Evernote for Windows. (Picture: Evernote.com) Create a local notebook. Local notebooks are a great alternative if you do not want your information to be stored on Evernote’s servers. When using a local notebook, please be aware of the following: The notes in your local notebook will NOT be synchronized between your devices. If you’ve applied passwords to multiple sections in your notebook, you can lock them all at the same time. Right-click the name of any protected (but currently unlocked) notebook section, and then choose Password Protection Lock Protected Sections. OneNote immediately locks all protected sections in the current notebook.

Get organized and productive with the leading note-taking app. Download Evernote for Windows, Mac, iOS, or Android and create your free account.

Introduction

Evernote users trust us with billions of their notes, projects, and ideas. That trust is based upon us keeping that data both private and secure. The information on this page is intended to provide transparency about how we protect that data. We will continue to expand and update this information as we add new security capabilities and make security improvements to our products.

Security Program

Security is a dedicated team within Evernote. Our security team's charter is protecting the data you store in our service. We drive a security program that includes the following focus areas: product security, infrastructure controls (physical and logical), policies, employee awareness, intrusion detection, and assessment activities.

The security team runs an in-house Incident Response (“IR”) program and provides guidance to Evernote employees on how to report suspicious activity. Our IR team has procedures and tools in place to respond to security issues and continues to evaluate new technologies to improve our ability to detect attacks against our infrastructure, service, and employees.

We periodically assess our infrastructure and applications for vulnerabilities and remediate those that could impact the security of customer data. Our security team continually evaluates new tools to increase the coverage and depth of these assessments.

Network Security

Evernote defines its network boundaries using a combination of load balancers, firewalls, and VPNs. We use these to control which services we expose to the Internet and to segment our production network from the rest of our computing infrastructure. We limit who has access to our production infrastructure based on business need and strongly authenticate that access.

Account Security

Evernote never stores your password in plaintext. When we need to securely store your account password to authenticate you, we use PBKDF2 (Password Based Key Derivation Function 2) with a unique salt for each credential. We select the number of hashing iterations in a way that strikes a balance between user experience and password cracking complexity.

While we don’t require you to set a complex password, our password strength meter will encourage you to choose a strong one. We limit failed login attempts on both a per-account and per-IP-address basis to slow down password guessing attacks.

Evernote offers two-step verification (“2SV”), also known as two-factor or multi-factor authentication, for all accounts. Our 2SV mechanism is based on a time-based one-time password algorithm (TOTP). All users can generate codes locally using an application on their mobile device or can choose to have the codes delivered as a text message.

Email Security

Evernote gives you a way to create notes in your account by sending emails to a unique Evernote email address. To protect you from malicious content, we scan all email we receive using a commercial anti-virus scanning engine.

When you receive an email from Evernote, we want you to be confident that it really came from us. We publish an enforcing DMARC policy to improve your confidence that email you receive from Evernote is legitimate. Every email we send from the following domains will be cryptographically signed using DKIM and originate from an IP address we publish in our SPF record.

Evernote:

• @evernote.com
• @emails.evernote.com
• @comms.evernote.com
• @discussion-notification.evernote.com
• @mail-svc.evernote.com
• @account.evernote.com
• @notifications.evernote.com
• @messages.evernote.com

Product Security

Securing our Internet-facing web service is critically important to protecting your data. Our security team drives an application security program to improve code security hygiene and periodically assess our service for common application security issues including: CSRF, injection attacks (XSS, SQLi), session management, URL redirection, and clickjacking.

Our web service authenticates all third party client applications using OAuth. OAuth provides a seamless way for you to connect a third party application to your account without needing to give the application your login credentials. Once you authenticate to Evernote successfully, we return an authentication token to the client to authenticate your access from that point forward. This eliminates the need for a third party application to ever store your username and password on your device.

Every client application that talks to our service uses a well-defined thrift API for all actions. By brokering all communications through this API, we’re able to establish authorization checks as a foundational construct in the application architecture. There is no direct object access within the service and each client’s authentication token is checked upon each access to the service to ensure the client is authenticated and authorized to access a particular note or notebook. Please see dev.evernote.com for more information.

Customer Segregation

The Evernote service is multi-tenant and does not segment your data from other users’ data. Your data may live on the same servers as another user’s data. We consider your data private and do not permit another user to access it unless you explicitly share it.

Data Retention and Deletion

Evernote retains your content unless you take explicit steps to delete notes and/or notebooks. For information on how to delete notes, please see this help center article. For information on our retention policies, please refer to the section of our privacy policy, titled “Information Deletion”.

Media Disposal and Destruction

We securely erase or destroy all storage media if it has ever been used to store user data. We follow NIST’s guidance in special publication 800-88 to accomplish this. For an example of how we securely destroy broken hard drives, please check out this blog article.

We utilize a variety of storage options in Google’s Cloud Platform (“GCP”), including local disks, persistent disks, and Google Cloud Storage buckets. We take advantage of Google’s cryptographic erasure processes to ensure that repurposing storage does not result in exposing private customer data.

Activity Logging

The Evernote service performs server-side logging of client interactions with our services. This includes web server access logging, as well as activity logging for actions taken through our API. We also collect event data from our client applications. You can view the recent access times and IP addresses for each application connected to your account in the Access History section of your Account Settings.

Transport Encryption

Evernote uses industry standard encryption to protect your data in transit. This is commonly referred to as transport layer security (“TLS”) or secure socket layer (“SSL”) technology. In addition, we support HTTP Strict Transport Security (“HSTS”) for the Evernote service (www.evernote.com). We support a mix of cipher suites and TLS protocols to provide a balance of strong encryption for browsers and clients that support it and backward compatibility for legacy clients that need it. We plan to continue improving our transport security posture to support our commitment to protecting your data.

We support STARTTLS for both inbound and outbound email. If your mail service provider supports TLS, your email will be encrypted in transit, both to and from the Evernote service.

We protect all customer data flowing between our data center and the Google Cloud Platform using IPSEC with GCM-AES-128 encryption or TLS.

Encryption at Rest

In late 2016, we began migrating the Evernote service to the Google Cloud Platform (“GCP”). Customer data that we store in GCP will be protected using Google’s built-in encryption-at-rest features. More technically, we use Google's server-side encryption feature with Google-managed encryption keys to encrypt all data at rest using AES-256, transparently and automatically. You can find additional information on how encryption at rest protects your data here.

Resiliency / Availability

We operate a fault tolerant architecture to ensure that Evernote is there when you need it.

In our both our physical data centers and our cloud infrastructure, this includes:

• Diverse and redundant Internet connections
• Redundant network infrastructure including switches, routers, and firewalls
• Redundant application load balancers
• Redundant servers and virtual instances
• Redundant underlying storage

Both Google and our colocation vendor provide fault tolerant facility services including: power, HVAC, and fire suppression.

We provide live and historical status updates on our service availability here: https://twitter.com/evernotestatus and http://status.evernote.com.

We back up all customer content at least once daily. We do not utilize portable or removable media for backups.

Physical Security

We operate the Evernote service using a combination of cloud services and physical data centers.

For our data centers, we secure our infrastructure in a private, locked cage that includes 24x7x365 monitoring. Access to these data centers requires at a minimum, two-factors of authentication, but may include biometrics as a third factor. Each of our data centers has undergone a SOC-1 Type 2 audit, attesting to their ability to physically secure our infrastructure. Only Evernote operations personnel and data center staff have physical access to this infrastructure and our operations team is alerted each time someone accesses our cage, including a video record of the event.

For our cloud services, we use the Google Cloud Platform. Google has undergone multiple certifications that attest to its ability to physically secure Evernote’s data. You can read more about Google Cloud Platform’s security here.

All Evernote data resides inside the United States.

Privacy and Compliance

Please see our privacy center for more information. We do not publish a Service Organization Control (“SOC”) report.

Have you ever asked yourself “is my data in Evernote secure?” If not, you are not alone. Most Evernote users don’t. However, the price of ignorance can be high.

If you, like me, are using Evernote to store all kinds of bits of information you grow very dependent on this service over time. You store everything from meeting minutes to newspaper articles and clothing sizes. All this amounts to valuable information, both measured in invested time and practical usefulness. Here is how you can protect that investment.

What are cloud services

Let’s start with a look at what cloud services really are. Services like Evernote, Todoist, and Google Drive are popularly referred to as the cloud. The technical term is SaaS, short for Software as a Service. Basically, this means that you are paying a monthly fee for a company to access their software on their servers.

Most cloud service companies rent their servers from a 3rd-party company like Amazon Web Services (AWS) or Google Cloud Platform. AWS had a 47% market share in 2017. Google, the giant in so many other markets, had only 4% of this market. Evernote started using the Google Cloud Platform in 2016. For you as an end user, using a third-party service like this means three things:

1. Your data is more secure in terms of protection from hacking and viruses since companies like this have a more professional attitude when it comes to keeping their servers and infrastructure updated, compared to a small software company with a server in the basement.
2. For the same reason as above, servers owned by these companies tend to have a much higher uptime. This means that you, for all practical purposes, have access to your data 24/7.
3. The only downside is that your data are stored at a third party, meaning that you have less control over your data.

The first thing to know is that your data is safe only as long as the SaaS company pay their bills. At the moment they don’t, your data is probably lost forever. Like in any other market, a number of SaaS companies has ceased to exist. I have only experienced this once. In this case, I saw the signs early and stopped using their services before they closed down.

If you want to learn about my experience with Iqtell, read the below blog post.

Why I went from IQTell to Todoist

About Evernote cooperation

Evernote cooperation was founded in 2007. 10 years later, they passed 220 million users. More than five billion notes have been created during those ten years. See more about Evernote in numbers. Evernote has a substantial financial backing. Even after a 40% price hike in 2016, the number of users is growing steadily.

I would like to point out that I think Evernote is a trustworthy company that does a good job of protecting their customer’s data and keeping Evernote secure. You can read more about Evernote security here.

Things that you should not store in Evernote

Before getting into details about how to make Evernote secure, here are some common sense about what you should not store in Evernote or any kind of cloud service.

• Social security numbers
• Picture of your passport
• Medical information
• Usernames and passwords (should be stored only in dedicated, secured password managers)

What you can do to make Evernote secure

Start by paying for Evernote

The most important factor in keeping a cloud service secure is to pay for it. Security is a constant battle. To keep up with the latest threats, all companies need to use a portion of their revenue constantly updating their software.

Add two-step verification

Two-step verification adds an extra layer of protection to your account. Whenever you sign in to Evernote you have to enter both your password and a verification code. This verification code will be sent to your mobile device via text message or an authenticator app.

Keep your devices up to date and synchronized

Evernote Notebook View

Make sure that your computer and mobile devices run the latest version of the Evernote software. Also, make sure that they are synchronized. This is especially important to remember on your computer since you have to start the Evernote application in order to synchronize.

Store your data locally

The main reason I tell people to install Evernote on their Mac or PC is that this enables them to make a personal backup of their data completely outside of Evernote.

Read more about how to back up your Evernote data:

How to set up the ultimate cloud backup and synchronization

Manage the access to your Evernote account

I really like how Evernote integrates with other applications. However, you should be aware that this can be a potential security issue. An important step in keeping Evernote secure is to know which devices, applications, and services that have access to your data.

To see what applications and devices have access to your Evernote Account, go to Settings / Security / Applications. Revoke access to anything you do not strictly need. Remember to revoke all access for devices that you no longer use!

The same goes for services like Google etc. To see what services have access to your Evernote Account, go to Settings / Security / Services. Revoke access to anything you do not strictly need.

Log in with your email address and a unique password

If you log in to Evernote using your Google account service (see above), anyone with access to that account will automatically have access to your Evernote data.

Encrypt text in a note

Evernote does not let you encrypt an entire note or notebook. The only option you have is to encrypt text in a note. Encryption can only be done in Evernote for Windows and Evernote for Mac. To encrypt text, do the following:

Moleskine Evernote Notebook

1. Open a note and highlight the text you want to encrypt.
2. Right-click or control-click the highlighted text and select “Encrypt Selected Text.”
3. Enter a password and click OK.

To decrypt the text, click on the encrypted text and select ‘Show encrypted text’. You will be prompted for your password.

Create a local notebook

Local notebooks are a great alternative if you do not want your information to be stored on Evernote’s servers. When using a local notebook, please be aware of the following:

1. The notes in your local notebook will NOT be synchronized between your devices.
2. Your local notebook will only be as secure as your hard drive or mobile device.
3. Unless you make regular backups, this is data waiting to be lost.

Use common sense

No matter how much you do to make Evernote secure, no service will ever be 100% failsafe or secure. The following advice is applicable for everything on the internet, not only Evernote:

• Do not store anything online that might harm you or your business if it gets into the wrong hands.
• Do not store any data anywhere without a backup.
• Password protect any device with access to Evernote or other cloud services.

Sign up for Evernote Premium *

Disclosure: Links marked with * are affiliate links. This means that if you buy a product using this link, I may get a small commission. I would never recommend a product without trying it and liking it myself.