Annex 2: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
We have a great responsibility at Fastmail to keep your email and personal
information secure.
We continually review our policies and processes, and take new measures wherever
possible to further secure your data. On this page, we list some of the things
we do to maintain not just the confidentiality, but also the availability and
integrity of your data.
1: Pseudonymisation and encryption of Personal Data
Customer data
We know that email is free-form and could contain all kinds of information about
our customers and other people they correspond with, including data of the most
confidential sort. Due to the nature of our business (hosting, receiving and
sending free-form emails), our systems process large amounts of data that is
potentially highly confidential.
For this reason, we treat all Personal Data belonging to our customers
(“your data”) as Customer Confidential, which is the highest level of
protection within our data modelling and classification.
To provide the services we offer, it is necessary for our computer systems to
process unencrypted and unobfuscated data (for example: to build the search
indexes which allow fast message retrieval, or to push alarm notifications for
calendar events). This document details technical and organisational security
controls in place to secure your data.
Encryption Key Management
Encryption keys are long and extremely complex passwords, created in software
that we use to encrypt storage, backups and other systems at Fastmail.
Keys used within Fastmail systems are reliably managed, securely generated,
securely stored, and revoked, and rotated if ever thought to be compromised.
All encryption keys are retained solely under the control of Fastmail, which
means that even if access to encrypted data were to occur, without access to
our encryption keys, it would be unreadable.
2: Backup and restoring Personal Data
Customer data and internal system backups
Fastmail not only backs up and encrypts your data at rest, but also backs up our
own systems, to ensure that in the event of a system failure we can restore all
the systems that allow you to access your data.
Backup verification
Backing up your data is only useful if that backup can be restored. Fastmail
verifies backups using integrity checks that ensure the data backed up is
readable and is exactly the same as the data in your inbox.
Backup and disaster recovery testing
As well as testing the recovery processes for customer data, Fastmail tests its
internal systems, which span numerous components. Each of these components and
systems undergoes a range of different recovery tests and disaster recovery
scenarios. These ongoing processes across our platform reduce the chance that
any single outage will stop you from accessing your data.
3: Testing, assessing and evaluating our security
Bug bounty
We run a tight ship, but we're only human and humans can make mistakes. That's
why we run a bug bounty program to encourage responsible
disclosure of security issues and to reward security researchers who take the
time to help us keep Fastmail safe.
External and Internal Audit
Fastmail undergoes external audits by vendors, including penetration tests
against our systems to ensure that we meet or exceed industry standards.
Our internal staff are always testing and improving the security at Fastmail,
which is a never-ending process. The continuous improvement of our software and
system is the responsibility of all Fastmail staff.
4: User identification and authorisation
Secure authentication systems
Fastmail enforces username and password authentication, and highly recommends
Two-Factor Authentication (2FA). We also support advanced authentication methods
such as U2F or YubiKey OTP, which allow you to log in using a secure USB device,
as well as supporting SMS account recovery methods.
Fastmail help pages include a password security page and a two-factor
authentication page to ensure that you can select an authentication method
appropriate for you.
User identification processes
Fastmail has both detailed policies and processes in place to verify our users.
These include the existing authentication processes used when you access your
mail, as well as additional verification processes. We require internal
escalation to senior staff, who ensure we do not interact with unverified
individuals until we are absolutely certain that they are, in fact, who they
claim to be. These processes are reinforced with both information security and
privacy training.
Remote logout
Fastmail provides you with a remote logout feature, which allows you to log out
of any device that was used to access your email, whether a lost or misplaced
device, a computer at an internet café, a library, or a friend’s house.
This ensures you have complete control over all devices that can access your
data.
5: Protection of data during transmission
Secure access to mail
We mandate that all connections to our servers use Transport Layer Security
(TLS) and Secure Sockets Layer (SSL) encryption for all email client
connections, including webmail, the Fastmail official app, and IMAP/POP/SMTP
email client access. This prevents eavesdropping, tampering, and message forgery
on any communication between your computer or phone and our servers.
We have full support for Perfect Forward Secrecy (PFS) with our encrypted
connections, which ensures that even if we were somehow compromised in the
future, no previous communication could be decrypted. All connections in
supporting browsers have been protected by PFS since July 2012.
A Strict Transport Security header is sent with all of our webpages. This tells
all modern browsers to only connect to us over an encrypted connection, even if
you have a bookmark, click a link or type a URL to an unencrypted page at our
site.
Encrypted sending/receiving
Whenever you send a message to someone outside of Fastmail we have to send it
across the open internet. Since January 2010 we have fully encrypted all
connections between us and the receiving server whenever the other server
supports it, preventing passive eavesdropping, tampering or forgery. Similarly,
we have accepted encrypted connections for mail delivery to our servers since
April 2009, and we encourage all servers connecting to us to use it.
6: Protection of data during storage
Password encryption
Where you are using a password to access our systems, we store that password in
a non-reversible encryption scheme using current best practices.
Where we are storing a password used to access other systems on your behalf (for
example, POP links and calendar links) the password is stored with reversible
encryption using a key that is stored separately from the encrypted data. These
are stored in Hardware Security Modules (HSM), specialist dedicated hardware
designed specifically for the secure storage of encrypted data.
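The two storage patterns described above, as an added example that is not Fastmail's own code: login passwords kept only as a salted, non-reversible hash, and credentials that must be replayed to other systems (POP links, calendar links) kept under reversible encryption whose key lives in a separate store standing in for the HSM. The cipher inside `KeyStore`, the scrypt cost parameters, the sample account and secrets are all constructed for the example; the standard library is the only dependency.

```python
"""Added example, not Fastmail's code: the two password-handling patterns
described above, in one standard-library-only script.

1. Login passwords are stored only as a salted, memory-hard hash (scrypt
   here) that cannot be reversed to recover the password.
2. Passwords used on the user's behalf (a POP link, a calendar link) are
   stored with reversible encryption under a key that lives in a separate
   key store, standing in for the HSM. The cipher inside KeyStore (counter-
   mode keystream from HMAC-SHA256, plus an HMAC tag) is an illustrative
   stand-in for AES-GCM so that no third-party library is needed; cost
   parameters and sample secrets are constructed for the example.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# --- 1. Non-reversible storage of login passwords -------------------------

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # constructed cost parameters


def hash_login_password(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Return a record safe to store: algorithm, salt and digest, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"alg": "scrypt", "salt": salt.hex(), "digest": digest.hex()}


def verify_login_password(password: str, record: Dict[str, str]) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(record["salt"]),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


# --- 2. Reversible storage of credentials we must replay -------------------

class KeyStore:
    """Stand-in for the HSM: the key never leaves this object. Callers hand
    it plaintext or ciphertext and get the other back; the database only
    ever holds the ciphertext blob."""

    def __init__(self) -> None:
        root = os.urandom(32)  # constructed; the HSM would generate and hold this
        # Domain-separated sub-keys so keystream and tag inputs never collide.
        self._enc_key = hmac.new(root, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(root, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks, counter = b"", 0
        while len(blocks) < length:
            blocks += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest()
            counter += 1
        return blocks[:length]

    def wrap(self, secret: bytes) -> bytes:
        """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
        nonce = os.urandom(16)
        ciphertext = bytes(a ^ b for a, b in zip(secret, self._keystream(nonce, len(secret))))
        tag = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag

    def unwrap(self, blob: bytes) -> bytes:
        """Check the tag first; refuse to decrypt anything that was modified."""
        nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("credential blob failed its integrity check")
        return bytes(a ^ b for a, b in zip(ciphertext, self._keystream(nonce, len(ciphertext))))


def store_linked_credential(vault: Dict[str, bytes], account: str,
                            password: str, keys: KeyStore) -> None:
    """The vault (database table) receives only the wrapped blob."""
    vault[account] = keys.wrap(password.encode())


def fetch_linked_credential(vault: Dict[str, bytes], account: str, keys: KeyStore) -> str:
    """Unwrap at the moment the POP/calendar fetch needs it, never earlier."""
    return keys.unwrap(vault[account]).decode()


if __name__ == "__main__":
    record = hash_login_password("correct horse battery staple")  # constructed
    print(record, verify_login_password("correct horse battery staple", record))
    hsm, vault = KeyStore(), {}
    store_linked_credential(vault, "alice@example.com", "pop-s3cret", hsm)  # constructed
    print(vault["alice@example.com"].hex(), fetch_linked_credential(vault, "alice@example.com", hsm))
```

The point of the split is visible in what each store holds: the login record contains a salt and a digest but nothing a reader could turn back into the password, while the credential vault contains only blobs that are useless without the `KeyStore` object, which in production is the HSM that never exports its key.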
On-disk encryption
All your data is stored on encrypted disk volumes, including backups. We believe
this level of protection strikes the correct balance between confidentiality and
availability.
At this stage, some system log data (which could contain personal information)
is temporarily stored on unencrypted disks on individual servers; however, we
have a plan to bring encryption to all system logging as well.
7: Physical security
Physical data centre security
Our main servers are located at 365 Data Centers in Bridgewater, New Jersey,
USA. Their facility is a high-security, video-monitored location with backup
power, air conditioning, fire systems, 24x7x365 monitoring, and onsite technical
support.
365 does a whole lot more to ensure security, including their hardware,
best practices, and routines. You can read all about them on their homepage.
Our secondary site in Seattle has equivalent physical security.
We use “remote hands” staff from the data centres to perform routine maintenance
on our servers (e.g., replacing hard disks or installing new machines), however
they do not have logins, encryption keys, or the ability to access your data.
Our data centre vendors provide us with power, cooling, and network links
(public internet) but do not manage or have permitted access to our internal
network between servers. All public internet-facing machines have a firewall.
All data transfer between our datacentres is over an encrypted VPN (virtual
private network) managed by us.
8: Event logging
Tracking and logging staff access
While Fastmail staff may need to access your data when providing support that
you have requested, on top of the obfuscation controls that ensure staff view
only the least possible amount of data to do their jobs, all access by staff
across all systems is logged.
Access to core systems by administrators, which includes direct access to
customer data, is also strictly logged and audited, to ensure that access to
systems that store and process your data is highly restricted.
Viewing who logged into your account
Fastmail allows you to view details around the most recent access into your
account. You can see how your account was accessed, successful and failed
attempts, time and date, as well as technical details such as the IP address
and the device or verification method used.
This allows you to take appropriate measures should you believe someone is
trying to gain access into your account.
9: Secure configuration of our software and systems
We only allow necessary communications
Many unexpected forms of attack come from failing to close potential
vulnerabilities, including database port access, SSH port access, and so forth.
We use kernel-level firewalling to only allow connections to the services
provided by each machine.
Content security policy
Within our web interface we set a Content Security Policy header, which ensures
that only scripts we've written can be run. This means that a potentially
malicious email that somehow managed to slip through our filters would still
not be able to do anything dangerous.
We use isolated domains to separate out untrusted content from the pages we
generate. For example, when you open an attachment, it opens at
fastmailusercontent.com rather than fastmail.com. Thanks to browser
cross-origin security restrictions, this means that a rogue attachment can never
access any of your data.
Similarly, user websites are hosted on subdomains of user.fm, keeping them
isolated from our site as well.
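The browser-side controls described in this section and under "Secure access to mail" above (the Strict Transport Security header, a Content Security Policy that runs only our own scripts, and separate origins for attachments and user sites), as an added example that is not Fastmail's own code: it builds the headers and provides a checker a reviewer could run over captured response headers and attachment links. The host names are the ones named on this page; the main-site origin, the `max-age` value, the exact directive set and the checker's rules are assumptions for the example.

```python
"""Added example, not Fastmail's code: the browser-side controls described
above (HSTS, a Content Security Policy that only runs our own scripts, and
separate origins for untrusted content), modelled as header construction
plus a checker that can be run over captured response headers.

Host names come from the page; the main-site origin, the max-age value, the
exact directive set and the checker's rules are assumptions for this example.
"""
from typing import Dict, List
from urllib.parse import urlsplit

MAIN_ORIGIN = "https://www.fastmail.com"        # assumption: the app origin
USERCONTENT_HOST = "fastmailusercontent.com"    # attachments, from the page
USER_SITES_SUFFIX = ".user.fm"                  # user websites, from the page


def security_headers() -> Dict[str, str]:
    """Headers the main web interface would send (values are assumptions)."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": ("default-src 'self'; script-src 'self'; "
                                    "object-src 'none'; base-uri 'self'; "
                                    "frame-ancestors 'none'"),
    }


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive ...' into a name -> sources map."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_findings(value: str) -> List[str]:
    """Weaknesses that would let script we did not write run; empty means OK."""
    policy = parse_csp(value)
    findings: List[str] = []
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: any script may run")
    else:
        for source in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"):
            if source in script_src:
                findings.append(f"script sources allow {source}")
    if "object-src" not in policy and policy.get("default-src") != ["'none'"]:
        findings.append("object-src missing: plugin content falls back to default-src")
    return findings


def hsts_findings(value: str) -> List[str]:
    """Check that the HSTS header actually pins browsers to HTTPS."""
    directives: Dict[str, str] = {}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        directives[name.lower()] = val
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return ["max-age missing or malformed: HSTS not enforced"]
    if int(max_age) == 0:
        return ["max-age=0: browsers will forget the HSTS policy"]
    return []


def is_isolated_origin(url: str) -> bool:
    """True if the URL is served from a host reserved for untrusted content."""
    host = (urlsplit(url).hostname or "").lower()
    return (host == USERCONTENT_HOST or host.endswith("." + USERCONTENT_HOST)
            or host.endswith(USER_SITES_SUFFIX))


def same_origin(a: str, b: str) -> bool:
    """Scheme, host and port: the tuple the browser compares before letting one
    document read another's data."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def attachment_url_ok(url: str) -> bool:
    """An attachment link must point at the isolated host, not the app origin."""
    return is_isolated_origin(url) and not same_origin(url, MAIN_ORIGIN)


if __name__ == "__main__":
    headers = security_headers()
    print("ours:", csp_findings(headers["Content-Security-Policy"]),
          hsts_findings(headers["Strict-Transport-Security"]))
    # Constructed weak header for comparison.
    print("weak:", csp_findings("default-src 'self'; script-src 'self' 'unsafe-inline'"))
    print(attachment_url_ok("https://www.fastmailusercontent.com/attachment/1"),
          attachment_url_ok("https://www.fastmail.com/attachment/1"))
```

The checker encodes the two ways the CSP guarantee in the text can silently fail: a `script-src` (or fallback `default-src`) that admits `'unsafe-inline'`, `'unsafe-eval'` or wildcard hosts, and an unrestricted `object-src`. The origin check mirrors what the browser does: an attachment served from a `fastmailusercontent.com` host is a different origin from the app, so its scripts cannot read the mail interface's DOM or cookies.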
We keep track of software updates
Software contains bugs. We track the software we use and any security
vulnerabilities, and upgrade as soon as an issue is reported.
10: Embedded privacy controls by default
Image loading
When accessing your email through our web interface, we protect your privacy by
fetching all referenced images through our servers. This prevents the owner of
the image from being sent additional information about you such as your internet
address (which reveals your rough location), browser information, and sometimes
even tracking cookies.
Privacy controls
You have choices regarding the information we collect and how it's used. You can
review and adjust privacy settings in your account. Some of our products offer
specific privacy settings. For example, you can manage your contact information,
such as your name, email address, and phone number. You can also delete certain
information, or your entire Fastmail account should you wish to do so.
Staff access to your data
We limit staff access to customer data as stringently as their roles allow,
strongly adhering to the principles of both least privilege, and need to know.
Due to the nature of their jobs, it is necessary for our operations staff to
have access to the systems where customer data is processed. The staff who do
require access to production servers for their jobs are aware of their
responsibility to protect the confidentiality of your data, and only access that
data where it’s required either to provide customer support or for operational
necessity.
Our systems are designed to allow our support and operational staff to perform
their duties without being exposed to your data: where possible, obfuscated data
is presented (like to debug display problems). Your explicit consent is sought
if viewing unobfuscated data is necessary to solve customer service issues.
Due to the nature of their jobs, it may be necessary for our security and fraud
staff to have access to deobfuscated customer data or other personal
information.
Sometimes we anonymize your information, for example creating a test case that
reproduces a bug found with your data, by making a case that will trigger the
same bug without containing any confidential or personally identifying
information. When performing business analytics (how customers use our service)
we only work with anonymised or unidentifiable data.
12: Vendor and third-party security
We use software systems that take security seriously
We use Debian and
Joyent SmartOS as our operating systems
because they both take their security responsibilities and updates seriously. In
most cases, an update for a security problem will be available within hours of
the original report.
13: Ensuring data minimisation
Limited access to customer data
Fastmail actively develops policies, processes, and technical solutions that
limit the exposure of customer data to our staff. We take steps to ensure that
only the data relevant to the issue at hand is exposed to our staff, and even
then, access is logged.
Data minimisation with third parties
When Fastmail uses a third party to provide services, if the data is not
completely encrypted or anonymized, the minimal amount of data is provided, and
where possible this includes not disclosing any personal information if it is
not required to provide a service. For example, when we use bug tracking or
support software, we only record information required to address a support
issue.
14: Ensuring data quality
The personal information attached to your account can be updated at any time. We
provide tools via the portal that ensure that your Personal Data is up to date,
and accurate.
Data integrity
One benefit of encryption, both at Fastmail and in general, is that it not only
secures your data but also ensures that data has not been tampered with. As a
result of the encryption used to transmit, store, and back up your data, we
ensure your data is not tampered with or modified, and that its integrity is
protected.
15: Ensuring limited data retention
Destruction of customer data
Some of the features of our products are designed specifically around not losing
data, so as long as you want us to retain your data, it is replicated to
multiple systems and backed up with encryption.
When you request destruction of your data by deleting specific items or closing
your account, the data is removed in a time-delayed manner. This both allows you
to change your mind (undo, or restore from backup), and allows for the
possibility that if your account is compromised and the attacker tries to delete
everything, we can recover your data.
We also collect some data which is personally identifiable as a side effect of
the system monitoring and logging which we require for our operational
stability. This is not permanently recorded.
Destruction of system logs
System logs are retained for 180 days before being deleted. We have a legitimate
interest in having those logs available both to ensure the reliable operation of
our systems, and to provide evidence of activity when users report unexpected
states in their account.
Emails, contacts, calendars, and other Personal Data including notes that have
been deleted in Fastmail or Pobox Mailstore are kept on disk for self-service
restore for between 7 and 14 days after deletion.
Destruction of backup and search index data
The backup copies of email and search indexes are pruned on an “as-needed” basis
based on the ratio of space that would be saved by re-compacting them. At the
moment there is no guarantee that a particular message will be purged on a
timeline, however our support can perform an immediate prune for a particular
account on request.
Destruction of data after account closure
After an account is terminated, data and backups are purged within a timeframe
of between 37 days to 1 year after closure depending on how long the account was
active for, and whether the account was explicitly closed or lapsed due to lack
of payment.
16: Ensuring accountability
Internal policies
Fastmail develops, internally distributes, and adheres to internal policies with
clear allocation of responsibilities, and enforces all the security measures
detailed within this document.
Vendor contracts
Fastmail holds our vendors accountable by ensuring they commit to the same level
of security and privacy that we do through contracts and Data Protection
Agreements.
17: Allowing data portability and ensuring erasure
Self-service data export
Fastmail ensures data portability through the ability to download and export a
copy of all of your data and content in your Fastmail account if you want to
back it up or use it with a service outside of Fastmail.
Self Service Account Closure
Fastmail allows users to erase their data through self-service account closure.
This will remove your account as well as any backups of your account.
18: Data transfer to third parties
Transfer of confidential data with third parties
Fastmail’s value proposition is “service in exchange for money”. We don’t ever
sell or monetize confidential data, or aggregate customer data.
As part of our commitment to open source, we do sometimes share statistical data
(for example the average size of emails, or the percentage of email traffic
which is encrypted or written in particular languages) which is useful in the
broader email community to help drive software design.
We also share reports of spam, including spam false positives and false
negatives with our partner organisations who provide us with spam prevention
feeds.
We use third-party hosted services for bug tracking, support, exception
alerting, and communications. While we don’t send bulk data through any of these
services, small pieces of your data may wind up in core dumps, in support ticket
updates, inside bug descriptions (we obfuscate where possible, but sometimes the
raw data is needed) or in chat messages where colleagues work together to solve
problems.
Onward Transfer
Onward transfer, simply put, is passing on data entrusted to us.
While Fastmail always notifies our users of services that may receive your data,
even in those cases Fastmail will not engage in any onward transfer, and will
suspend ongoing transfers, unless those parties can demonstrate the same level
of protection of your Personal Data that we provide.
We make sure that these third parties give us more than their word: these
protections are typically enforced by contracts, which may also include Data
Protection Agreements (DPAs), so you can be assured that we will never transfer
any aspect of your data to anyone who does not take your privacy as seriously as
we do.
Limitations to email encryption
While communication between your computer and our servers is encrypted, any
email that you send to another server may have to pass over the internet in an
unencrypted form if the destination server doesn’t accept encrypted
communications. (We encrypt it wherever possible).
The only way to ensure end-to-end security with email is to use email
encryption software such as Pretty Good Privacy (PGP) or Secure/Multipurpose
Internet Mail Extensions (S/MIME). Both of these systems require the creation
of certificates, run on your computer, and are attached to your email client to
encrypt/decrypt messages.
Providing secure end-to-end encryption via webmail is impossible. There are
basically two options, both flawed:
- Keep a private key on the server and encrypt email on the server. Although
all traffic between the server and client may be encrypted via TLS, and then
the email itself is encrypted on the server before being sent to the world, the
unencrypted email is still available on the server between the TLS and
encryption stages.
- Use Java or JavaScript to encrypt email in the browser. This method can't
prevent someone using malicious scripts to send encrypted messages back to the
server, as well as the encryption key, for the server to decrypt.
Since the JavaScript client is sourced from our servers, any in-browser code
has the same security profile as code running on our servers.