2020 update: Please note that this blog post is outdated.
First of all, thank you to everyone who has asked us question about use of your account information in Spark. Below, you can find a description of how Spark works as of now.
Almost all things in Spark happen on the device itself. However, there are some functions that require server side email processing to work. In Spark, these are:
1. Push Notifications about new emails.
2. Read Receipts.
3. Sending emails from Apple Watch.
Spark's server needs to check and send emails from your email account for these functions to work. And to achieve this, we need to store your email account's access token. For services with OAuth authentication, like Gmail or Outlook, it's special application specific token that you can revoke at any moment from your email account in the web. For services like Yahoo, AOL and Exchange accounts, this access token is your email login and password.
Given a choice, we would prefer to not have access to your login and password information, because it's a huge responsibility to store them safely. However, since many email services still haven't implemented OAuth, we have to.
To make everything as safe as possible, we are not using our own servers but rely on the most advanced and secure solution available in the industry — Amazon AWS. This is where almost any well known tech company — Dropbox and AirBnB, for example — is storing and processing their users' data.
All connections to our servers are protected with TLS. The Amazon AWS databases are encrypted, and to make things even more secure we additionally encrypt your password in the database. It makes it totally unreadable by a human being.
When you delete Spark from all your devices, we remove all your account information from our database as soon as we are aware.
This is pretty much it.