1. We must comply with HIPAA. Would SaneBox enter into a Business Associate Agreement (BAA)?
We would absolutely enter into a BAA.
2. What controls are in place to prevent or detect a user’s credentials from being accessed by an employee at SaneBox?
The network associated with the machines with those credentials is not directly accessible from the Internet. The bastion host to access that network is protected by individual account credentials. That bastion host in turn is remotely accessible only via an authenticated VPN connection. The production machines that house that data are protected by their own credentials. The credentials themselves are secured by an industry standard encryption system. All encryption keys are protected and isolated by a secure credential store system. Only select senior engineering staff have access to the necessary corporate credentials.
3. What controls are in place to prevent or detect a change in configuration from pulling only headers to pulling full body of emails?
All access to and console commands on production machines is logged and the log is reviewed daily. All software changes to our base system are reviewed and tested by members of senior engineering staff.
4. What criteria would define a data breach at SaneBox?
Our intrusion detection system and access logs would alert us of an attempt. But, a data breach would require both a network breach and a breach of our secure credential store system.
5. What requirements does SaneBox have to notify users of its service of a data breach?
Once any system breach was detected by our intrusion detection system or by our daily review of access logs, we would take steps to review if any machine with customer data was accessed. Once we have identified that a breach of customer data happened we would notify all affected customers.
6. What data gets shared with third-parties?
We use various third-party processors to monitor for errors, logging, etc. We sometimes transmit personal data to these providers. For example, your email address, your contacts’ email addresses, message subjects, and message dates. Any such third-party has a Data Processing Agreement with SaneBox. We go to great lengths to remove personal data from anything transmitted to a third-party, sending only what is strictly necessary to maintain a smooth running service.
7. Can the contents of my emails or attachments be read?
It is possible for both our systems and humans to read the contents of your emails and attachments. Unfortunately, the IMAP protocol does not contain granular access controls to prevent this. SaneBox reads the contents of email messages in order to process SaneReminders emails, to process SaneAttachments, and in certain circumstances to process moving messages from SaneSnooze folders back into your inbox. If you did not use SaneReminders, SaneAttachments, and configured your SaneSnooze folders in a particular way, SaneBox would not ever read the contents of your emails.
Have further questions?
If you have other questions, you can contact our support team at support@sanebox.com or visit our Privacy page!