Security Policy

Shared Contacts for Gmail® is dealing with contact information, which very often contains personal data., which manipulation is severely regulated.

We are taking data security very seriously and, as a Google Premium Partner, we are required to abide by numerous security rules. In addition to that, our clients include financial institutions, hospitals, and Fortune 500 companies that require us to provide top of the range security processes.

The general approach towards security is following EBIOS methodology (the main method used in France)

The approach to prevent unauthorized access of our customer data are based on the following principles:

Risk Sources 

3 main risk sources are taken care of:

  • Internal individuals: Employees and Contractors
  • External individuals: Providers, Competitors, Authorized Third Parties…
  • Non-human sources: Viruses, Natural Disasters, Flammable Materials…

Assets

Hardware

Data is exclusively hosted on secured servers, provided by Google Cloud (Google Compute Platform Infrastructure) and data does never transit on other types of hardwares (USB, CDs, mobile phones, local computers etc..).

Databases 

Databases hosting our customers’ data are secured and password protected inside the network. Only managers/team leaders have full to the live data. Developers work on staging data and do not have the possibility to access live data.

Database and gateways passwords are secured in a hard-encryption file that is stored on a separate server and that is used once by live server at each deployment. 


Softwares

We are using a minimal number of third-party tools (Mongo DB, Zabbix etc.) and every installation of a new software has to undergo a strict security clearance, including trojans or spywares. Similarly to the Database, only users who need to access these softwares have credentials and authorization to use them.

Network

Our network is exclusively web-based on Google architecture. We have one employee assigned full-time to security management and access permissions.
Infrastructure access (for instance FTP) is protected by 4 level of restrictions :

  • Google Account (only approved Google email IDs can access to the GCP platform)
  • 2-steps authentication of the Google account : Users logging to the GCP infrastructure have to use confirm their identity using SMS authentication.
  • IP addresses : Only a set of whiltlisted IP addresses. Work from Home users have to communicate their IP address every day.
  • An additional 2-step in-house authentication syste, using the Time-based One-time Password Algorithm (TOTP; specified in RFC 6238) and HMAC-based One-time Password algorithm (HOTP; specified in RFC 4226), for authenticating users.
  • Measures are also in place to prevent DDos or SQL injections.
  • Our employees are also trained to avoid phishing or “cloud based” viruses (that would request them to log to their Google account to open a file for example)

People

  • All employees and contractors are screened before hire. They sign an NDA and are regularly reminded of the security and privacy measures and the risks and penalties related to data breach.
  • The number of users accessing customer data is strictly limited to security and management staff. 
  • Development and support teams can impersonate users and access their contacts in troubleshooting and support purposes only. 
  • All activity on servers and platforms is logged and monitored. Any abnormal activity will be immediately detected (for instance an employee impersonating several users of the same domain in a short period of time with no obvious reason) and will have to justify such activity.