Where does Command E store data?
Document data synced from cloud APIs never leaves your laptop. The Command E desktop app fetches documents directly from cloud APIs (e.g. the G Suite API, the Asana API) to your local laptop. Documents never pass through our servers. Documents are never saved on our servers. We do not have a copy of your documents on our servers.
We spend a lot of time making sure we never see the contents of your documents, ever.
Is the data on my laptop encrypted?
The search index that the Command E desktop app builds is encrypted with 256-bit AES encryption. This application-level encryption sits on top of any encryption your laptop already uses.
API access tokens for cloud APIs are stored in your operating system's secure keychain (Keychain on macOS, Credential Vault on Windows).
Requests to cloud APIs are encrypted using SSL.
What is stored on Command E servers?
The email address you used to sign up for Command E
The name you used to sign up for Command E
Does my data travel through (i.e. "proxy" through) Command E servers?
No. After you authorize a cloud service, the Command E desktop app makes API calls directly from your laptop to the cloud service. None of the API calls (or responses) that sync cloud data travel through Command E servers. Command E servers are utilized to create the initial connection with a cloud account, but once you've authorized a cloud account we don't "proxy" or copy your data through Command E servers.
What data does the browser extension collect?
Data collected from the Command E browser extension never leaves your laptop. The extension talks directly to the Command E desktop app, all within your laptop. We never sync your data to our servers.
Data sent from the browser extension to the Command E desktop app includes:
Browser history, excluding anything accessed via Incognito mode
Any pages you've saved using the "Save to Command E" feature
A list of the open tabs, and the title for each tab
Sending this data from your browser to the Command E desktop app helps with search ranking, builds out your index in Command E, and allows you to find recently visited webpages (e.g. LinkedIn profiles).
Does my usage data go to third parties?
We use a small handful of industry-standard monitoring services—Sentry, Datadog, and Mixpanel—to ensure the Command E desktop app is operating as expected. We do not send the contents of your documents to these services.
Data sent to third parties:
The fact that you did a search, but not the query itself
The fact that you launched a Google Doc from Command E, but not the title or URL of the document you launched
Any bugs, crashes, or error logs that may have happened in Command E, but none of the document data
How do I disclose a vulnerability I've found with Command E?
Please contact Ben Standefer at email@example.com.