Security Policy

At Mindtickle, we take data security and privacy seriously. We continually work to ensure that we meet our contractual and regulatory compliance obligations toward data protection.

Mindtickle is committed to ensuring the protection of our customers’ data and has implemented detailed controls through a security policy.

Our security policy comprehensively covers all the areas of the security program and processes implemented at organizational, technical, and cloud infrastructure levels for data protection.

Governance and Policies

Information Governance

Information Security Function

The information security function is responsible for maintaining practices, changes, and commitments concerning confidentiality, integrity, availability, and privacy.

Roles and Responsibilities

The roles and responsibilities of the members of the information security organization are defined.

Data Protection Officer

The data protection officer oversees data protection strategy and ensures compliance with data protection standards.

Security and Privacy Policies

Information security and privacy policies are approved by management and cover processes and control activities required to address data protection risks.

Policy Communication

Information security and privacy policies are available on the company portal for employee reference and are reviewed annually.

Training and Awareness

Employees and contractors are required to undergo information security and privacy training upon hire and a refresher on an annual basis.

Risk Management

Risk Identification

Applicable security and privacy requirements are identified through relevant legal, regulatory, and supervisory authorities, specialist security forums, and professional associations.

Internal and External Reviews

Risks relevant to fraud, internal control, applicable laws, and customer commitment are identified through annual independent internal reviews and external risk assessments.

Risk Mitigation and Communication

Risks are reviewed, classified, communicated to relevant stakeholders, and tracked to closure by implementing controls consistent with the chosen risk mitigation strategy.

Third Party Risk Management

Third-party risk and contract reviews are performed during onboarding and renewal to ensure compliance with applicable data protection requirements.

Data Processing Agreements

Data processing agreements are signed with the third parties with whom personal information is shared and include clauses covering compliance with data protection laws, confidentiality, right to audit, data retention, and access requirements.

Organizational Security

Background Check

During induction, a candidate background check is performed that covers verification of educational qualifications, prior employment records, address, and identity.

Employment Agreement

Upon joining, employees and contractors sign an employment agreement containing obligations related to confidentiality and non-disclosure of proprietary information.

Visitor Management

Office visitors are recorded in the visitor management system and are escorted by authorized employees.

CCTV Monitoring

Closed-circuit television (CCTV) cameras record physical entry points to office premises.

Access Controlled Entry

An access-card-based physical access control system is installed at entry points to office premises.

Fire Detection and Control

Cloud infrastructure facilities have smoke detectors, fire extinguishers, and suppression systems.

Temperature, Humidity and Water

Cloud infrastructure facilities have temperature and humidity control and monitoring systems along with water detection and removal systems.

Power Backup

Cloud infrastructure facilities are power redundant and have a backup power supply.

Access Management

Endpoint Security

Malware Protection

Endpoint protection software is installed on laptops and desktops to safeguard against viruses, malware, ransomware, web threats, malicious traffic, and potentially unwanted applications, and to block prohibited websites.

Malicious Activity Review

Malicious activity and critical events identified by the endpoint protection software raise configured alerts, and corrective actions are taken as part of monthly reviews.

Software Installations

Installation of unauthorized and malicious software is restricted on laptops and desktops.

Data Wipe

Allocated assets are wiped on the last working day of employees and contractors.

Session Timeout

Laptops are configured with an operating system session timeout of 15 minutes.

Mobile Device Management

Laptops are managed through a mobile device management (MDM) solution for performing data wipes and pushing operating system policies.

Product Development

Product Lifecycle

Product releases follow an agile software development lifecycle and go through design, development, and QA testing approvals before deploying to production.

Security By Design

Security by design is integrated into the product development lifecycle and release checklist.

Privacy By Design

Privacy by design is integrated into the product development lifecycle and release checklist.

Segregation of Duties

Separate teams manage development, testing, and deployment activities to maintain the segregation of duties.

Quality Assurance

Product changes are pushed to the staging environment, where they obtain the relevant sign-offs and undergo quality assurance testing, before being deployed to the production environment.

Environment Separation

Development, staging, and production environments are maintained separately using a logically isolated virtual private cloud.

Use of Customer Data

Customer data is not used for testing in the development and staging environments.

Cryptographic Controls

Encryption at Rest

Customer data stored in cloud infrastructure is encrypted at rest with AES-256 using AWS Server-Side Encryption (SSE).

Encryption in Transit

Data communication with servers is encrypted using HTTPS over TLS 1.2 or SFTP over SSH2 with 2048-bit RSA keys.

Encrypted Access

Access to cloud infrastructure is secured using TLS encryption and multi-factor authentication over a virtual private network.

Encryption Keys

Encryption keys used for certificate generation are rotated annually, and previous key pairs are deleted when no longer needed.

Laptop Encryption

Laptops are encrypted using BitLocker on Windows devices and FileVault on macOS devices.

Email Encryption

Outbound emails are signed using DKIM and authenticated using SPF and DMARC to prevent sender address spoofing.

Cloud Security

Web Application Firewall

A web application firewall is configured in the production environment to block attacks and prevent breaches through data exfiltration.

Defence in Depth

Firewalls are configured at a load balancer level to restrict access and communication with external systems.

Virtual Private Cloud

Virtual private cloud and load balancers enforce the boundaries of computing clusters in the production environment.

Hardening and Baselining

The baseline configuration for cloud infrastructure is maintained against CIS benchmarks.

Email Security

Emails are configured with protection against zero-day threats, ransomware, malware, phishing, and spam.

Product Security

Vulnerability Monitoring

A vulnerability management service is deployed to continuously find vulnerabilities in operating systems and programming language packages.

Secure Code Review

Static application security testing is performed during code deployment to find vulnerabilities in the source code.

Third Party Vulnerabilities

A software composition analysis tool is run during code deployment to find vulnerabilities in third-party and open-source software packages.

Penetration Testing

External penetration testing is performed annually for the platform, which includes web and mobile apps, network endpoints, and APIs.

Logging and Monitoring

Application and infrastructure events are logged, and services are monitored for error rate, availability, performance, response time, anomalies, and usage.

Audit Trails

Audit trail records capture the timestamp, IP address, application name, specific action taken, and request metadata.

Business Continuity

Data Backup

Application data stored in the cloud infrastructure is backed up hourly or replicated in real-time across availability zones.

Availability Zone Replication

Application processing infrastructure is replicated across availability zones.

Recovery Objectives

Business continuity plans are maintained to achieve a Recovery Time Objective (RTO) of 12 hours and a Recovery Point Objective (RPO) of 1 hour.

Disaster Recovery Testing

Disaster recovery testing is performed annually to review the business continuity and emergency response plans.

Incident Management

Third Party Breaches

Data processing agreements with third parties have clauses to report suspected or actual breaches.

Incident Reporting

Incidents affecting security and privacy are reported to the information security team.

Incident Resolution

Reported security incidents and privacy breaches are analyzed to identify the impact, and corrective and preventive steps are taken to fix the root cause.

Incident Postmortem

An incident review meeting is conducted to discuss the root cause and formalize corrective, preventive, and detective actions.

Incident Communication

Security incidents and privacy breaches are communicated to relevant stakeholders, data subjects, customers, and business partners.

Data Breach Insurance

Liability insurance is maintained for security breaches and data protection loss.

Customer Data Privacy

Legal Basis of Processing

Personal information provided by customers is processed on the legal basis of performance of a contract.

Data Processing Agreement

A data processing agreement covering the purpose is offered to customers before collecting personal information.

Type of PII Collection

Customers are informed of the type of personal information collected and the methods of collection through the privacy policy and data processing agreements.

Control over PII Collection

Customers are provided with an option to select personal information fields to be collected from their users.

Data Retention

Customer data is retained throughout the contract and kept inactive for 180 days after the contract termination date or as per the agreed time duration.

Data Deletion

Customer data is wiped using irreversible data deletion techniques provided by the data storage services.

Data Subject Privacy

Privacy Policy

The privacy policy provides information about contacting the privacy team or third-party dispute resolution provider with inquiries, complaints, and disputes.

Purpose Limitation

Personal information is accessed only by a limited set of individuals, or provided to third parties, for the specific purposes stated in the consent, privacy policy, and data processing agreements.

Storage Limitation

Personal information is retained only for the duration necessary to fulfill the purposes covered in the legal basis of processing.

Data Minimization

Only the minimum personal information required for the purposes listed in the privacy policy is collected.