Mindmarker Security

GDRP Processor Security Controls

Mindmarker is a successful service provider with customers in many countries and takes the protection of its customers’ data very seriously. In order to provide an enhanced level of protection, Mindmarker has invested in a high level of information security and has also adopted the best practice controls defined in a number of information security codes of practice.

A key component of these controls is the clear definition of the split of responsibilities between the service provider and customer. It is also important that the technical, procedural and physical controls implemented by Mindmarker as part of its services are understood by the customer so that an informed assessment of the risks to its personal data can be made.

This is particularly important in the context of the European Union General Data Protection Regulation (GDPR) which places a number of obligations on the processor of personal data which must be contractually required by the controller.

The purpose of this document is to describe in outline the controls that are in place, or are offered on an optional basis, within our processing environment.

Processing Service Specifications

The following information is provided in order to help our customers make an informed choice about the level of information security they believe is needed to protect the personal data they place with us, based on an assessment of risk for their particular business, industry and set of circumstances.

The information provided is intended to reflect an appropriately useful level of detail about our security defences, without divulging specifics that may be of value to an attacker. Further detail may be available to authorized customers under a non-disclosure agreement on request.

Information security policies

Mindmarker information security policies are written to take account of the specific needs of providing cloud services including:

  • Extensive use of virtualization
  • The multi-tenanted nature of our services
  • Risks from authorized insiders
  • Protection of cloud customer data
  • The need for effective communication with our customers

All policies are version-controlled, authorized and communicated to all relevant employees and contractors.

Organisation of information security

Roles and responsibilities for the management of the cloud environment are clearly defined as part of contract negotiation so that customer expectations are aligned appropriately with the way that service will be delivered.

In addition, a clear split of responsibilities between Mindmarker and our suppliers, including cloud service providers that supply supporting services, is established and maintained.

Human resource security

A comprehensive program of awareness training is delivered on an ongoing basis to all Mindmarker employees to emphasize the need to protect customer cloud data appropriately. We also require our contractors to provide appropriate awareness training to all relevant employees.

Asset management

An audited procedure is in place for the return and removal of cloud customer assets when appropriate. This procedure is designed to assure the protection of customer data in general and particularly personal data.

Access control

We provide a comprehensive, user-friendly administration interface to authorized customer administrators that allows them to control access at the service, function and data level. User registration and deregistration and access rights management is achieved via this interface.

Documented procedures for the allocation and management of secret authentication information, such as passwords, ensure that this activity is conducted in a secure way.

The use of utility programs within the customer cloud environment by Mindmarker employees is strictly controlled and audited on a regular basis.

Where we operate a multi-tenanted environment, cloud customer resources are subject to strict segregation from each other, so that no access is permitted to any aspect of another customer’s environment, including settings and data.

Virtual machine hardening, including the closing of un-needed ports and protocols, is implemented as standard practice and each virtual machine is configured with the same degree of protection for malware as physical servers.

Cryptography

Transactions between the user (including administrators) and the cloud environment are encrypted using TLS by default. Customer data is encrypted at rest using keys managed by Mindmarker.

Physical and environmental security

Mindmarker has procedures in place for the secure disposal and reuse of resources when no longer required by the cloud customer. These procedures will ensure that customer data is not put at risk.

Operations security

Mindmarker makes customers aware of planned changes that will affect the customer cloud environment or services. This information is published regularly via

email to affected customer administrators and will include the type of change, scheduled date and time and, where appropriate, technical details of the change being made. Further notifications will be issued at the start and end of the change.

The capacity of the overall cloud environment is subject to regular monitoring by Mindmarker engineers to ensure that our capacity obligations can be fulfilled at all times.

Mindmarker ensures data is replicated and backed up in multiple durable encrypted data-stores. The retention period of backups depends on the nature of the data. Data is also replicated across availability zones and infrastructure locations in order to provide fault-tolerance as well as scalability and responsive recovery, when necessary.

In addition, the following policies have been implemented and enforced for data resilience:

  • Seven days worth of backups are kept for the production database in a way that ensures restoration can occur easily. Snapshots are taken and stored to a secondary service no less often than daily. All production data is stored on a distributed file storage facility.
  • Because we leverage private cloud services for hosting, backup and recovery, Mindmarker does not implement physical infrastructure or physical storage media within its organization. Mindmarker does also not generally produce or use other kinds of hard copy media (e.g., paper, tape, etc.) as part of making our products available to our customers.
  • By default, all backups will be protected through access control restrictions on Mindmarker product infrastructure networks, access control lists on the file systems storing the backup files and/or through database security protections.

Activity and transaction logs are recorded in the cloud environment and can be provided upon request to customer administrators. These include details of logins/logouts, data access and amendments/deletions.

The cloud environment is subject to regular vulnerability scanning using industry-standard tools. Critical security patches are applied in accordance with software manufacturers’ recommendations.

Operational activities which are deemed critical and in some cases irreversible (such as deletion of virtual servers) are subject to specially controlled procedures which ensure that adequate checking is performed prior to completion. We also recommend that customer put their own procedures in place in these areas.

System acquisition, development and maintenance

Secure development procedures and practices are used within Mindmarker, including separation of development, test and production environments, secure coding techniques, static code analysis and comprehensive security acceptance testing.

Supplier relationships

In the delivery of certain services, Mindmarker makes use of peer cloud service providers in a supply chain arrangement. These suppliers are subject to regular second party audit to ensure that they have defined objectives for information security and carry out effective risk assessment and treatment practices.

All supplier relationships are covered by contractual terms which meet the requirements of the GDPR.

Information security incident management

Where Mindmarker believes it is appropriate to inform the customer of an information security event (before it has been determined if it should be treated as an incident) we will do this to the nominated customer administrator or deputy. Similarly, the customer may report security events to our support desk where they will be logged and the appropriate action decided. Information about the progress of such events may be obtained from the support desk.

Mindmarker will report information security incidents to the customer where it believes that the customer service or data has or will be affected. We will do this to the nominated customer administrator or deputy as soon as reasonably possible and will share as much information about the impact and investigation of the incident as we believe to be appropriate for its effective and timely resolution. An incident manager will be appointed in each case who will act as the Mindmarker point of contact for the incident, including matters related to the capture and preservation of digital evidence if required.

We prioritise incident management activities to ensure that the timescale requirements of the GDPR for notification of breaches affecting personal data are met.

Information security aspects of business continuity management

Mindmarker plans for and regularly tests, its response to various types of disruptive incident that might affect cloud customer service. The architecture of our cloud services is designed to minimize the likelihood and impact of such an incident and we will make all reasonable efforts to avoid any impact on customer cloud services.

Compliance

The legal jurisdiction of the cloud service provided will depend upon the country in which the contract is made. Where the data of EU citizens is held, Mindmarker will comply with the requirements of the General Data Protection Regulation and/or the EU/USA Privacy Shield. Evidence of our compliance to these requirements is available on request.

Records collected by Mindmarker as part of its provision of the cloud service will be subject to protection in accordance with our information classification scheme and asset handling procedures.