Skip to main content


Keeping our clients’ data secure is the absolute priority at Drag. Our goal is to provide a secure environment, whilst maintaining an uncompromised overall user experience.

To report a vulnerability or other security concern, send an email to [email protected].

Frequently Asked Questions

Here are some common security questions. You can also browse the full security section of our Help Center.

– Does Drag store my emails? We do not store the content of your emails. When using Drag, all of your emails are fetched or sent via the Gmail API directly. We also use Gmail’s OAuth to connect to your email account so we do not have access to your password either. You can revoke Drag’s access to your account at any time.

– Why does Drag request permissions to my account? Drag needs certain permissions to your Gmail account in order to work properly. For example, the permission to archive emails to be able to perform this action when you click on the “archive” button on Drag boards. We fully disclose the users’ information we collect, as well as how we use, protect and share them in our privacy policy.

– Is Drag compliant with Google Cloud Security Policies? Our systems fully comply with the Google Cloud Security Policies and are subject to a series of security checks throughout their lifecycles. Every new version of our Chrome extension is manually reviewed by the Google internal audit team to verify that no security policies have been violated and, upon approval, maintained within the Chrome store.

– Is Drag’s security posture audited? We are audited yearly by a third party security company appointed by Google itself. We are happy to share our latest certificate of approval. Click on the button below if you would like to request it.

– Where is Drag incorporated? Drag is operated by DRAGAPP.COM LIMITED, a U.K. Limited company.

Request access to Security Audit



Compliant with the EU GDPR (General Data Protection Regulation).


Google’s CASA (Cloud Application Security Assessment) certified.


Drag does not sell the personal information we collect.

End-to-End Security

Drag is hosted entirely on Amazon Web Services (AWS), providing end-to-end security and privacy features built-in. Our team takes additional proactive measures to ensure a secure infrastructure environment. For additional, more specific details regarding AWS security, please refer to

Data Center Security

Drag’s customer data is hosted by Amazon Web Services (AWS), which is certified SOC 2 Type 2, in Virginia, United States.

AWS maintains an impressive list of reports, certifications, and third-party assessments to ensure complete and ongoing state-of-the-art data center security.

AWS infrastructure is housed in Amazon-controlled data centers throughout the world, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access. More information on AWS data centers and their security controls can be found here.

Application Security

All Drag web application communications are encrypted over TLS 1.2, which cannot be viewed by a third party and is the same level of encryption used by banks and financial institutions. All data for Drag is encrypted at rest using AES-256 encryption.

Drag maintains ongoing PCI compliance, abiding by stringent industry standards for storing, processing, and transmitting credit card information online.

Drag actively monitors ongoing security, performance, and availability 24/7/365. We run automated security testing on an ongoing basis. We also contract a third party for penetration testing.

Our full privacy policy is here:

Infrastructure Security

Drag’s infrastructure is hosted in a fully redundant, secured environment, with access restricted to operations support staff only. This allows us to leverage complete data and access segregation, firewall protection, and other security features.

  • Secure communication with servers over HTTPS protocol, using encryption key stored locally in users’ machines. Access key is acquired only by users through Google’s OAuth.
  • Database encrypted at rest and protected by 16+ alphanumeric characters key.
  • AWS Key Management Services (KMS) in place to securely manage cryptographic keys with access to Gmail API.

Our technical team is fully trained to implement security best practices.

Secure by design

Most shared inboxes in the market have built their architecture so that when an email is sent to a shared inbox, a copy of the email is sent to every individual user’s inbox. This means that you can’t stop users from forwarding emails externally, for example. Or, if someone leaves the company or a specific team, every email sent to the shared inbox will still be in their inbox.

Needless to say, this dramatically increases the risk of data security breach.

With Drag, if someone leaves your company, they immediately lose access to any future and historical emails in a shared inbox. We do not duplicate emails across multiple inboxes. Technically, Drag shares the account permissions to access a specific inbox, which can be revoked at any time, with immediate effect.


google workspace


Cloud hosting, authentication and storage


Payment Gateway

Amazon Web Services

Cloud Infrastructure


Email Delivery Service


Email Delivery Service and CRM


Code repository

Crisp IM

Helpdesk & Support

Security controls

Architecture, design and threat modeling

  • Application uses a single vetted authentication for communication between application components, including APIs, middleware and data layers, are authenticated.

Authentication verification

  • Application uses approved cryptographic algorithms and internal secrets, API Keys stored in the secured environment.

Session management verification

  • Application handles all the cookie attributes in a secure way of implementation.

Access control verification

  • Directory browsing is disabled for directory metadata which can reveal any sensitive information.

Validation, sanitization and encoding verification

  • Application has defenses against HTTP
    parameter pollution attacks, all the security
    HTTP headers are properly implemented.

Stored cryptography verification

  • Application protects against cryptographic breaks whether it’s random number, encryption or hashing algorithms, key lengths, rounds, ciphers.

Error handling and logging verification

  • Application protects sensitive data from being cached in server components and application caches.

Data protection verification

  • Data stored in the browser storage is securely managed by the application.

Communications verification

  • Connections to and from the server use trusted TLS certificates.

Malicious code verification

  • Application source code and third party libraries do not contain back doors, such as hard-coded or additional undocumented accounts or keys.

Business logic verification

  • Application has anti-automation controls to protect against denial of service attacks.

File and resources verification

  • Files obtained from untrusted sources are stored outside the web root, with limited permissions.

API and web service verification

  • Application APIs do not expose sensitive information such as API Key, session tokens, etc.

Configuration verification

  • Application build and deployment processes are performed in a secure and repeatable way, such as CI / CD automation, automated configuration management, and automated deployment scripts.
Request more information
Close Menu