Keeping our clients’ data secure is the absolute priority at Drag. Our goal is to provide a secure environment, whilst maintaining an uncompromised overall user experience.
To report a vulnerability or other security concern, send an email to [email protected].
Compliant with the EU GDPR (General Data Protection Regulation).
CASA TIER 2
Google’s CASA (Cloud Application Security Assessment) certified.
Drag does not sell the personal information we collect.
Drag is hosted entirely on Amazon Web Services (AWS), providing end-to-end security and privacy features built-in. Our team takes additional proactive measures to ensure a secure infrastructure environment. For additional, more specific details regarding AWS security, please refer to https://aws.amazon.com/security/.
Data Center Security
Drag’s customer data is hosted by Amazon Web Services (AWS), which is certified SOC 2 Type 2, in Virginia, United States.
AWS maintains an impressive list of reports, certifications, and third-party assessments to ensure complete and ongoing state-of-the-art data center security.
AWS infrastructure is housed in Amazon-controlled data centers throughout the world, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access. More information on AWS data centers and their security controls can be found here.
All Drag web application communications are encrypted over TLS 1.2, which prevents third parties from reading traffic in transit and is the same level of encryption used by banks and financial institutions. All data for Drag is encrypted at rest using AES-256 encryption.
Drag maintains ongoing PCI compliance, abiding by stringent industry standards for storing, processing, and transmitting credit card information online.
Drag actively monitors ongoing security, performance, and availability 24/7/365. We run automated security testing on an ongoing basis. We also contract a third party for penetration testing.
Drag’s infrastructure is hosted in a fully redundant, secured environment, with access restricted to operations support staff only. This allows us to leverage complete data and access segregation, firewall protection, and other security features.
- Secure communication with servers over HTTPS, using an encryption key stored locally on the user’s machine. The access key is obtained only by the user through Google’s OAuth.
- Database encrypted at rest and protected by a key of 16 or more alphanumeric characters.
- AWS Key Management Service (KMS) in place to securely manage the cryptographic keys used to access the Gmail API.
Our technical team is fully trained to implement security best practices.
🔑 Secure by design
Most shared inboxes in the market have built their architecture so that when an email is sent to a shared inbox, a copy of the email is sent to every individual user’s inbox. This means that you can’t stop users from forwarding emails externally, for example. Or, if someone leaves the company or a specific team, every email sent to the shared inbox will still be in their inbox.
Needless to say, this dramatically increases the risk of a data breach.
With Drag, if someone leaves your company, they immediately lose access to any future and historical emails in a shared inbox. We do not duplicate emails across multiple inboxes. Technically, Drag shares the account permissions to access a specific inbox, which can be revoked at any time, with immediate effect.
🔒 Security controls.
Architecture, design and threat modeling
- Communication between application components, including APIs, middleware and data layers, uses a single vetted authentication mechanism.
- Application uses approved cryptographic algorithms, and internal secrets and API keys are stored in a secured environment.
Session management verification
- Application sets all cookie attributes securely.
Access control verification
- Directory browsing is disabled, since directory metadata can reveal sensitive information.
Validation, sanitization and encoding verification
- Application has defenses against HTTP parameter pollution attacks, and all security-related HTTP headers are properly implemented.
Stored cryptography verification
- Application protects against cryptographic weaknesses, whether in random number generation, encryption or hashing algorithms, key lengths, rounds or ciphers.
Error handling and logging verification
- Application protects sensitive data from being cached in server components and application caches.
Data protection verification
- Data stored in the browser storage is securely managed by the application.
- Connections to and from the server use trusted TLS certificates.
Malicious code verification
- Application source code and third-party libraries do not contain back doors, such as hard-coded or additional undocumented accounts or keys.
Business logic verification
- Application has anti-automation controls to protect against denial of service attacks.
File and resources verification
- Files obtained from untrusted sources are stored outside the web root, with limited permissions.
API and web service verification
- Application APIs do not expose sensitive information such as API keys, session tokens, etc.
- Application build and deployment processes are performed in a secure and repeatable way, such as CI / CD automation, automated configuration management, and automated deployment scripts.