We care about your safety


Inbot organizes your business contacts and provides reports based on your activity with these business contacts. For this, Inbot needs to access sensitive information in other applications that you use. It never does this without your permission and Inbot treats your data as confidential and in line with the practices outlined in our Terms of Service. Necessarily, Inbot stores data on its servers and we would like to explain to you how this is done and what measures we take to protect your data.

Please contact us at support@inbot.io with any questions.

Secure connections

All communication with the Inbot API happens through secure HTTPS connections. We have configured our servers to support forward secrecy and use up-to-date libraries with patches for recently publicized issues such as the Heartbleed bug of last year. We use a COMODO RSA Extended Validation Secure Server CA certificate. We support only recent versions of TLS and do not allow fallbacks to older, known compromised versions such as SSLv3.

Even though connections between the app and the Inbot servers are encrypted, we recommend that users be careful when using public networks such as open WiFi networks. Using VPN software on such networks may provide an extra level of protection. Home networks or corporate WiFi networks should be configured to use WPA2 encryption. Finally, if you don't need it, disabling Bluetooth connectivity may be a good idea as well.

Passwords

We recommend that you use secure passwords. A secure password consists of a minimum of 10 characters and includes capitalized as well as lower-case letters, numbers and symbols. You can renew your password at any time via the "Forgot password" functionality.

All user passwords are stored in a responsible way using PBKDF2-based hashes and a randomized salt to ensure we never store the same hash twice. This helps prevent brute-force attacks against our data in case hackers were to obtain a copy of our password database, which is the worst nightmare of any web service.

Inbot app updates

New versions of the Inbot app typically include bug fixes and new features, and may also include security-related fixes. Therefore it is important to stay up to date and accept Inbot updates from the app store when you are prompted for these.

Your connected accounts

When connecting accounts, you give Inbot access to your data. For each account type, we use the vendor-recommended way of connecting. Typically these connections use SSL, and credentials are handled via the OAuth 2 protocol, which results in an access token that is stored by Inbot. In the case of some accounts, such as Microsoft Exchange, we need to store the user’s password.

In both cases, any credentials that we have to store in order to access the user’s connected accounts are stored encrypted using AES. We use the AES/CBC/PKCS5Padding cipher, and each data item is encrypted using a user-specific encryption key and a randomized salt. These credentials are used only in the scope of ingesting data into Inbot automatically.

Access control

All Inbot API requests are protected using the OAuth 2 protocol. API tokens are short-lived and need to be refreshed regularly using an OAuth 2 refresh token. Additionally, Inbot implements matrix security for authorization, where any API access requires privileges that are granted based on assigned roles.

When needed, Inbot performs tasks on behalf of the user, such as accessing the user’s connected accounts using the encrypted credentials and storing metadata about this. All such tasks are performed by automated system users that have a minimal set of privileges. Inbot does not have a ‘super’ or ‘god’ user that has all privileges. Instead, privileges are assigned on a need-to-have basis. Specifically, no Inbot employees or other parties have privileges that would allow them to access user data via the API. Additionally, all API usage is logged and available for auditing.

Third party access to your data

As per our Terms of Service, Inbot does not provide access to your data to third parties without your explicit permission, unless legally required to. We are not in the business of selling your data to third parties for e.g. advertising purposes. Your data belongs to you. Your team’s data belongs to your team. Data you share with your team is owned by the team. Inbot never shares data with your team without your permission.

Data backups

Inbot stores encrypted backups off-site several times per day. Additionally, the Inbot infrastructure uses a highly available, replicated and sharded data store that spreads data across servers to ensure that it can recover from hardware failures.

Security of third party services

Inbot is a modern CRM solution that can be connected to third-party apps and services. While Inbot maintains high standards when it comes to your security, we cannot guarantee that third parties will do so as well. Therefore, we recommend that you review third-party documentation for this before connecting such services. If in doubt, you can of course ask the Inbot assistant.

Mobile security

Using a mobile device brings certain security risks. Devices can be stolen, lost or otherwise compromised. Additionally, hackers may be able to break into your device and access your data. To prevent strangers from accessing your private data, we recommend that users keep the system software and applications on the device up to date. Additionally, we recommend encrypting the device, setting a PIN code to unlock it, and enabling a remote-wipe capability such as that provided by Android and Apple.