Enterprise-grade security and privacy controls are at the heart of the Time To Reply’s infrastructure and cloud platform. Time To Reply strives to earn customer trust by enforcing world-class security practices and standards.
We keep customer data both private and secure through a multi-layered physical and network-level security hierarchy.
Time To Reply is in no way involved in the email flow and has no effect on the successful or unsuccessful delivery of emails. User’s email will continue to perform as normal, and independently of Time To Reply.
Time To Reply is a Cloud-based email analytics tool that shows businesses how long it takes their
staff to respond to emails. Our Website and Software is owned and controlled by Time to Reply Limited, a company incorporated in the United Kingdom.
The system works by ingesting email header information and processing this information to
produce email reply time reports and other email performance metrics.
Time To Reply works with o365, Gmail/GSuite, IMAP, MS Exchange and Mimecast. Depending
on which one of these options is chosen, Time To Reply works differently in terms of how it
ingests the data, the procedure required to add a mailbox, and how it connects to those
Each option is explained in this document.
Once the data has been ingested, the data resides on Time to Reply’s Amazon Web Services
(AWS) servers. The data is stored in a database that is not accessible via the public internet.
Usernames and password data (where this is gathered) is encrypted and the keys are stored in a separate database. Data that is transferred between Time to Reply and 3rd parties such as the Gmail API, o365 API, Mimecast API or Nylas API is done so over SSL.
Time To Reply only views and stores the header information of emails. Time To Reply does not
view nor store the body or attachments of any email.
Before submitting your personal information to our Website and/or Software, please read this Policy carefully to learn about our privacy practices. By visiting Time To Reply’s Web site, www.timetoreply.com, you are accepting the practices described herein.
- What information we collect from you
- How we use your information
- With whom we share your information
- How you can access your information
- Your choices with respect to the collection and use of your information
- How we protect your information
- Children’s privacy
- External links
- How you can contact us
What information we collect from you
We receive and store any information you enter on our Website, Live Chat, email and/or Software, including your first and last name, company name, telephone number, e-mail addresses, username and password.
Time To Reply is a email analytics and email response time software tool. Once a mailbox has been added to our Software to be tracked, we ingest and store the following meta information from your email headers:
We do not ingest or store the body or an email or any attachments.
Our software connects to different mailboxes using different methods. These methods are listed below:
In order to ingest email from an o365 mailbox Time to Reply connects via the MS Graph API using OAuth 2.0 protocol (https://graph.microsoft.com). To add a mailbox, the user simply enters an Agent’s name and email address, and then clicks “Add”. Note: no password is required. An email will be sent to the email address that has been added, and which includes an “activation” link. The owner of the email address would be required to click the activation link, follow the steps to grant permission to Time to Reply, and Time to Reply’s software begins tracking their email performance. An alternative option is to use Time To Reply’s o365 Bulk Add option. This allows the user to authenticate once with an o365 admin user’s credentials, “tick” the mailboxes they would like to track, and then add them to Time To Reply without each mailbox needing to authenticate one-by-one.
Gmail / GSuite
In order to ingest email from a Gmail/Gsuite mailbox Time to Reply connects via the Gmail REST API using OAuth 2.0 protocol (https://developers.google.com/gmail/api/guides/). To add a mailbox, the user simply enters the Agent’s name and email address and then clicks “Add”.
Note: no password is required. An email will be sent to the email address that has been added, and which includes an “activation” link. The owner of the email address would be required to click the activation link, follow the steps to grant permission to Time to Reply, and Time to Reply’s software begins tracking their email performance.
The scope that Time To Reply Limited uses from the Gmail API is:
https://www.googleapis.com/auth/gmail.metadata Read resources metadata including labels, history records, and email message headers, but not the message body or attachments.
In order to ingest email from an IMAP mailbox, Time to Reply connects to the mailbox in the same way as Outlook / Mac Mail does. To add a mailbox, Time to Reply requires a username and password, a mail server address and a port number. The password is encrypted and stored separately from the encryption key.
Microsoft (MS) Exchange
In order to connect to MS Exchange mailboxes (self-hosted or cloud hosted) Time to Reply uses a 3rd party service called Nylas. Nylas is an API service that allows services such as Time To Reply to access MS Exchange mailboxes securely. Their security document can be found here: https://www.nylas.com/security/. To add an MS Exchange mailbox, a user would need to enter their mailbox username, password and mail server address. These credentials are entered into the Nylas system and are stored by Nylas and not by Time To Reply. Time To Reply has no access to these credentials which are securely stored within the Nylas secure environment. Once the mailboxes have been added, Time to Reply polls the MS Exchange mailboxes and analyses the email header information.
In order to ingest email header information from Mimecast, Time to Reply connects to Mimecast via their API. This connection option is currently in invite-only beta. Please contact email@example.com for more information.
This website uses Google AdWords
COOKIES DO NOT IN ANYWAY IDENTIFY YOU OR GIVE ACCESS TO YOUR COMPUTER. The cookie is used to say “This person visited this page, so show them ads relating to that page.” Google AdWords Remarketing allows us to tailor our marketing to better suit your needs and only display ads that are relevant to you.
Information About Others.
You will have the opportunity to provide contact information for other people through our Website. You should obtain the consent of other individuals prior to providing Time To Reply with their personal information.
Information from Other Sources.
We also may periodically obtain both personal and non-personal information about you from affiliated entities, business partners and other independent third-party sources and add it to other information about you. For example, if you visit Time To Reply by “clicking-through” from a site operated by one of our business partners, and you have registered with that partner, then information about you that you have provided to that partner may be shared with us, such as contact information and demographic information. As another example, if you access third-party services, such as social media services, through our Web site or before coming to our Website, we may collect information such as your user name, password, and other information made available to us through those services in order to improve and personalize your use of our Web site.
We automatically collect some information about your computer when you visit Time To Reply. For example, we will collect session data, including your IP address, Web browser software, and referring Web site. We also may collect information about your online activity, such as content viewed and pages visited. One of our goals in collecting this automatic information is to help us understand the interests of our users and customize your user experience.
Cookies and Other Web Technologies.
- To help us customize the content, website experience, and advertisements provided to you on our websites and on other websites across the Internet. For example, when you access a web page, a cookie is automatically set by us, our service providers, or our partners to recognize your browser as you navigate on the Internet and to present you with information and advertising based on your apparent interests.
- To help measure and research the effectiveness of website features and offerings, advertisements, and e-mail communications (by determining which e-mails you open and act upon).
The Help portion of the toolbar on most browsers should tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable most types of cookies. Please note that if you refuse to accept cookies, you may not be able to access many of the tools offered on our sites.
Our sites also may use Web beacons (also known as clear gifs, pixel tags or Web bugs), which are tiny graphics with a unique identifier, similar in function to cookies, that are placed in the code of a Web page. We use Web beacons to monitor the traffic patterns of users from one page within our sites to another, to deliver or communicate with cookies, to understand whether you have come to our site from an online advertisement displayed on a third-party website, and to improve Website performance. We also may allow our service providers to use Web beacons to help us understand which emails have been opened by recipients and to track the visitor traffic and actions on our Website. This helps us measure the effectiveness of our content and other offerings.
Call Recording and Monitoring.
How we use your information
Time To Reply uses the information we collect from you for the sole purpose of providing you with our email analytics service and to generate email response time performance metrics for your account.
Your information is not accessible by any other customer.
Your identifiable information will never be shared with a 3rd party and if Time To Reply decides to use customer data to develop industry benchmark statistics the data will be anonymized and aggregated to protect your data privacy.
Data will only be transferred to a 3rd party if necessary to provide or improve the user-facing features of Time To Reply to provide email analytics and email response time performance metrics for your company.
Data may also be transferred if necessary to comply with applicable law or as part of a merger, acquisition, or sale of assets with notice to users.
All other transfers or sales of the user data is prohibited.
Your data will not be transferred or sold to any 3rd party for serving ads, including retargeting, personalized, or interest-based advertising; and no humans are allowed to read your data, unless
- We first obtained your affirmative agreement for specific message headers;
- It is necessary for security purposes (such as investigating a bug or abuse);
- It is necessary to comply with applicable law; or
- Its use is limited to internal operations and the data (including derivations) have been aggregated and anonymized.
These prohibitions apply to the raw data obtained from Restricted Scopes and data aggregated, anonymized, or derived from them.
All Time To Reply employees, agents, contractors, and successors are bound to comply with the Google API Services: User Data Policy.
With whom we share your information
Time To Reply may share your information with the following entities:
- Time To Reply Resellers for the sole purpose of selling and supporting Time To Reply.
- If you use Time To Reply to track MS Exchange server mailboxes, we use a 3rd Party solution called Nylas.com to connect to MS Exchange servers via their secure API.
We also may share your information:
- In response to subpoenas, court orders, or other legal processes; to establish or exercise our legal rights; to defend against legal claims, or as otherwise required by law. In such cases, we reserve the right to raise or waive any legal objection or right available to us.
- When we believe it is necessary to investigate, prevent, or take action regarding illegal or suspected illegal activities; to protect and defend the rights, property, or safety of Time To Reply, our customers, or others; and in connection with our Terms and Conditions and other agreements.
- In connection with a corporate transaction, such as a divestiture, merger, consolidation, or asset sale, or in the unlikely event of bankruptcy.
Other than as set out above, you will be notified when personal information about you will be shared with third parties, and you will have an opportunity to choose not to have us share such information.
How you can access your information
We take reasonable steps to ensure that your information is relevant to its intended use, accurate, and complete. You can access and update your contact information by emailing us using firstname.lastname@example.org.
You can log in to your Time To Reply account using your username and password that you create when you sign up.
You can close your Time To Reply account by contacting us at the email address listed below.
We will send you an e-mail to confirm your request. Please note that after you close an account, you will not be able to sign in or access any of your personal information. However, you can open a new account at any time.
Your choices with respect to the collection and use of your information
- As discussed above, you can choose not to provide us with any information, although it may be needed to take advantage of certain product features offered on Time To Reply.
- You can add or update information or close your account as described above.
- As a registered Time To Reply customer, you can modify your subscription choices at any time by emailing us.
- You can unsubscribe from any email correspondence or system notifications using the link provided in all promotional or notification emails.
- The Help portion of the toolbar on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Please note that if you refuse to accept cookies from timetoreply, you will not be able to access certain portions of our site.
How we protect your information
Please view the Time To Reply security document for a detailed explanation of how we protect your data and our security policies: https://timetoreply.com/wp-content/uploads/2019/02/Time-To-Reply-Security-And-Privacy-Document-2.pdf
Who Owns Your Data?
You own the data associated with your account. And, at any time, you can securely remove your data from our servers by logging into your account and requesting such deletion or by emailing email@example.com.
We only access the header information associated with your emails. The actual email body and attachments of your emails are never downloaded or accessed within our computer systems.
When you cancel your subscription all personally identifiable data is securely deleted from our servers.
If for any reason, Time to Reply Limited. decides to close Time To Reply, all users will be contacted by email and their account information will be securely deleted from our servers in a timely manner.
Time To Reply is a general audience site and does not offer services directed at children. Should an individual whom we know to be a child under age 13 send personal information to us, we will delete or destroy such information as soon as reasonably possible.
Time To Reply adheres to a high level of operational excellence. Time To Reply has multiple interlocking policies for incident response, audits, and privacy. We believe security practices should be transparent to customers, and these measures are outlined below.
Incident Response Policy
As part of our basic service to all customers, all Severity Level 1 and Business Critical incidents are closely monitored and responded to 24/7, 365 days a year. Our dedicated Infrastructure Security teams are constantly monitoring both our infrastructure, as well as alerts from upstream vendors, throughout all our Operation Centers. We use notification and alert systems to immediately identify and manage risks and threats. Time To Reply network status and incidence reports are posted on the live site and on the dashboard should we experience any Severity Level 1 and Business Critical incidents
Time To Reply uses https://portswigger.net/burp to scan our systems for security vulnerabilities. All access to production clusters is logged and audited regularly. The production cluster is accessible only to Time To Reply operational staff and engineers, whose primary responsibility is the construction and maintenance of the Time To Reply software system. We also perform regular security audits of our own code, third-party libraries, and our infrastructure automation. We update any software dependencies we have, so as to remain up to date with all the latest security patches at all times.
Encryption and Access Control
Time To Reply utilizes multiple application-level security mechanisms and features to ensure customer data safety. Each account’s data set is isolated with multi-level permission checks. All API calls require OAuth2 authentication tokens only granted by Microsoft, Google or Nylas, and user data is encrypted.
Time To Reply ensures user information and identity protection through our adherence to the OAuth protocol. User Authentication to email back-ends (i.e. Gmail, Microsoft Exchange) is completed via OAuth2 where possible, and encrypted password-based Auth otherwise. OAuth2 is the top industry-standard secure authentication protocol that provides developers with individual revocable tokens per e-mail account.
Time To Reply uses TLS 1.2 to encrypt bidirectional session traffic between our application and our end users’ browser. Customer Data Backups: Time To Reply does not keep backups of customer data. In the event of a loss of data, Time To Reply will re-ingest your account data directly from your mail server. It is the customers’ responsibility to backup their own mail server data. As long as the data is on their mail server Time to Reply will be able to restore users’ email analytics data on Time To Reply.
Time To Reply has procedures and controls in place to appropriately limit access to customer data and mitigate the risk of insider threats. Access is granted on a least-privilege basis and all requests require management approval. All access is logged and regularly audited to ensure policies are followed. Customer data may be accessed in the event that a customer account enters a failure state that requires accessing email data for debugging purposes. This data is not accessed for debugging unless an error cannot be resolved without doing so; all private data is excluded from system logs.
Network Transport and Storage
Time To Reply implements best practices for maintaining service-wide network security. We deploy the latest technology to provide uninterrupted service and guard against attack. Internal sync infrastructure is isolated from the public Internet within separate VPCs, blocking all inbound connections and persistence and storage layers are encrypted and secured behind VPN and firewalls.
Time To Reply adheres to industry standard practices for securing and maintaining our infrastructure, with additional protection being afforded by our firewalls. Each system uses firewalls to restrict access from external networks and between systems internally. To mitigate both internal and external risk, access is restricted to only the ports and protocols required for specific business needs.
Denial-of-Service (DOS) Prevention
Time To Reply implements best practices for preventing DoS attacks and uses Cloudflare to assist in preventing DoS attacks: https://www.cloudflare.com/ddos/ Distributed Denial-of-Service (DDOS) Prevention: Time To Reply data centers are hosted at AWS, and AWS uses a variety of proprietary DDoS mitigation techniques to guard against the risk of attacks. In addition, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity and to ensure network availability and Time To Reply makes use of Cloudflare for additional protection: https://www.cloudflare.com/ddos/
Automated systems deploy new code to Time To Reply clusters in real time, to ensure smooth transitions between software updates with no downtime.
All web traffic between the user’s mail server and Time To Reply is encrypted using TLS (Transport Layer Security) to protect customer data. The only exception is if the user specifically chooses not to make use of this by connecting to IMAP without encryption. Time to Reply’s systems enforce TLS communication channels over public networks, and only support certificates signed by well-known CAs. The TLS protocol provides data encryption and authentication between the customer’s mail server and Time To Reply servers and prevents third parties from gaining illegitimate access to information.
Infrastructure and Physical Security
All Time To Reply physical infrastructure and data centers are housed in state-of-the-art secure facilities with industry standard access controls and physical security measures. Time To Reply is hosted at Amazon Web Services (AWS) data centers, which are highly scalable, secure, and reliable. AWS complies with leading security policies and frameworks, including SSAE 16, SOC framework, ISO 27001, and PCI DSS Level 1. SSAE 16, or more formally, Statement on Standards for Attestation Engagements No.16, is key guidance for reporting on internal controls for service organizations. SSAE 16 is used for reporting on the Service Organization Control (SOC) framework, which consists of SOC 1, SOC 2 and SOC 3. SOC 1 is focused toward an organization’s internal controls over financial reporting, while SOC 2 and SOC 3 cover reporting for the security, availability, processing integrity, confidentiality, and privacy for service organizations, including cloud and data center providers. AWS is certified to ISO 27001, which describes a systematic approach to managing sensitive information so that it remains secure. ISO 27001 covers a risk management process that encompasses people, processes, and IT systems. AWS is also Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS), enabling customers to run applications on AWS’s PCI-compliant infrastructure for storing, processing, and transmitting credit card information in the cloud. Additional AWS physical security measures include:
At each AWS hosting site, Time To Reply servers are secured at all times by trained security guards, and access is authorized strictly on a least privileged basis. The data centers use state-of-the-art electronic surveillance to monitor any suspicious activity.
AWS CloudTrail provides logs of all user activity to the Time To Reply servers. Time To Reply employees can monitor and track what actions were performed on each of the Time To Reply resources, and by whom.
Time To Reply have no access using username and password, and can only access the server through SSH by using a security key. Any other SSH access is disabled.
Multiple Redundancy Zones
AWS spans multiple geographic regions and Availability Zones, which allow Time To Reply servers to remain resilient in the event of most failure modes, including natural disasters or system failures. In addition, each AWS data center has independent power grids, as well as redundant power, HVAC and fire suppression systems. The AWS data centers use state-of-the-art practices for fault tolerance at each level of the system infrastructure, including Internet connectivity, power, and cooling.
How you can contact us