At Mindtickle, we take data security and privacy seriously. We constantly try to make sure that we meet our contractual and regulatory compliance obligations toward data protection.
Mindtickle is committed to ensuring the protection of our customers’ data and has implemented detailed controls through a security policy.
Our security policy comprehensively covers all the areas of the security program and processes implemented at organizational, technical, and cloud infrastructure levels for data protection.
The information security function is responsible for maintaining practices, changes, and commitments concerning confidentiality, integrity, availability, and privacy.
The data protection officer oversees data protection strategy and ensures compliance with data protection standards.
Information security and privacy policies are available on the company portal for employee reference and are reviewed annually.
The roles and responsibilities of the members of the information security organization are defined.
Information security and privacy policies are approved by management and cover processes and control activities required to address data protection risks.
Employees and contractors are required to undergo information security and privacy training upon hire and a refresher on an annual basis.
Applicable security and privacy requirements are identified through relevant legal, regulatory, and supervisory authorities, specialist security forums, and professional associations.
Risks are reviewed, classified, and tracked to closure by implementing controls consistent with the determined risk mitigation strategy and communicated to relevant stakeholders.
Data processing agreements are signed with the third parties with whom personal information is shared and include clauses for compliance with data protection laws, confidentiality and right-to-audit clauses, data retention, and access requirements.
Risks relevant to fraud, internal control, applicable laws, and customer commitment are identified through annual independent internal reviews and external risk assessments.
Third-party risk and contract reviews are performed during onboarding and renewal to ensure compliance with applicable data protection requirements.
During induction, a candidate background check is performed that includes verification of educational qualifications, prior employment records, address, and identity.
Office visitors record an entry in the visitor management system and are escorted by authorized employees.
An access card-based physical access control system is installed at entry points to office premises.
Cloud infrastructure facilities have temperature and humidity control and monitoring systems along with water detection and removal systems.
Upon joining, employees and contractors sign an employment agreement containing obligations related to confidentiality and non-disclosure of proprietary information.
Closed-circuit television (CCTV) cameras record physical entry points to office premises.
Cloud infrastructure facilities have smoke detectors, fire extinguishers, and suppression systems.
Cloud infrastructure facilities are power redundant and have a backup power supply.
Application owners grant or revoke access rights to individuals after evaluating job roles, responsibilities, level of access, business requirement, and access duration.
Single sign-on and multi-factor authentication are mandated wherever possible.
Users are forced to change their password at first login and are required to change the password every 90 days, wherever possible.
Application owners perform quarterly access reviews and take necessary corrective actions.
Limited individuals and teams are granted minimum required access to sensitive resources, customers, and personal information in the production environment through group-based identity and access management permissions.
The password policy, wherever possible, mandates alphanumeric passwords of at least eight characters containing at least one special character, one lower-case letter, and one upper-case letter.
Access rights are reviewed upon role change and updated as per the new job responsibilities.
All access rights are revoked on the last working day of employees and contractors.
Endpoint protection software is installed on laptops and desktops for safeguarding against viruses, malware, ransomware, web threats, blocked websites, malicious traffic, and potentially unwanted applications.
Installation of unauthorized and malicious software is restricted on laptops and desktops.
Laptops are configured with an operating system session timeout of 15 minutes.
Malicious activities and critical events identified by the endpoint protection software raise configured alerts, and corrective actions are taken as part of monthly reviews.
Data wipe is performed for allocated assets on the last working day of employees and contractors.
Laptops are managed through a mobile device management (MDM) solution for performing data wipes and pushing operating system policies.
Product releases follow an agile software development lifecycle and go through design, development, and QA testing approvals before deploying to production.
Privacy by design is integrated into the product development lifecycle and release checklist.
Product changes are pushed to the staging environment for obtaining relevant sign-offs and undergo quality assurance testing before deploying to the production environment.
Customer data is not used for testing in the development and staging environments.
Security by design is integrated into the product development lifecycle and release checklist.
Separate teams manage development, testing, and deployment activities to maintain the segregation of duties.
Development, staging, and production environments are maintained separately using a logically isolated virtual private cloud.
Customer data stored in cloud infrastructure is encrypted at rest with AES-256 using AWS Server-Side Encryption (SSE).
Access to cloud infrastructure is secured using TLS encryption and multi-factor authentication over a virtual private network.
Laptops are encrypted using BitLocker on Windows devices and FileVault on macOS devices.
Data communication with servers is encrypted through HTTPS over TLS 1.2 or SFTP over SSH2 with 2048-bit RSA encryption.
Encryption keys used for certificate generation are rotated annually, and previous key pairs are deleted when no longer needed.
Emails are signed using DKIM and authenticated using SPF and DMARC to prevent email address spoofing.
A web application firewall is configured in the production environment to prevent attacks and breaches through data exfiltration.
Virtual private cloud and load balancers enforce the boundaries of computing clusters in the production environment.
Emails are configured with protection against zero-day threats, ransomware, malware, phishing, and spam.
Firewalls are configured at a load balancer level to restrict access and communication with external systems.
Baseline configuration for cloud infrastructure is maintained through the CIS benchmark.
A vulnerability management service is deployed to continuously find vulnerabilities in operating systems and programming language packages.
A software composition analysis tool is run during code deployment to find vulnerabilities in third-party and open-source software packages.
Application and infrastructure events are logged, and services are monitored for error rate, availability, performance, response time, anomalies, and usage.
Static application security testing is performed during code deployment to find vulnerabilities in the application code.
External penetration testing is performed annually for the platform, which includes web and mobile apps, network endpoints, and APIs.
The audit trail records the timestamp, IP address, application name, specific action taken, and request metadata.
Application data stored in the cloud infrastructure is backed up hourly or replicated in real time across availability zones.
Business continuity plans are maintained to achieve a Recovery Time Objective (RTO) of 12 hours and a Recovery Point Objective (RPO) of 1 hour.
Application processing infrastructure is replicated across availability zones.
Disaster recovery testing is performed annually to review the business continuity and emergency response plans.
Data processing agreements with third parties have clauses to report suspected or actual breaches.
Reported security incidents and privacy breaches are analyzed to identify the impact, and corrective and preventive steps are taken to fix the root cause.
Security incidents and privacy breaches are communicated to relevant stakeholders, data subjects, customers, and business partners.
Incidents affecting security and privacy are reported to the information security team.
An incident review meeting is conducted to discuss the root cause and formalize corrective, preventive, and detective actions.
Liability insurance is maintained for security breaches and data protection loss.
Personal information provided by customers is processed using performance of a contract as the legal basis.
Customers are informed of the type of personal information collected and the methods of collection through the privacy policy and data processing agreements.
Customer data is retained throughout the contract and kept inactive for 180 days after the contract termination date or as per the agreed time duration.
A data processing agreement covering the purpose is offered to customers before collecting personal information.
Customers are provided with an option to select personal information fields to be collected from their users.
Customer data is wiped using irreversible data deletion techniques provided by the data storage services.
The privacy policy provides information about contacting the privacy team or third-party dispute resolution provider with inquiries, complaints, and disputes.
Personal information is retained only for the duration necessary to fulfill the purposes covered in the legal basis of processing.
Personal information is accessed by limited individuals or provided to third parties for the specific purposes mentioned in the consent, privacy policy, and data processing agreements.
Minimum personal information is collected as required for the purposes listed in the privacy policy.
© 2024 Mindtickle Inc. All rights reserved.