Enabling you to work securely and efficiently is why Push exists. We respect your privacy because it’s the right thing to do, and because privacy is an integral part of information security.
Here’s how we keep you and your data safe while using Push.
Your browsing activity is never sent to Push.
Push only monitors the online apps associated with your work email. We do not monitor your browsing history or your personal logins.
The Push browser extension shares the following information with your security team:
Push browser extension version
The URL of apps you log into using your work account
The account username associated with those logins
Basic details for the integrations you authorize using your Microsoft or Google work account, including the type of permissions granted to the integration. A common example would be an integration that accesses your work calendar in order to schedule meetings.
When you log into an app via your browser using your company username and a password, the extension also collects a shortened salted hash of your password, which is stored locally in the browser and never sent anywhere. This information is not shared with your security team.
Salting and hashing a password refer to the processes of adding additional random characters to a password before running it through an algorithm that converts the plain text into a long string of characters that obscures the original password. Essentially, this ensures that neither Push, your security team, an attacker, nor anyone else can view your passwords.
If you prefer to keep your work and personal browsing activity completely separate, we recommend using a separate browser profile for personal browsing.
Your passwords are never sent anywhere.
To find weak or reused passwords associated with your work accounts, Push performs local password hygiene checks within your browser to make sure you’re using a secure and unique password. Your passwords are never sent anywhere.
If your security team uses the Push feature to find passwords that have been exposed in a data breach, powered by the Have I Been Pwned service, only the first 5 characters of a password hash are sent to HIBP. The service never sees the full hash of the passwords being checked.
Learn more in our help articles:
How does the Push browser extension securely track reused passwords?
How does Push evaluate passwords containing words restricted by an administrator?
Your data belongs to you and your organization, not us.
Push collects only the data it needs to provide you with our service and nothing else. We do not sell your data, and we do not keep it any longer than is necessary. In GDPR terms, Push acts as the data processor, not the data controller.
Push does not prevent you from installing software or using apps.
Push cannot block you from installing software, using online apps, or adding browser extensions in accordance with your existing IT policies.
Your offline activity is your business.
Push only monitors logins to apps performed in your browser using your work account. It does not access or collect information about any other activity on your device, and cannot make any changes to your device.