Connected Email is a feature that allows a user to connect their email account to Beamery so all candidate emails are automatically synced and appear on their timelines in the Beamery profile. It is easily configured in Settings and typically only requires providing your email address and then logging in to your email account. The connectivity is managed via API through a third party called Nylas.
Customers typically raise questions about how this feature works and what role Nylas plays in the solution. This FAQ contains common customer questions with answers. If your question is not on this page, please also check the Nylas Trust Center or their listing on the Cloud Security Alliance’s STAR Registry, as you may find your question answered there.
FAQ
Q: Where can I find Nylas’ SOC 2, ISO or HIPAA reports?
A: Nylas provides a Trust Center which contains all compliance reports, policies, security monitoring, subprocessors and an FAQ. They also provide a listing on the Cloud Security Alliance’s STAR Registry which includes a downloadable questionnaire with common cloud security questions.
Q: Does Nylas process or store the email messages?
A: Nylas stores mail, contact and calendar data in a cache for 30 days so that Beamery can access them quickly and securely. Nylas also caches files, attachments, and copies of the raw RFC-2822 MIME message in an Amazon S3 bucket for 1 day. If any data or files are requested that are not held within the cache, Nylas sends a request to the provider's mail server to re-retrieve the original data.
Q: Where does Nylas store data?
A: Nylas operates data centres in both the USA and EU where data is stored. Beamery currently only uses the US data centre.
Q: What happens once Nylas’ 30 day cache expires? How does content get re-synced and stored again in the cache? If so, is it the whole mailbox or just new content?
A: Nylas monitors for changes as shown in this Nylas sync diagram. If a Beamery user drills down to read a message which was last accessed more than 30 days ago, it is re-retrieved from the original mailbox via Nylas by supplying a message ID.
Q: Is data encrypted at all times?
A: Nylas' Encryption Policy outlines the approved cryptographic libraries, and it can be found at the Trust Center. Data at rest is encrypted using AES-256 or equivalent and data in transit using TLS v1.2+. Backups are stored in AWS S3 and encrypted using AWS-provided encryption mechanisms, which are based on AES-256.
Q: Where is the encryption key located?
A: We use cloud KMS to manage encryption keys hosted in the same data centre where the data is stored. Where envelope encryption is used (e.g. for application-level encryption of end-user credentials), cloud KMS is used to manage the key encryption keys (KEKs). KMS never exposes the keys themselves. We follow the Principle of Least Privilege when granting user and service account permissions for KMS encrypt/decrypt operations.
Q: What user credentials are held by Nylas?
A: Nylas connects to the user's mailbox through OAuth, so it doesn't have access to credentials. The OAuth access token is given to Nylas when the user authenticates through the platform, and is renewed until access is revoked (for example, by a user disconnecting or changing their password). After that, the user needs to re-authenticate to reconnect.
Q: How long is the link with the mailbox maintained for?
A: The connection is maintained as long as the user grants access to the application. If access is revoked by the user, Nylas immediately loses access to sync new messages from that mailbox until the user reconnects.
Q: Can mailboxes which require MFA be connected?
A: MFA is supported through the OAuth consent flow.
Q: Does Beamery only sync emails between users and candidates through Nylas?
A: No, all mail is synced when a user connects their mailbox. There is no option to filter based on sender or recipient.
Q: How far back in time does Beamery sync mailbox content?
A: Once a user connects their mailbox, all content is synced for the last 730 days (2 years).
Q: Do I have the option to disconnect the mailboxes of users from my company if I have any concerns about the usage? If this is not possible can Beamery disconnect mailboxes?
A: Mailboxes can only be connected and disconnected by the individual user via their Beamery Settings. Individual users can be disconnected via a request to Beamery’s Product Support team. There is currently no option to disconnect mailboxes in bulk.
Q: What are Beamery’s responsibilities to the customer in the event of a data breach with Nylas?
A: Nylas is required to notify Beamery's security team of any significant changes or security incidents without undue delay and within 72 hours, according to the Data Processing Addendum (DPA) in their contract with Beamery. Beamery is responsible for all acts and omissions of its subprocessors as per its contract with Customers. If there is a breach that affects only Nylas, Nylas conducts the investigation and alerts Beamery. Beamery shall notify its customer. Nylas will provide Beamery with the findings of the inquiry and the conclusion of the technical evaluation; if necessary, Nylas may also disclose OS and application logs. Where appropriate, Beamery will assist Nylas in its investigation and give the customer regular updates.
(Note: no breaches have occurred in the time period on record (past 24 months).)
An independent third party audits Beamery's incident response strategy annually in accordance with ISO 27001, SOC2, and GDPR. You can access our Security artefacts document, which includes our certifications, reports, CAIQ responses, technical and security deep dives, and a thorough description of the organisational and technical measures employed by Beamery.
Q: As a customer, we have a direct relationship with Beamery. How can we ensure that Nylas maintains their security standards?
A: Beamery has a strong vendor management system in place to make sure that third party due diligence and supplier security are carried out with the utmost care and conform to standards like SOC2, ISO, and GDPR, which are no less stringent than our own. To ensure we stay on top of the requirements, we also make sure that all critical subprocessors are reviewed at least once a year and can confirm that the most recent diligence was completed in Feb 2023 for Nylas. Customers are also able to complete a Third Party Information Security Assessment (TPSIA) with Beamery.