Security overview

Introduction

Evernote users trust us with billions of their notes, projects, and ideas. That trust is based upon us keeping that data both private and secure. The information on this page is intended to provide transparency about how we protect that data. We will continue to expand and update this information as we add new security capabilities and make security improvements to our products.

Security Program

Security is a dedicated team within Evernote. Our security team's charter is protecting the data you store in our service. We drive a security program that includes the following focus areas: product security, infrastructure controls (physical and logical), policies, employee awareness, intrusion detection, and assessment activities.

The security team runs an in-house Incident Response program and provides guidance to Evernote employees on how to report suspicious activity. Our IR team has procedures and tools in place to respond to security issues and continues to evaluate new technologies to improve our ability to detect attacks against our infrastructure, service, and employees.

We periodically assess our infrastructure and applications for vulnerabilities and remediate those that could impact the security of customer data. Our security team continually evaluates new tools to increase the coverage and depth of these assessments.

Network Security

Evernote defines its network boundaries using a combination of load balancers, firewalls, and VPNs. We use these to control which services we expose to the Internet and to segment our production network from the rest of our computing infrastructure. We limit who has access to our production infrastructure based on business need and strongly authenticate that access.

We protect our service against distributed denial of service (DDoS) attacks using an on-demand mitigation service.

Account Security

Evernote never stores your password in plaintext. When we need to securely store your account password to authenticate you, we use PBKDF2 (Password-Based Key Derivation Function 2) with a unique salt for each credential. We select the number of hashing iterations in a way that strikes a balance between user experience and password cracking complexity.

While we don’t require you to set a complex password, our password strength meter will encourage you to choose a strong one. We limit failed login attempts on both a per-account and per-IP-address basis to slow down password guessing attacks.

Evernote offers two-step verification (2SV), also known as two-factor authentication, for all accounts. Our two-step verification mechanism is based on the time-based one-time password (TOTP) algorithm. All users can generate codes locally using an application on their mobile device, while premium and business users can choose to have the codes delivered as a text message.

Email Security

Evernote gives you a way to create notes in your account by sending emails to a unique Evernote email address. To protect you from malicious content, we scan all email we receive using a commercial anti-virus scanning engine.

When you receive an email from Evernote, we want you to be confident that it really came from us. We publish an enforcing DMARC policy to improve your confidence that email you receive from Evernote is legitimate. Every email we send from @evernote.com and @email.evernote.com will be cryptographically signed using DKIM and originate from an IP address we publish in our SPF record.

Product Security

Securing our Internet-facing web service is critically important to protecting your data. Our security team drives an application security program to improve code security hygiene and periodically assess our service for common application security issues including: CSRF, injection attacks (XSS, SQLi), session management, URL redirection, and clickjacking.

Our web service authenticates all third-party client applications using OAuth. OAuth provides a seamless way for you to connect a third-party application to your account without needing to give the application your login credentials. Once you authenticate to Evernote successfully, we return an authentication token to the client to authenticate your access from that point forward. This eliminates the need for a third-party application to ever store your username and password on your device.

Every client application that talks to our service uses a well-defined Thrift API for all actions. By brokering all communications through this API, we’re able to establish authorization checks as a foundational construct in the application architecture. There is no direct object access within the service and each client’s authentication token is checked upon each access to the service to ensure the client is authenticated and authorized to access a particular note or notebook. Please see dev.evernote.com for more information.

Customer Segregation

The Evernote service is multi-tenant and does not segment your data from other users’ data. Your data may live on the same servers as another user’s data. We consider your data private and do not permit another user to access it unless you explicitly share it. See the Product Security section for how we enforce our authorization model for access to private and shared content.

Data Destruction

Evernote retains your content unless you take explicit steps to delete notes and/or notebooks. Deactivating a personal account or revoking access to a business account does not automatically remove content.

For personal notes and notebooks, you can remove your content by deleting all the notes in a notebook and then deleting all the notes residing in your trash. Deleting a notebook automatically moves all the notes associated with that notebook to your trash. When a note is deleted, all references and connections to the data in that note are removed from our databases.

Media Disposal and Destruction

We never repurpose storage media for use outside our production environment if it has ever been used to store user data. We have procedures to securely destroy storage media by degaussing and physically smashing it prior to disposal. Additional details can be found on our blog.

Customer Account Access

Evernote, like most cloud services, has an administrative tool. This tool allows our customer service and platform administration teams to resolve customer issues. We limit who has access to customer data within this administration tool based on business need and strongly authenticate that access.

We periodically review employee access to customer accounts to identify administrative abuse and minimize the situations where we might need to access account content in the future.

Activity Logging

The Evernote service performs server-side logging of client interactions with our services. This includes web server access logging, as well as activity logging for actions taken through our API. These logs also include successful and unsuccessful login events. Due to the nature of our client / server architecture, we cannot reliably know whether a synced note was viewed. We do not automatically collect activity logs from our software clients. You can view the recent access times and IP addresses for each application connected to your account in the Access History section of your Account Settings.

Transport Encryption

Evernote uses industry-standard encryption to protect your data in transit. This is commonly referred to as Transport Layer Security (“TLS”) or Secure Sockets Layer (“SSL”) technology. In addition, we support HTTP Strict Transport Security (HSTS) for the Evernote service (www.evernote.com). We support a mix of cipher suites and TLS protocols to provide a balance of strong encryption for browsers and clients that support it and backward compatibility for legacy clients that need it. We plan to continue improving our transport security posture to support our commitment to protecting your data.

We support STARTTLS for both inbound and outbound email. If your mail service provider supports TLS, your email will be encrypted in transit, both to and from the Evernote service.

We operate two data centers in the US and transmit data between them using a dedicated network link that isn’t connected to the Internet. We encrypt all traffic flowing across this link using GCM-AES-128 encryption via the MACsec protocol.

Encrypted Text Within a Note

If you are using an Evernote desktop client, such as Windows Desktop and Evernote for Mac, you can encrypt any text inside a note to add an extra level of protection to private information. Evernote uses AES (Advanced Encryption Standard) with a 128-bit key to encrypt text you select.

When you encrypt text, we prompt you for a passphrase. We take your passphrase along with a unique salt and use PBKDF2 with 50,000 rounds of SHA-256 to derive a 128-bit AES key. We use this key, along with an initialization vector, to encrypt your data in CBC (Cipher Block Chaining) mode.

We never receive a copy of this key or your passphrase and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your passphrase, we cannot recover your data.
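The two uses of PBKDF2 described on this page, salted password storage (Account Security) and passphrase-to-key derivation for encrypted note text (above), are shown here as an added example that is not Evernote's code. The 50,000 rounds, SHA-256 and 128-bit key come from the page; the account iteration count, the use of SHA-256 for account passwords, the 16-byte salts and the record layout are assumptions, and the AES-CBC step itself is omitted because the Python standard library has no AES.

```python
import hashlib
import hmac
import os

ACCOUNT_ITERATIONS = 200_000  # assumed value; the page does not state it
NOTE_ITERATIONS = 50_000      # from the page
NOTE_KEY_BYTES = 16           # 128-bit AES key, from the page
SALT_BYTES = 16               # assumed salt length


def hash_password(password: str, iterations: int = ACCOUNT_ITERATIONS) -> dict:
    """Build a storable record: a fresh salt per credential, never the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"iterations": iterations, "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def needs_rehash(record: dict, target: int = ACCOUNT_ITERATIONS) -> bool:
    """True when a record predates the current iteration count and should be
    re-hashed at the user's next successful login."""
    return record["iterations"] < target


def derive_note_key(passphrase: str, salt: bytes) -> bytes:
    """Passphrase + salt -> 128-bit AES key, with the page's parameters."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               NOTE_ITERATIONS, dklen=NOTE_KEY_BYTES)


def new_note_envelope(passphrase: str):
    """Return (key, public_params). Only the salt and IV are stored beside the
    ciphertext; the key stays on the client and is re-derived on decrypt."""
    salt = os.urandom(SALT_BYTES)
    iv = os.urandom(16)  # one AES block, the IV size CBC mode requires
    key = derive_note_key(passphrase, salt)
    return key, {"salt": salt.hex(), "iv": iv.hex()}
```

Because the key is re-derived from the passphrase and the stored salt on each decrypt, a lost passphrase leaves nothing from which the key can be recovered.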

Resiliency / Availability

We operate a fault tolerant system and network architecture to ensure that Evernote is there when you need it, wherever you may be. This includes:

  • Diverse and redundant Internet connections.
  • Redundant network infrastructure including switches, routers, load balancers, and firewalls.
  • Scalable system architecture built using a large number of independently operating shards, each servicing a small slice of our user base.
  • Shards architected as pairs of redundant servers, providing hot standby capabilities should a single server fail.
  • Servers engineered with redundant power, redundant network hardware, and storage deployed in a RAID configuration.

Our colocation vendor provides fault tolerant facility services including: power, HVAC, and fire suppression.

We provide live and historical status updates here: https://twitter.com/evernotestatus and http://status.evernote.com.

We back up all customer content at least once daily and replicate those backups to our backup data center via a private network link. This process ensures that we can recover from a complete site failure in our primary data center. We do not utilize portable or removable media for backups.

Physical Security

When you sync your notes to our servers, they are stored in a private, locked cage at one of our data centers. These data centers are staffed and monitored 24x7x365. Access to the data center requires, at a minimum, two factors of authentication, but may include biometrics as a third factor.

Each of our data centers has undergone a SOC-1 Type 2 audit, attesting to their ability to physically secure our infrastructure. Only Evernote operations personnel and data center staff have physical access to this infrastructure and our operations team is alerted each time someone accesses our cage, including a video record of the event.

All Evernote data resides inside the United States. Our primary and backup data centers are both located on the west coast in geographically diverse regions.

Privacy and Compliance

Please see our privacy policy for information about our Safe Harbor compliance. We do not publish a Service Organization Control (SOC) report.