Security Overview
Introduction
Evernote users trust us with billions of their notes, projects, and ideas. That trust is based upon us keeping that data both private and secure. The information on this page is intended to provide transparency about how we protect that data. We will continue to expand and update this information as we add new security capabilities and make security improvements to our products.
Security Program
Security is a dedicated team within Evernote. Our security team's charter is to protect the data users store in our service.
The team contributes to designing secure features, monitors and responds to security alerts, and periodically assesses our infrastructure and applications for vulnerabilities. Our security engineers continually evaluate new tools to increase the coverage and depth of these assessments and the security of our users’ data.
We monitor our systems and infrastructure for signs of suspicious activity or potential threats. We receive real-time security alerts from a variety of sources. Each alert is promptly reviewed, and we take swift action to investigate, contain, and remediate any identified risks.
Evernote delivers a robust Security Awareness Training program to new hires within 30 days of joining and annually to all employees. We also maintain a set of information security policies, which are delivered to all employees right after hiring.
All employee accounts are secured with mandatory two-factor authentication (2FA) or passkeys to ensure strong protection against unauthorized access.
Access follows a least privilege model: our team members only have visibility into what’s required for them to carry out their jobs. In addition, access is granted for a limited time and is scoped to the minimum number of services needed. Permissions are subject to frequent internal assessment, technical enforcement, and monitoring to ensure compliance.
At Evernote, we take endpoint security seriously to ensure that all employee devices accessing sensitive systems are protected. Every device used by Evernote employees is:
- Managed through Mobile Device Management (MDM). This allows us to enforce security policies, remotely monitor compliance, and manage device configurations.
- Protected with Enterprise-Grade Anti-Malware. All devices are equipped with up-to-date anti-malware solutions that detect and block threats in real time.
- Automatically Updated. We enforce automatic operating system and software updates to ensure devices are always running the latest security patches.
To stay ahead of evolving threats, Evernote leverages Open-Source Intelligence (OSINT) tools to proactively monitor the Internet for potential security risks and emerging threats. This real-time threat intelligence enables us to act swiftly in identifying and mitigating risks before they can impact our systems or users. Combined with automated alerting and manual analysis, our OSINT-driven approach is a key part of our layered defense strategy.
Product Security
Securing our Internet-facing web service is critically important to protecting our users’ data. Our security team drives an application security program to improve code security hygiene and periodically assesses our service for common application security issues. Assessments are performed through yearly penetration tests executed by an external provider and through a public bug bounty program on HackerOne. Findings from these assessments are tracked for remediation and addressed using a risk-based approach. Penetration test reports are available on request with an appropriate NDA in place.
As part of our commitment to maintaining the highest security standards, we undergo the Google CASA (Cloud Application Security Assessment) Tier 2 evaluation on an annual basis. This is a solid assessment framework developed by Google, grounded in the industry-recognized OWASP Application Security Verification Standard (ASVS). It provides a comprehensive and consistent set of requirements to strengthen the security of any application. The assessment includes advanced security testing such as Dynamic Application Security Testing (DAST), ensuring that our systems are proactively evaluated and continuously hardened against potential threats.
We have alerts and controls set to prevent critical operations or notify us when they’re performed, and we have audit logs enabled for any action or operation performed on critical infrastructure resources, like production databases.
We use a secure, centralized system to manage and control access to application secrets. Fine-grained access controls and detailed audit logging help ensure that secrets are only accessible to authorized systems and employees when needed. All secrets are encrypted both at rest and in transit, with strict authentication and authorization policies governing access.
At Evernote, security is built into every step of our development process. Our software engineering team carefully reviews and tests all code changes to ensure stability and quality, and code reviews are mandatory for any deployment to production. For features that impact security, our dedicated security team is involved early, collaborating on design decisions and conducting focused, security-oriented code reviews. Security-relevant functionality is covered by end-to-end tests to avoid introducing bugs or flaws.
To ensure the security of our software supply chain, Evernote uses trusted third-party tools to continuously monitor and detect the use of vulnerable versions of dependencies. These tools scan our codebase to identify known security issues in open-source libraries and frameworks. When a vulnerability is detected, our engineering team is alerted promptly, allowing us to prioritize updates or mitigations as needed.
The testing, staging, and production environments are logically separated. No user data is present in any development or test environment.
Our web service authenticates all third-party client applications using OAuth. OAuth provides a seamless way for users to connect a third-party application to their Evernote account without needing to give the application their login credentials. Once the user logs in to Evernote successfully, we return an authentication token to the client application to authenticate their access from that point forward. This eliminates the need for a third-party application to ever store our users’ login credentials.
Every client application that connects to Evernote uses a well-defined Thrift API for all actions. By brokering all communications through this API, we’re able to establish authorization checks as a foundational construct in the application architecture. There is no direct object access within the service, and each client’s token is checked upon each access to the service to ensure the client is authenticated and authorized to access a particular note or notebook. Please see our developer documentation for more information.
Network Security
The Evernote service is entirely hosted on the Google Cloud Platform (“GCP”). Evernote defines its network boundaries using a combination of load balancers, firewalls, and VPNs. We use these to control which services we expose to the Internet and to segment our production network from the rest of our computing infrastructure. We limit who has access to our production infrastructure based on business needs and strongly authenticate that access.
All infrastructure resources, including those related to the network, are tracked and defined using Terraform, our choice for implementing infrastructure as code.
Evernote uses multiple DDoS protection strategies and tools layered to mitigate DDoS threats. We utilize Fastly’s sophisticated CDN with built-in DDoS protection as well as native GCP tools and application-specific mitigation techniques. We monitor and block common types of attacks at the edge, aiming to prevent malicious traffic from reaching our servers at all.
Account Security
Evernote never stores users’ passwords in plaintext. Instead, we securely store a cryptographic hash, so that actual passwords remain protected even in the unlikely event of a breach.
To help keep our users’ Evernote accounts secure, we prevent the use of easily guessable passwords—including those that contain common words or have appeared in known data breaches, as identified by the Have I Been Pwned database. If a password is recognized as weak or compromised, the user will be prompted to reset it for their safety. Additionally, our login endpoints are protected by CAPTCHA technology, adding an extra layer of defense against automated password guessing and brute-force attacks.
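The breach check above can be done without sending the password itself to Have I Been Pwned: the client hashes the candidate password with SHA-1 and sends only the first five hex characters of the digest to the range endpoint, which returns every known suffix under that prefix. The example below is added here and is not Evernote's code; it implements that k-anonymity exchange with a constructed stand-in for the HIBP service so it runs offline, and adds a simple common-word screen. The sample breached passwords and the word list are constructed.

```python
import hashlib

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint, not called here

def hibp_range_query(password):
    """Split the SHA-1 hex digest into the 5-char prefix that is sent to the
    service and the 35-char suffix that is kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines returned by the range endpoint."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """How many times the password appears in breach data (0 = not found).
    fetch_range(prefix) must return the response body for HIBP_RANGE_URL + prefix."""
    prefix, suffix = hibp_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def check_password(password, fetch_range, common_words=frozenset()):
    """Policy decision: 'compromised', 'common-word' or 'ok'."""
    if breach_count(password, fetch_range) > 0:
        return "compromised"
    lowered = password.lower()
    if any(word in lowered for word in common_words):
        return "common-word"
    return "ok"

def constructed_range_service(breached_passwords):
    """Constructed stand-in for the HIBP range endpoint (NOT the real service):
    builds the same prefix -> 'SUFFIX:COUNT' table from a sample breach list."""
    table = {}
    for pw, count in breached_passwords.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        table.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    def fetch_range(prefix):
        return "\r\n".join(table.get(prefix.upper(), []))
    return fetch_range
```

Because only the five-character prefix leaves the client, the service learns neither the password nor its full hash, which is what makes the check safe to run at login and signup.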
Evernote offers two-step verification (“2SV”), also known as two-factor or multi-factor authentication, for all accounts. Our 2SV mechanism is based on a time-based one-time password algorithm (TOTP). All users can generate codes locally using an application on their mobile device.
Email Security
Evernote gives you a way to create notes in your account by sending emails to a unique Evernote email address. To protect you from malicious content, we scan all email we receive using a commercial anti-virus scanning engine.
When you receive an email from Evernote, we want you to be confident that it really came from us. We publish an enforcing DMARC policy to improve your confidence that email you receive from Evernote is legitimate. Every email we send from the following domains will be cryptographically signed using DKIM and originate from an IP address we publish in our SPF record.
Evernote:
- @evernote.com
- @account.evernote.com
- @accounts.evernote.com
- @comms.evernote.com
- @communications.evernote.com
- @mail-svc.evernote.com
- @messages.evernote.com
- @notifications.evernote.com
- @nsvc.evernote.com
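What "enforcing DMARC policy" means for a receiving mail server, as an added example that is not Evernote's code: the receiver looks up the sender's DMARC record, checks whether SPF or DKIM passed, and checks that the passing identifier aligns with the From: domain (for the subdomains listed above, relaxed alignment accepts a DKIM signature from the organizational domain evernote.com). If neither passes and aligns, the policy's p= action applies. The DMARC record, the report address and the authentication results below are constructed samples, not Evernote's real DNS data.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def is_enforcing(record):
    """An enforcing policy is p=quarantine or p=reject; p=none only monitors."""
    tags = parse_dmarc(record)
    return tags.get("v", "").upper() == "DMARC1" and \
        tags.get("p", "none").lower() in ("quarantine", "reject")

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (a real receiver
    consults the Public Suffix List); e.g. nsvc.evernote.com -> evernote.com."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, record, spf=("none", ""), dkim=("none", "")):
    """Return 'deliver' if SPF or DKIM passes *and* aligns with the From: domain,
    otherwise the action the domain owner requested in the policy."""
    tags = parse_dmarc(record)
    spf_result, spf_domain = spf      # SPF authenticates the MAIL FROM (envelope) domain
    dkim_result, dkim_domain = dkim   # DKIM authenticates the d= domain of a valid signature
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    return tags.get("p", "none").lower()  # 'none', 'quarantine' or 'reject'

# Constructed record for illustration only (placeholder report address).
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"
```

A message that passes SPF for an unrelated domain but carries an Evernote From: address fails alignment and is rejected under the sample policy, which is the protection an enforcing record provides.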
Customer Segregation
The Evernote service is multi-tenant and does not segment one user’s data from other users’ data. We consider our users’ data private and do not permit other users to access it unless the data owner explicitly shares it.
Media Disposal and Destruction
We utilize a variety of storage options in the Google Cloud Platform, including local disks, persistent disks, and Google Cloud Storage buckets. We take advantage of Google’s cryptographic erasure processes to ensure that repurposing storage does not result in exposing users’ private data.
Activity Logging
The Evernote service performs server-side logging of client interactions with our services. This includes web server access logging, as well as activity logging for actions taken through our API. We also collect event data from our client applications. In the Access History section of the Account Settings, users can view the recent access times and IP addresses for each application connected to their account.
Transport Encryption
Evernote uses industry-standard encryption to protect users’ data in transit. We force HTTPS for all services using TLS. Encryption is managed by Fastly through our CDN and by the Google Cloud Platform in certain cases.
We support STARTTLS for both inbound and outbound email. If a user’s mail service provider supports TLS, their email will be encrypted in transit, both to and from the Evernote service.
Encryption at Rest
Evernote uses infrastructure from Google Cloud for data center hosting. The users’ data that we store in the Google Cloud Platform is protected using Google’s built-in encryption-at-rest features. More technically, we use Google's server-side encryption feature with Google-managed encryption keys to encrypt all data at rest using AES-256, transparently and automatically. Additional information on how encryption at rest protects data is available in Google Cloud’s documentation.
Resiliency / Availability
Evernote is deployed on public cloud infrastructure. Services are deployed to multiple zones for availability and are configured to scale dynamically in response to measured and expected load. We operate a fault-tolerant architecture to ensure that Evernote is always available when users need it.
In the event of a major region outage, Evernote has the ability to deploy to a new hosting region. We have dedicated monitoring to spot downtime and promptly react to any kind of incident.
Our cloud infrastructure provider offers fault-tolerant facility services including power, HVAC, and fire suppression.
We provide live and historical status updates on our service availability on our service status page.
We regularly back up all users’ content. We do not utilize portable or removable media for backups.
Physical Security
We operate the Evernote service using Google Cloud Platform. Google has undergone multiple certifications that attest to its ability to physically secure Evernote’s data. More about Google Cloud Platform’s security is available on their cybersecurity overview page.
Third-party Security
Evernote understands the risks associated with improper vendor management. We evaluate and perform due diligence on all of our vendors prior to engagement to ensure their security meets a suitable standard. If they do not meet our requirements, we do not proceed with them.
Privacy and Compliance
All Evernote data resides inside the United States. Please see our privacy center for more information.