com or as additionally described in the Agreement or the DPA. The processing will be carried out until the term of Customer’s ordering of the Application Services ceases.

In respect of personal data processed in the course of providing the Application Services, Gmelius:

Shall process the personal data only in accordance with the documented instructions from Customer (as set out in this DPA or the Agreement or as otherwise notified by Customer to Gmelius). If Gmelius is required to process the personal data for any other purpose provided by applicable law to which it is subject, Gmelius will inform Customer of such requirement prior to the processing unless that law prohibits this on important grounds of public interest.
Shall notify Customer without undue delay if, in Gmelius' opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation.
Shall implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorised or unlawful processing and against accidental or unlawful loss, destruction, damage, theft, alteration, access or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected.
May hire other companies to provide limited services on its behalf, provided that Gmelius complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Gmelius has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Gmelius remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom Gmelius transfers personal data will have entered into written agreements with Gmelius requiring that the subcontractor abide by terms substantially similar to this DPA. A list of subcontractors is available to the Customer in Appendix A of this DPA. If Customer requires prior notification of any updates to the list of subprocessors, Customer can request such notification in writing by emailing Gmelius support. Gmelius will update the list within thirty (30) days of any such notification if Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation. If, in Gmelius reasonable opinion, such objections are legitimate, the Customer may, by providing written notice to Gmelius, terminate the Agreement.
Shall ensure that all Gmelius personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations sets out in this Clause.
At the Customer’s request, shall use commercially reasonable efforts, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GPDR (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data).
Shall take reasonable steps at the Customer’s request to assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Gmelius.
At the end of the applicable term of the Application Services, upon Customer’s request, shall securely destroy or return such personal data to Customer. See: How to permanently delete my account?
May transfer personal data from the EEA to the US for the purposes of this DPA. Gmelius agrees it will provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks. Note that Gmelius is a Swiss company and that the Privacy Shield framework is for U.S. businesses only.
Shall allow Customer and its respective auditors or authorized agents to conduct audits or inspections during the term of the Agreement, which shall include providing reasonable access to the premises, resources and personnel used by Gmelius in connection with the provision of the Application Services, and provide all reasonable assistance in order to assist Customer in exercising its audit rights under this Clause. The purposes of an audit pursuant to this Clause include to verify that Gmelius is processing personal data in accordance with its obligations under the DPA and applicable Data Protection Legislation. Notwithstanding the foregoing, such audit shall consist solely of: (a) the provision by Gmelius of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (b) interviews with Gmelius’ IT personnel. Such audit may be carried out by Customer or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality. For the avoidance of doubt no access to any part of Gmelius’ IT system, data hosting sites or centers, or infrastructure will be permitted. Before the commencement of any such audit, Customer and Gmelius shall mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify Gmelius with information regarding any non-compliance discovered during the course of an audit. Customer may not audit Gmelius more than once annually. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Gmelius expends for any such audit, in addition to the rates for services performed by Gmelius.
If Gmelius becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Gmelius in the course of providing the Application Services (an “Incident”) under the Agreement it shall without undue delay notify Customer and provide Customer (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer Content. Gmelius shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident.
Gmelius shall provide information requested by Customer to demonstrate compliance with the obligations set out in this DPA.

Data Subjects

Any users of the Customers extension, web and mobile applications or any identifiable person to whom personal data is processed by Gmelius on behalf of data controller other than anonymous data. An up-to-date list of data types can be found in our Privacy Policy.

Data Processing Activities

The provision of Application Services by Gmelius to Customer.

Term

This DPA shall remain in effect as long as Gmelius carries out Personal Data processing operations on behalf of Customer or until the termination of the Gmelius Contract (and all Personal Data has been returned or deleted in accordance with Section 8 above).

Last Updated: Apr. 3, 2019

Appendix A

List of Sub-Processors

Sub-Processor	Country	Purpose	GDPR-compliant
Google, Inc.	USA	Cloud Infrastructure, Logging, Analytics	Yes
Drift, Inc.	USA	Helpdesk & Support	Yes
HelpScout, Inc.	USA	Helpdesk & Support	Yes
Stripe, Inc.	USA	Payment Gateway	Yes
Mixpanel, Inc.	USA	Analytics	Yes
Sendgrid, Inc.	USA	Email Delivery Service	Yes
Cloudflare, Inc.	USA	DNS & CDN	Yes
APIHub, Inc.	USA	Business Intelligence	Yes

Gmelius transforms Gmail into your company's workspace. We take our customers' privacy and security very seriously. This page provides an overview of our security policies and technology.

Authentication and Permissions

When a user installs Gmelius, we create a Gmelius account for the user and link it with the user's Google account. We ask the user for permission to connect to her or his Google account and authenticate that connection via Google Apps OAuth. This means that each users' Gmelius account has the same industry-leading login security as their Google account. Users can add 2-factor authentication via Google if they choose.

Gmelius requests access to the following Google information so that our features can work:

Read, send, delete, and manage your email

Gmelius requests these permissions so we can provide you with features like open, click, and reply tracking, shared labels, campaigns.

Manage your basic mail settings

Gmelius needs access to your mail settings so we can replicate your existing preferences, including email aliases and email signatures.

Manage your calendars

Gmelius enables you to synchronize your Gmelius Kanban boards with specific calendars, making possible to link a card or task with a calendar's event.

Data Collection

Upon installation, we ask the user for consent to connect to her or his Google account and authenticate that connection via Google Apps OAuth. This is a two-step process. In the first step, Gmelius notifies the user that use of the Gmelius products are subject to the terms of the Gmelius Terms of Service and Privacy Policy, each of which describes how we process a user's data. The user must then click “Activate Gmelius” to proceed to the second step. In the second step, Google Apps provides notice of the types of information that will be accessible by Gmelius and the scope of the authorization the user is giving to Google and to Gmelius to enable the connection, and the user must click “Allow” to proceed with using the Gmelius product.

Our company's overriding policy is to collect as little user information as possible. Gmelius may retrieve and store your:

Name;
Email address;
Profile picture or Gravatar;
Timezone and language;
Gmail signatures and aliases;
List of labels and calendars;
Gmelius configuration and data (e.g., settings, subscription details, templates, notes, campaigns);
Thread IDs, Draft IDs, Message IDs if linked to a Gmelius feature (e.g., shared label, sequence).

We also store the subject and recipients of your tracked emails in order to notify you of opens and display related activities.

Data Protection

We're an official Google Cloud partner and use Google Cloud Platform ("GCP") to persistently store user data meaning we do not store data on our premises. All Gmelius applications include failover and backup instances and our infrastructure respects and maintains industry-standard security certifications, including ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP ATO and PCI DSS v3.2. Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK). For more information, please see Google Cloud.

All user data is tagged with a project-specific token, and a customer must have access to the corresponding API key and secret in order to retrieve that data via API. This provides logical separation between data belonging to multiple clients. Gmelius is the sole tenant on our infrastructure. A user's data may reside on database systems which house data belonging to other users, but our logical controls (token, key and secret) separates one client from another client's data.

Data Confidentiality and Retention

We do not rent, sell or trade your Personal Information to third parties. We may disclose some of your Personal Information with specific trusted third-parties or sub-processors as specified in our Privacy Policy.

Access to user data by Gmelius employees is limited to an as-needed basis, e.g., to resolve customer issues. When such access is required, only personnel with a direct need will access the Gmelius-related data, and such access will be limited as much as possible. Breach of this policy by a Gmelius employee is a serious matter, requiring investigation and appropriate disciplinary action, up to and including termination as well as legal action.

A Gmelius user can delete at any time ĥer or his Gmelius account and remove all data associated with that account from the Gmelius Account page.

Incident Response and Remediation

We monitor our systems 24/7/365 with a variety of performance measurement and error-checking tools. When problems are detected, our ops team is notified immediately, and the issues are investigated. We work closely with our hosting providers to ensure that underlying systems remain secure, and any security breaches are investigated, patched and remediated promptly.

Our system operations are logged, and the logs are stored for at least a 7-day period in the cloud. If needed, these logs may be mined to investigate incidents or to reconstruct a chain of events.

When a serious incident occurs, or a long interval of downtime is anticipated, we notify our users via our blog, Twitter and/or email. Should a security breach occur, we will promptly notify affected users of the nature and extent of the breach, and take steps to minimize any damage.

Imprint

Gmelius. (Gmelius SA / Gmelius AG)
Chemin du Pré-Fleuri, 3
CH-1228 Plan-les-Ouates
Geneva, Switzerland
Contact us
Registration number: CHE-411.148.873