Security Policy

At Mindtickle, we take data security and privacy seriously and work continuously to meet our contractual and regulatory compliance obligations for data protection.

Mindtickle is committed to ensuring the protection of our customers’ data and has implemented detailed controls through a security policy.

Our security policy comprehensively covers all the areas of the security program and processes implemented at organizational, technical, and cloud infrastructure levels for data protection.

Information Governance

Information Security Function

The information security function is responsible for maintaining practices, changes, and commitments concerning confidentiality, integrity, availability, and privacy.

Data Protection Officer

The data protection officer oversees data protection strategy and ensures compliance with data protection standards.

Policy Communication

Information security and privacy policies are available on the company portal for employee reference and are reviewed annually.

Roles and Responsibilities

The roles and responsibilities of the members of the information security organization are defined.

Security and Privacy Policies

Information security and privacy policies are approved by management and cover processes and control activities required to address data protection risks.

Training and Awareness

Employees and contractors are required to undergo information security and privacy training upon hire and a refresher on an annual basis.

Risk Management

Risk Identification

Applicable security and privacy requirements are identified through relevant legal, regulatory, and supervisory authorities, specialist security forums, and professional associations.

Risk Mitigation and Communication

Risks are reviewed, classified, and tracked to closure by implementing controls consistent with the determined risk mitigation strategy and communicated to relevant stakeholders.

Data Processing Agreements

Data processing agreements are signed with the third parties with whom personal information is shared and include clauses for compliance with data protection laws, confidentiality and right-to-audit clauses, data retention, and access requirements.

Internal and External Reviews

Risks relevant to fraud, internal control, applicable laws, and customer commitments are identified through annual independent internal reviews and external risk assessments.

Third Party Risk Management

Third-party risk and contract reviews are performed during onboarding and renewal to ensure compliance with applicable data protection requirements.

Organizational Security

Background Check

During induction, a background check of the candidate is performed that includes verification of educational qualifications, prior employment records, address, and identity.

Visitor Management

Office visitors record an entry in the visitor management system and are escorted by authorized employees.

Access Controlled Entry

An access-card-based physical access control system is installed at the entry points to office premises.

Temperature, Humidity and Water

Cloud infrastructure facilities have temperature and humidity control and monitoring systems along with water detection and removal systems.

Employment Agreement

Upon joining, employees and contractors sign an employment agreement containing obligations related to confidentiality and non-disclosure of proprietary information.

CCTV Monitoring

Closed-circuit television (CCTV) cameras record the physical entry points to office premises.

Fire Detection and Control

Cloud infrastructure facilities have smoke detectors, fire extinguishers, and suppression systems.

Power Backup

Cloud infrastructure facilities are power redundant and have a backup power supply.

Access Management

Access Permissions

Application owners grant or revoke access rights to individuals after evaluating job roles, responsibilities, level of access, business requirements, and access duration.

SSO and Multi-factor Authentication

Single sign-on and multi-factor authentication are mandated wherever possible.

Password Rotation

Users are forced to change their password at first login and are required to change the password every 90 days, wherever possible.

Access Review

Application owners perform quarterly access reviews and take necessary corrective actions.

Least Privileged Access

A limited set of individuals and teams is granted the minimum required access to sensitive resources, customer data, and personal information in the production environment, through group-based identity and access management permissions.

Password Policy

Wherever possible, the password policy mandates alphanumeric passwords of at least eight characters that include at least one special character, one lowercase letter, and one uppercase letter.

Access Change

Access rights are reviewed upon role change and updated to match the new job responsibilities.

Access Removal

All access rights are revoked on the last working day of employees and contractors.

Endpoint Security

Malware Protection

Endpoint protection software is installed on laptops and desktops for safeguarding against viruses, malware, ransomware, web threats, blocked websites, malicious traffic, and potentially unwanted applications.

Software Installations

Installation of unauthorized and malicious software is restricted on laptops and desktops.

Session Timeout

Laptops are configured with an operating system session timeout of 15 minutes.

Malicious Activity Review

Malicious activities and critical events identified by the endpoint protection software are notified through configured alerts, and corrective actions are taken as part of monthly reviews.

Data Wipe

Data wipe is performed for allocated assets on the last working day of employees and contractors.

Mobile Device Management

Laptops are managed through a mobile device management (MDM) solution for performing data wipes and pushing operating system policies.

Product Development

Product Lifecycle

Product releases follow an agile software development lifecycle and go through design, development, and QA testing approvals before deploying to production.

Privacy By Design

Privacy by design is integrated into the product development lifecycle and release checklist.

Quality Assurance

Product changes are pushed to the staging environment for obtaining relevant sign-offs and undergo quality assurance testing before deploying to the production environment.

Use of Customer Data

Customer data is not used for testing in the development and staging environments.

Security By Design

Security by design is integrated into the product development lifecycle and release checklist.

Segregation of Duties

Separate teams manage development, testing, and deployment activities to maintain the segregation of duties.

Environment Separation

Development, staging, and production environments are maintained separately using a logically isolated virtual private cloud.

Cryptographic Controls

Encryption at Rest

Customer data stored in cloud infrastructure is encrypted at rest with AES-256 using AWS Server-Side Encryption (SSE).

Encrypted Access

Access to cloud infrastructure is secured using TLS encryption and multi-factor authentication over a virtual private network.

Laptop Encryption

Laptops are encrypted using BitLocker on Windows devices and FileVault on macOS devices.

Encryption in Transit

Data communication with servers is encrypted using HTTPS over TLS 1.2 or SFTP over SSH-2 with 2048-bit RSA keys.

Encryption Keys

Encryption keys used for certificate generation are rotated annually, and previous key pairs are deleted when no longer needed.

Email Encryption

Emails are signed using DKIM and authenticated using SPF and DMARC to prevent email address spoofing.

Cloud Security

Web Application Firewall

A web application firewall is configured in the production environment to prevent attacks and data breaches through exfiltration.

Virtual Private Cloud

Virtual private cloud and load balancers enforce the boundaries of computing clusters in the production environment.

Email Security

Emails are configured with protection against zero-day threats, ransomware, malware, phishing, and spam.

Defence in Depth

Firewalls are configured at a load balancer level to restrict access and communication with external systems.

Hardening and Baselining

The baseline configuration for cloud infrastructure is maintained according to the CIS Benchmarks.

Product Security

Vulnerability Monitoring

A vulnerability management service is deployed to continuously find vulnerabilities in operating systems and programming language packages.

Third Party Vulnerabilities

A software composition analysis (SCA) tool is run during code deployment to find vulnerabilities in third-party and open-source software packages.

Logging and Monitoring

Application and infrastructure events are logged, and services are monitored for error rate, availability, performance, response time, anomalies, and usage.

Secure Code Review

Static application security testing (SAST) is performed during code deployment to find vulnerabilities in the source code.

Penetration Testing

External penetration testing is performed annually for the platform, which includes web and mobile apps, network endpoints, and APIs.

Audit Trails

Audit trails record the timestamp, IP address, application name, specific action taken, and request metadata.

Business Continuity

Data Backup

Application data stored in the cloud infrastructure is backed up hourly or replicated in real time across availability zones.

Recovery Objectives

Business continuity plans are maintained to achieve a Recovery Time Objective (RTO) of 12 hours and a Recovery Point Objective (RPO) of 1 hour.

Availability Zone Replication

Application processing infrastructure is replicated across availability zones.

Disaster Recovery Testing

Disaster recovery testing is performed annually to review the business continuity and emergency response plans.

Incident Management

Third Party Breaches

Data processing agreements with third parties have clauses to report suspected or actual breaches.

Incident Resolution

Reported security incidents and privacy breaches are analyzed to identify the impact, and corrective and preventive steps are taken to fix the root cause.

Incident Communication

Security incidents and privacy breaches are communicated to relevant stakeholders, data subjects, customers, and business partners.

Incident Reporting

Incidents affecting security and privacy are reported to the information security team.

Incident Postmortem

An incident review meeting is conducted to discuss the root cause and formalize corrective, preventive, and detective actions.

Data Breach Insurance

Liability insurance is maintained for security breaches and data protection loss.

Customer Data Privacy

Legal Basis of Processing

Personal information provided by customers is processed on the legal basis of performance of a contract.

Type of PII Collection

Customers are informed of the type of personal information collected and the methods of collection through the privacy policy and data processing agreements.

Data Retention

Customer data is retained throughout the contract and kept in an inactive state for 180 days after the contract termination date, or for the contractually agreed duration.

Data Processing Agreement

A data processing agreement covering the purpose is offered to customers before collecting personal information.

Control over PII Collection

Customers are provided with an option to select personal information fields to be collected from their users.

Data Deletion

Customer data is wiped using irreversible data deletion techniques provided by the data storage services.

Data Subject Privacy

Privacy Policy

The privacy policy provides information about contacting the privacy team or third-party dispute resolution provider with inquiries, complaints, and disputes.

Storage Limitation

Personal information is retained only for the duration necessary to fulfill the purposes covered in the legal basis of processing.

Purpose Limitation

Personal information is accessed by limited individuals or provided to third parties for the specific purposes mentioned in the consent, privacy policy, and data processing agreements.

Data Minimization

Only the minimum personal information required for the purposes listed in the privacy policy is collected.