Gmelius provides lightweight, collaborative client relationship management (CRM) software built around email and seamlessly integrated into Gmail and Google Inbox. We take our customers' privacy and security very seriously. This page provides an overview of our security policies and technology.
Authentication and Permissions
When a user installs Gmelius, we create a Gmelius account for the user and link it with the user's Google account. We ask the user for permission to connect to her or his Google account and authenticate that connection via Google Apps OAuth. This means that each user's Gmelius account has the same industry-leading login security as their Google account. Users can add 2-factor authentication via Google if they choose.
Gmelius requests access to the following Google information so that our features can work:
Read, send, delete, and manage your email
Gmelius requests these permissions so we can provide you with features like open, click, and reply tracking, send later, and snooze/follow-up.
Manage your basic mail settings
Gmelius needs access to your mail settings so we can replicate your existing preferences, including undo send, email aliases, and email signatures.
Manage your calendars
Gmelius enables you to synchronize your Gmelius Kanban boards with specific calendars, making it possible to link a card or task with a calendar event.
We protect your data throughout the data flows of the Gmelius product, from account creation and integration through Google's OAuth service, to encryption of data in transit to Gmelius servers (using browser-based TLS) and encryption of that data at rest, to a variety of administrative, physical, and technical safeguards designed to create a secure environment for our customers' data.
We're an official Google Cloud partner and use Google Cloud Platform ("GCP") to persistently store user data, meaning we do not store data on our premises. All Gmelius applications include failover and backup instances and our infrastructure respects and maintains industry-standard security certifications, including ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP ATO and PCI DSS v3.2. Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK). For more information, please see https://cloud.google.com/security/#dataencryption.
All user data is tagged with a project-specific token, and a customer must have access to the corresponding API key and secret in order to retrieve that data via API. This provides logical separation between data belonging to multiple clients. Gmelius is the sole tenant on our infrastructure. A user's data may reside on database systems which house data belonging to other users, but our logical controls (token, key and secret) separate one client's data from another's.
Data Confidentiality and Retention
Access to user data by Gmelius employees is limited to an as-needed basis (e.g., to resolve customer issues). When such access is required, only personnel with a direct need will access the data, and such access will be limited as much as possible. Breach of this policy by a Gmelius employee is a serious matter, requiring investigation and appropriate disciplinary action, up to and including termination as well as legal action.
A Gmelius user can delete her or his Gmelius account at any time and remove all data associated with that account from the Gmelius Account page.
Incident Response and Remediation
We monitor our systems 24/7/365 with a variety of performance measurement and error-checking tools. When problems are detected, our ops team is notified immediately, and the issues are investigated. We work closely with our hosting providers to ensure that underlying systems remain secure, and any security breaches are investigated, patched and remediated promptly.
Our system operations are logged, and the logs are stored for at least a 7-day period in the cloud. If needed, these logs may be mined to investigate incidents or to reconstruct a chain of events.
When a serious incident occurs, or a long interval of downtime is anticipated, we notify our users via our blog, Twitter and/or email. Should a security breach occur, we will promptly notify affected users of the nature and extent of the breach, and take steps to minimize any damage.