I understand the security of your company's data is extremely important. This page describes select measures we employ to ensure your data is safe. If you have any questions, please don't hesitate to contact us. — Abram Isola, Inkit Co-Founder & CTO
- Systems are hosted in ISO 27001 and FISMA certified data centers managed by Google.
- Physical access is strictly controlled both at the perimeter and at building ingress points.
- Data centers employ on-site security staff, video surveillance, and intrusion detection systems.
- Data centers are housed in nondescript facilities.
- Physical security verified by third-party auditors.
For more information on physical security, please visit https://cloud.google.com/security/.
System and Operational Security
- Security policies and procedures are regularly reviewed as part of the Google SSAE 16 / ISAE 3402 Type II audit process.
- Access to systems are logged and tracked for auditing purposes.
- Regular system patching processes are implemented to provide ongoing protection from exploits.
- There is a firewall in place to prohibit unauthorized system access.
- Inkit’s intrusion detection systems provide an additional layer of protection against unauthorized system access.
File System and Communication
All access to Inkit's website and services is restricted to HTTPS encrypted connections.
User passwords are secured with PBKDF2-SHA256. They are never stored in the database in plain text and are not readable by staff. Passwords do provide access to Inkit's website and services, however, it is the responsibility of the end user to protect their password with care. Inkit currently does not offer two-factor authentication or SSO integration options.
Inkit never collects or stores passwords for external applications. Integrations with third-party apps is done via either OAuth or API keys.
Like Google, Inkit does not encrypt customer data on a disk because it would not increase security. The reason that Inkit does not encrypt customer data on a disk is that the Inkit website, services, and workers need to decrypt the data on demand. This would slow down updates and page response times. Any user with shell access to the file system would have access to the decryption routine, thus negating any security it provides. Therefore, Inkit focuses on making our machines and network as secure as possible.
Customer data is stored on Inkit's production servers. If data is removed from production servers, Inkit does not retroactively delete data from our backups, as Inkit may need to restore data if it was removed accidentally.
Inkit’s default encryption provides the highest level of security that is currently possible with existing technology. Inkit encrypts mailers both when they're stored (data at rest) and when they're being sent (data in motion). Like most security-conscious providers, Inkit uses Transport Layer Security (TLS) to encrypt mailers in transit.
No Inkit staff will access customer data unless required for support or technical reasons. In cases where a staff member must access customer data in order to perform support, Inkit will request your explicit consent each time, except when responding to a critical security issue or suspected abuse.
When working a support issue, Inkit will do our best to respect your privacy as much as possible. Inkit would only access the minimum data and settings needed to resolve your issue. Inkit staff would not have access to clone or export your data.
Credit Card and Banking Information Safety
When customers purchase a paid Inkit subscription, their credit card data is neither transmitted through nor stored on Inkit systems. Instead, Inkit depends on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe's security information is available online.
Keeping customer data safe and secure is Inkit’s top priority. Inkit takes threats very seriously and works hard to protect our customers and their data. Customer input and feedback on Inkit’s security is greatly appreciated.
Your input and feedback on our security as well as responsible disclosure is always appreciated. If you've discovered a security concern, please email us at firstname.lastname@example.org. We'll work with you to make sure we understand the issue and address it. We consider security correspondence and vulnerabilities our highest priorities and will work to address any issues that arise ASAP.
Please act in good faith towards our users' privacy and data during this process. White hat researchers are always appreciated and we won't take legal action against you if acting accordingly.