Security

1. User Data Security

1.1 Transport Security

Acompli system enforces TLS for all communication channels over public network. The mobile app uses certificate pinning to establish trust with the Acompli server farm. To further ensure data safety of all our users we only support certificates signed by well-known CAs when communicating with any external servers such as Exchange servers.

1.2 At Rest Security

100% of Acompli user data is encrypted at rest using hardware-accelerated strong cryptography.

1.3 User data isolation

Each individual user’s data set is isolated with multi-level permission checks. Every API call for data access within Acompli system requires proprietary auth tokens with tamperproof design.

2. User Credential Security

User credentials are required to access users’ data. Credentials come in the form of passwords for some server types such as Exchange, or limited-scope OAuth tokens for others such as Gmail. Each user’s credentials are double-encrypted using a server per-account unique key and then using a client device unique key, therefore the credentials can only be unlocked by the collaboration of both the server and the app at runtime.

3. User data retention

Some user data are retained in Acompli system during the lifetime of a user account, always encrypted at rest. A user can choose to completely purge his/her account from the mobile app, in which case all user data will be wiped clean throughout the Acompli system, from both the mobile device and the server farm. Exchange accounts also support end-to-end data purge can also be initiated from the Exchange server via mobile policy “remote wipe” either by the user or by an IT administrator.

4. Mobile device security

The Acompli mobile app takes full advantage of iOS 8 security design. In order to maximize data protection users should choose an alpha-numeric device passcode of at least 6 characters.