Terms & Policies

Security


Last Revised: 9 February, 2023
Effective Date: 9 February, 2023

The security and privacy of your information is important to us, and we maintain a variety of appropriate technical and procedural safeguards to protect your personal data in an effort to prevent loss, misuse, unauthorised access, disclosure, alteration, or destruction.

No person employed by, or affiliated with Sortd, has access to personal data about you, unless we believe, they have a legitimate business need to access that information in order to provide products or services to you or to do their jobs (such as customer support). No Sortd staff have routine access to your email.

Please be aware, however, that despite our efforts, no security measures are perfect or impenetrable, and no method of data transmission can guarantee against any interception or any other type of misuse.

These Terms form part of Sortd's Privacy Policy.

Google Services Disclosure

Sortd makes use of various Google Services and as such uses Google APIs. Sortd's use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Google’s requirements mean that in order to access some of Google’s APIs (Gmail, in particular) Sortd undergoes an annual independent security audit, wherein Sortd needs to satisfy Google security and privacy requirements.

Authentication

Sortd uses the industry standard OAuth process to authenticate you and access your Google account and as such Sortd does not know, see or store, your access credentials. All communication between Sortd’s applications and Sortd backend systems, as well as the communication between Sortd and Google’s systems, is secured with TLS (SSL) v1.2 (or higher) encryption.

You however must keep your password/login credentials confidential and not disclose it to any other person. Disclosure, of your login credentials, intentional or otherwise, will negate any security we put in place. Consequently, you are responsible for all uses of the Service by any person using your password. Therefore, please advise us immediately if you believe your login credentials has been misused.

Authorisation and Permissions

During the OAuth process you will be asked to give Sortd permission to access your Google account. These permissions are required in order for the Service(s) to provide the functionality of the Sortd offering.

Additional permissions may be requested depending on which Sortd tools you make use of; for example the Sortd Chrome Extension will ask for permissions that are unique to Chrome Extensions, whereas the mobile application(s) and Gmail Add-on will ask for different sets of permissions.

Google OAuth Permissions

These are the initial permissions you grant when logging in to the Service for the first time and are required in order to make use of the Services.

These permissions enable the Service to access to your Google account, through Google controlled interfaces for activities which cannot be done simply through the Gmail website. These permissions also allow Services to obtain some basic information about you, such as your email address and name.

By providing these permissions Google provides Sortd security tokens, using the industry standard OAuth mechanism. Sortd never receives your Gmail password, and you can revoke the Sortd security tokens (and hence permissions) at any time via the Google security tools.

Email Permissions

During the OAuth process Sortd will request permissions to Gmail, which Google may display as, the ability to:

  • Read, compose, send, and permanently delete all your email from Gmail
  • Have Offline access

These permissions are required in order to allow the Service to interact with your email and to perform offline actions such as sending reminders even when you are not in front of your computer using the Service.

The permissions are required, because of the way the permissions system works on Gmail. Sortd does NOT read the content of your email, additionally Sortd will never delete your email unless you specifically ask it to, or it is performing a shared email email sync which causes the old email to be replaced by a newer updated version of the shared email thread.

Sortd Chrome Extension Permissions

The main component of Sortd is implemented as a Chrome Extension, which requires permissions in order to be installed into your Chrome browser.

The Chrome Extension will request the following permission:

  • Read and change your data on app.sortd.com and mail.google.com


This permission allows Sortd to load when you open Gmail (mail.google.com) and interact with the Sortd backend services (app.sortd.com).

Sortd Gmail Add-on Permissions

These are the permissions that you are requested to provide when you install the Sortd Gmail Add-on.

The Sortd Gmail Add-on allows Sortd to provide functionality inside the Gmail mobile application on Android and iOS (and web browser, if you don’t have the Chrome Extension installed).

The Add-on will ask for the following permissions, which are inherent to all Gmail add-on’s and not specific to Sortd:

  • View your email message metadata when the add-on is running
  • Run as a Gmail add-on
  • Connect to an external service
  • View and manage data associated with the application

Why does Sortd need so many Permissions?

Much of the functionality that Sortd Services provide require access to Gmail via the Gmail API. This is a backend system that Google makes available for services such as Sortd to provide enhanced capabilities, over and above what is ordinarily available in Gmail. The Gmail API requires each Google user to permit access to their email. Google has a rigorous verification program, that Sortd Services have to go through, that ensures that the permissions Sortd requests are inline with the functionality provided, as well as the security and privacy of our mutual users.

Furthermore, it should be noted that Sortd does not store your email content, but only certain email metadata such as the MessageId, Sender, Subject and Date are stored in Sortd and only when certain Sortd features are used.

Sortd does not store the actual email content (body), but may store the email metadata mentioned above in cases such:

  • the email message is added to a Sortd Board, and/or
  • the email message is ‘snoozed’ or has a reminder set on it

Simply reading email inside Sortd does not result in Sortd storing any data of any kind.

In certain cases, Sortd does, however, need to access and modify bodies of emails such as for the purpose of providing the email tracking feature. In this case, when enabled by the user, Sortd specifically adds a tracking pixel to the bodies of emails just prior to the the email being sent.

Additionally, Sortd provides shared email functionality which is enabled on Shared Boards (available on Team subscriptions only). In the case that an email has been added to a Shared Board, that email thread will sync the to the Gmail Inbox(es) of all members of the Shared Board. If that email is updated (e.g. email reply) Sortd will temporarily store the email (including the body and attachments) being synced, until all Gmail Inboxes are up to date. This is required to ensure durability and ensure that no email is lost, but the process is normally complete within a matter of seconds, after which the email is deleted permanently from Sortd’s infrastructure.

How is my Data Secured?

All Sortd’s services and applications run in a virtual private cloud (VPC) hosted in the USA on Amazon Web Services (AWS) infrastructure; All systems and data stores have failover and backup instances and all user data persisted, is stored in an encrypted form. Additionally, all networks and servers have firewalls and restricted access permissions, to permit only the minimum network traffic necessary to run the services.

Sortd does not store credit card details as we rely on third parties to process credit card transactions. Currently, we use the service of Stripe, Inc. (certified PCI level 1). For more information on Stripe's privacy practices, please refer to their privacy policy.

For more information on AWS security and compliance policies they can be viewed here and here respectively.

How does Sortd handle Incidents?

We monitor our systems continuously with a variety of performance measurement and error-checking tools. When problems are detected, our operations team is notified, and the issues are investigated.

We implement best security practices where ever possible such as those promoted by AWS and the Centre for Internet Security (CIS) to ensure that underlying systems remain secure, and any security breaches are investigated, patched and remediated promptly.

When a serious incident occurs, or a long interval of downtime is anticipated, we notify our users via our blog, Twitter and/or email. Should a security breach occur, we will promptly notify affected users of the nature and extent of the breach, and take steps to minimise any damage.

Vulnerability Disclosure

Sortd has now formalised our policy for accepting vulnerability reports in our products. We hope to foster an open  partnership with the security community, and we recognise that the work the community does is important in continuing to ensure safety and security for all of our customers.

For more Information please see the Sortd Vulnerability Disclosure Program.