Evernote

The Evernote family of products helps you remember and act upon ideas, projects and experiences across all the computers, phones and tablets you use. Evernote is based in Redwood City, California USA and has been operating since 2007. You can contact real, live, support people via their online support forum. Evernote encrypts all data in transit between your computer and their servers, but they may not encrypt your data while it is on their servers. Evernote service is hosted in a data centre in Santa Clara, CA USA that has been independently audited to ensure your data is stored securely while still being easily available to you. However, Evernote does not list their expected service availability (the % of the time their service is expected to be accessible online). Evernote allows you to import a very wide variety of data into its services. It is more difficult to export Evernote files locally. Upon termination, your Evernote may remain available to you for 30 days. Evernote does not specify whether or not your files will be deleted.

This disclosure was provided and researched by Arrowrock. Sources are cited where possible.

Please report any inaccuracies in this report by leaving a reply below or sending us a private message. Thank you!

Company Identity

Trading Name: Evernote
Company Website: https://evernote.com/
Company Phone Number: Not available
Company Email Address: Not available
Physical Address: 305 Walnut Street, Redwood City, CA 94063 USA

What services does this disclosure apply to?
Evernote – http://evernote.com/
Skitch – http://evernote.com/skitch/
Penultimate – http://evernote.com/penultimate/
Evernote Web Clipper – http://evernote.com/webclipper/
Evernote Hello – http://evernote.com/hello/
Evernote Food – http://evernote.com/food/
Evernote Clearly – http://evernote.com/clearly/
Evernote Peek – http://evernote.com/peek/
Evernote Business – http://evernote.com/business/

What country holds legal jurisdiction over the service(s)?
United States

How long has your company been operating?
Since 2007.

How long has your company been providing the service(s) covered in this disclosure?
The main Evernote service has been provided since 2008.

Is your company currently profitable?
Evernote has received $251M (USD) in total venture funding as of March 2013.
http://www.crunchbase.com/company/evernote

Customer Support and Service Level Agreement

What are your standard customer support hours?
We provide online chat support for Evernote Premium users, Monday through Friday between 9:00 AM and 5:00 PM, US Pacific Time. Chat is currently only available in English.

Email window instructions read: To open a support inquiry or report a problem, please enter your email address. Inquiries from Evernote Premium users will receive a priority response (within one business day, Monday-Friday).
http://evernote.com/contact/support/

What channels are available for communication with clients?
Online Support Portal
http://evernote.com/contact/support/

Chat (for Premium users)
https://www.evernote.com/Chat.action

Which is your preferred channel for client communications?
Unfortunately, due to cost and security considerations, we’re unable to provide phone or remote desktop. Additionally, our support department often requires things like files and screenshots from a user’s computer.

However, we do offer real-time chat support for Premium subscribers between the hours of 9:00am and 5:00pm, Pacific Time. Chat is currently only available in English. To access this feature, visit Evernote’s support site and click “Chat with Evernote” to begin chatting with a support representative.
https://support.evernote.com/link/portal/16051/16058/Article/1657/Does-Evernote-offer-phone-or-chat-support

Do you collect any information from client communications?
Not available

What is your standard response time for customer support inquiries?
Not available

Do you proactively communicate information about future planned outages and maintenance to clients?
Yes.
Visit status.evernote.com or evernote.com/support to view the current status of the Evernote service at any time. Evernote also posts updates to a Twitter handle (@evernotestatus) about outages, status updates, etc.

Do you proactively communicate information about current unscheduled outages and incidents to clients?
Yes.
Visit status.evernote.com or evernote.com/support to view the current status of the Evernote service at any time. Evernote also posts updates to a Twitter handle (@evernotestatus) about outages, status updates, etc.

Do you make incident reports available to clients after major incidents?
Not available

What is the expected uptime of the service?
Not available

Has the service experienced any outages in the last 12 months?
Not available

Does the SLA guarantee service uptime?
No

Security

Are logs kept of client logins and locations?
No

Does your service support password/account recovery?
Yes:
If you forgot your password, follow these steps:
1. From a browser, go to the Evernote Web login.
2. Click the “Forgot Your Password” link.
3. Enter your email address or account username.
4. Check your email for a link to reset your password. You may need to check your Spam folder or a corporate email filter for this message.
https://support.evernote.com/ics/support/KBAnswer.asp?questionID=4380&hitOffset=220+47&docID=24266

Does the service monitor for any suspicious account activity?
Not available

Does your service offer two-step or multi-factor authentication?
Two-Factor authentication is not yet available for Evernote. We are working on an approach that gives you increased security without making Evernote harder to use. We plan on rolling out several related security and protection enhancements in the near future.
https://support.evernote.com/link/portal/16051/16058/Article/4382/Does-Evernote-support-Two-Factor-Authentication

Does your service offer login via other services?
Not available

Does your service secure all client data in transit?
User authentication (i.e. username + password) is always performed over SSL when you communicate with Evernote. This uses 1024-2048 bit RSA keys and a symmetric session key that’s negotiated between your client/browser and our server.

The data in user notes is also transferred via SSL.

https://support.evernote.com/ics/support/KBAnswer.asp?questionID=1652

Does your service secure client data at rest?
If you encrypt text within a note, we derive a 64-bit RC2 key from your passphrase and use this to encrypt the text. This is the longest symmetric key length permitted by US Export.

https://support.evernote.com/ics/support/KBResult.asp?searchFor=password+recovery

Does your service allow clients to collaborate with 3rd parties?
Yes

Does your primary system reside in a data center with a security certification?
The data center where the Evernote service operates is SAS 70 (Type II) and SSAE16 SOC-1 (Type 2) certified and requires two-factor authentication for admittance. All access to the data center is limited in scope of personnel and regular audit reviews are conducted.
http://evernote.com/business/resources/security_and_privacy/

Does your backup/disaster recovery system reside in a data center with a security certification?
The data center where the Evernote service operates is SAS 70 (Type II) and SSAE16 SOC-1 (Type 2) certified and requires two-factor authentication for admittance. All access to the data center is limited in scope of personnel and regular audit reviews are conducted.
http://evernote.com/business/resources/security_and_privacy/

Data Ownership

Do you claim ownership of any client data or information uploaded to your service?
No.
You retain copyright and any other rights you already held in your Content before you submitted, posted or displayed it on or through the Service. But you do have to grant Evernote a limited license, as described below, so we can make your data accessible and usable on the Service. Other than this limited license and other rights you grant in these Terms, Evernote acknowledges and agrees that we do not obtain any right, title or interest from you under these Terms in any of your Content.
http://evernote.com/legal/tos.php

Does the client retain full ownership of any data or information transmitted or stored via upstream providers?
Yes.
You retain copyright and any other rights you already held in your Content before you submitted, posted or displayed it on or through the Service. But you do have to grant Evernote a limited license, as described below, so we can make your data accessible and usable on the Service. Other than this limited license and other rights you grant in these Terms, Evernote acknowledges and agrees that we do not obtain any right, title or interest from you under these Terms in any of your Content.
http://evernote.com/legal/tos.php

Does client use of your service generate any metadata or other statistical information?
Yes. Evernote’s web site and applications also collect and receive information from your computer or mobile device, including the activities you perform within your account, the type of hardware and software you are using (for example, your operating system or browser), and information obtained from cookies (see our Cookie Information Page for more information). When you access Evernote via an Evernote Software application, that application will request access to certain information on your computing device. For more information on these application permissions, please visit our Data Usage page.
http://evernote.com/legal/privacy.php

We use cookies to help recognize and remember you when you are logged into Evernote so we can remember your settings and preferences, such as your language and region or your logged-in state. These cookies also may help us provide services you have asked for, such as watching a video or commenting on our user forum. These cookies do not track your browsing activity on non-Evernote websites.

We use another tool, similar to Google Analytics, from Chartbeat to measure information about how users navigate our website, particularly the Evernote Trunk. The Chartbeat cookies can provide us with real-time data about how users are using our site. For example, they can tell us if someone is a new user to our site or a repeat user. They also can give us information about user engagement on our site, such as where on our site users are spending the most time.
We also use a marketing automation service called Marketo. Marketo uses cookies to provide information on how a user interacts with our web site and marketing emails. Marketo provides valuable information on a user’s visit to Evernote web pages, completion of Evernote web forms, and interaction with both marketing and sales emails. These cookies allow us to refine our marketing efforts and provide more relevant information to users.
http://evernote.com/legal/cookies.php

Data Location

Where are the primary systems that host client data located?
Santa Clara, California, USA
http://evernote.com/business/resources/security_and_privacy/

Where are the backup/disaster recovery systems that host client data located?
Not available

Are there any other systems that host client data on behalf of your service?
No

Data Access and Use

Does the client have full access to their data during the service contract period?
Yes. They have access to their data via the Evernote website or via Evernote desktop/mobile apps.

Can the client freely download their data from the service during the contract period?
Yes.
This is not accomplished as easily as uploading data. If you utilise the Evernote desktop application on a Windows or Apple computer, it will automatically save a local copy of all notes. Evernote files can also be duplicated into another service (such as Dropbox) by utilising 3rd party applications (such as CloudHQ).
http://discussion.evernote.com/topic/34772-video-of-how-to-backup-export-evernote-to-dropbox-or-skydrive-box-or-google-drive/

Can the client easily import/upload their data from a competing service provider into your service?
Yes.
Collect information from anywhere into a single place. From text notes to web pages to files to snapshots, everything is always at your fingertips.
http://evernote.com/evernote/

Does your service include an API to access client data?
Evernote provides a rich API that developers can use to create custom applications and services. For more information, see the following pages on our Web site: Evernote’s Developer Home Page API
http://dev.evernote.com/start/core/

You will need the following information in order to build an OAuth client (consumer) that works with Evernote:
Temporary credential request URI: https://evernoteHost/oauth
Resource owner authorization URI: https://evernoteHost/OAuth.action
Token request URI: https://evernoteHost/oauth
Security: HTTPS for all requests
Supported signature methods: PLAINTEXT & HMAC-SHA1
Supported OAuth parameter locations: HTTP Authorization header & request URI query parameters
http://dev.evernote.com/start/core/authentication.php
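
The two signature methods listed above differ in what crosses the wire. The following is an added example, not code from Evernote or from this disclosure: it signs a temporary credential request both ways following OAuth 1.0 (RFC 5849), using only the Python standard library. The consumer key, secret, nonce, timestamp, callback and the choice of GET are constructed sample values, and "evernoteHost" is the placeholder host from the list above.

```python
import base64, hashlib, hmac
from urllib.parse import quote, urlsplit

def pct(value):
    # OAuth 1.0 percent-encoding (RFC 5849 3.6): only unreserved characters stay literal.
    return quote(str(value), safe="")

def base_string(method, url, params):
    # Signature base string: METHOD & base URI & sorted, encoded parameters.
    # Default-port stripping is omitted; the sample URL carries no port.
    u = urlsplit(url)
    base_uri = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # The key is the two secrets joined by '&'; the token secret is empty
    # for the temporary credential request.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    scheme = params["oauth_signature_method"]
    if scheme == "PLAINTEXT":
        return key  # the secret itself travels; only HTTPS protects it
    if scheme == "HMAC-SHA1":
        mac = hmac.new(key.encode(), base_string(method, url, params).encode(), hashlib.sha1)
        return base64.b64encode(mac.digest()).decode()
    raise ValueError(f"unsupported signature method: {scheme}")

def authorization_header(params, signature):
    # HTTP Authorization header form of the OAuth parameters.
    fields = dict(params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields.items()))

def verify(method, url, params, received, consumer_secret, token_secret=""):
    # Server side: recompute the signature and compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, received)

# Constructed sample values; "evernoteHost" is the page's own placeholder host.
URL = "https://evernoteHost/oauth"
SECRET = "s3cr3tEXAMPLE"
PARAMS = {
    "oauth_consumer_key": "example-consumer",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1363000000",
    "oauth_nonce": "c0nstructedN0nce",
    "oauth_callback": "https://client.example/cb",
}

if __name__ == "__main__":
    for scheme in ("PLAINTEXT", "HMAC-SHA1"):
        p = dict(PARAMS, oauth_signature_method=scheme)
        header = authorization_header(p, sign("GET", URL, p, SECRET))
        print(scheme, "secret visible in header:", SECRET in header)
    sig = sign("GET", URL, PARAMS, SECRET)
    tampered = dict(PARAMS, oauth_callback="https://other.example/cb")
    print("tampered callback verifies:", verify("GET", URL, tampered, sig, SECRET))
```

With PLAINTEXT the consumer secret appears in every request and nothing binds the signature to the request parameters, so its safety rests entirely on the HTTPS requirement; HMAC-SHA1 keeps the secret off the wire and rejects a request whose parameters were altered.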

Following termination of the service, will the client be able to access their data?
Yes.
You may close your account with our Service at any time, for any reason (or no reason), and you don’t even have to give us notice. However, if you desire to deactivate your account you need to take certain specific steps, which are described here.
In most cases, in the event we elect to close your account, we will provide at least 30 days advance notice to you at the email address you have provided to us, so you have a chance to retrieve any Content stored on Evernote’s servers (unless we determine that we are legally prohibited from enabling you to do so). After the expiration of this notice period, you will no longer be able to retrieve Content contained in that account or otherwise use the Service through that account.
http://evernote.com/legal/tos.php

Following termination of the service, is all client data deleted?
Not available

Does anyone in your organization (including contractors and upstream providers) have the ability to directly access client data?
Yes. Your privacy in your Content is a paramount concern for us, and we hope that we never need to examine anyone’s Content. However, there are limited circumstances in which we may have the need to review part or all of your Content, as discussed in our Privacy Policy.
http://evernote.com/legal/tos.php

As a rule, Evernote employees do not monitor or view your personal information or Content stored in the Service, but it may be viewed if we believe our Terms of Service have been violated and confirmation is required, if we need to do so in order to respond to your requests for user support, or we otherwise determine that we have an obligation to review it as described in our Terms of Service. Your Notes also may be viewed where necessary to protect the rights, property or personal safety of Evernote and its users, or in order to comply with our legal obligations, such as responding to warrants, court orders or other legal process.
http://evernote.com/legal/privacy.php

Does your company use client data or information for any business function (other than the provision of the service)?
We believe it is necessary to investigate potential violations of our Terms of Service, to enforce those Terms of Service, or where we believe it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud or potential threats against persons, property or the systems on which we operate the Service.
We determine that the access, preservation or disclosure of information is required or permitted by law to protect the rights, property or personal safety of Evernote and our users or is required to comply with applicable laws, including compliance with warrants, court orders or other legal process.
We need to do so in connection with the sale or reorganization of all or part of our business, as permitted by applicable law.
http://evernote.com/legal/privacy.php

Does your company use client data or information to generate revenue (other than the provision of the service)?
No

Do you access client data in any additional circumstance not yet specified in this disclosure?
Some applications that work with our Service may ask for permission to access your Content or other information about your account. Those applications will provide you with notice and request your consent in order to obtain such access or information. Please consider your selection of such applications, and your permissions, carefully.
http://evernote.com/legal/privacy.php

Data Breach Notification

Do you have a policy in place for dealing with data loss or breach?
If Evernote learns of a security system breach, we may attempt to notify you and provide information on protective steps, if available, through the email address that you have provided to us or by posting a notice on our web site. Depending on where you live, you may have a legal right to receive such notices in writing.
http://evernote.com/legal/privacy.php

Do you notify clients if their data has been lost or compromised?
If Evernote learns of a security system breach, we may attempt to notify you and provide information on protective steps, if available, through the email address that you have provided to us or by posting a notice on our web site. Depending on where you live, you may have a legal right to receive such notices in writing.
http://evernote.com/legal/privacy.php

Backup and Maintenance

Does your service support data versioning?
Not available

How often are service/client data backups performed?
Each user’s data is stored on a logical server. Each server has fully redundant RAID hard drives. Each server is paired with a full-time, hot-failover mirror server into a logical “shard”. All data from the data center is backed up daily and stored in a secure location remote from the data center. All of your data is also stored locally on your device (if you’re using the Windows or Mac client or iPhone with offline notebooks enabled), which can be encrypted and / or backed up as the user desires. So your data is stored in at least five physical locations (RAID drives on each server, two servers per shard, offsite backup) plus your local computer(s). It’s pretty unlikely that it could all be lost. New shards can be added quickly to scale the system.
http://blog.evernote.com/blog/2010/04/27/thinkwasabi-interview-with-evernote-ceo-phil-libin/

What method is used to perform service/client data backups?
Each user’s data is stored on a logical server. Each server has fully redundant RAID hard drives. Each server is paired with a full-time, hot-failover mirror server into a logical “shard”. All data from the data center is backed up daily and stored in a secure location remote from the data center. All of your data is also stored locally on your device (if you’re using the Windows or Mac client or iPhone with offline notebooks enabled), which can be encrypted and / or backed up as the user desires. So your data is stored in at least five physical locations (RAID drives on each server, two servers per shard, offsite backup) plus your local computer(s). It’s pretty unlikely that it could all be lost. New shards can be added quickly to scale the system.
http://blog.evernote.com/blog/2010/04/27/thinkwasabi-interview-with-evernote-ceo-phil-libin/

How long is backup data retained for?
If you delete information and material from a notebook and then sync your account, it will no longer be accessible to you or others who may access the Service, but residual copies of your deleted Content may continue to exist on Evernote’s back-up and archiving systems for up to one year due to the nature of those systems’ operations.
http://evernote.com/legal/privacy.php

Disclaimer

The information in this report is provided “AS IS” without warranty of any kind, express or implied. Please use good judgement and verify the information you consider important before basing any decisions on it.