Technical and Organizational Security Measures

Measures of pseudonymization and encryption of personal data

  • All customer data, including personal data, transmitted to or accessed from the Mindtickle platform through a web browser, mobile application, APIs, data connector, and integrations is encrypted through an HTTPS connection over TLS 1.2 using SHA-256 with 2048-bit RSA encryption.
  • User sync through Secure File Transfer Protocol (SFTP) is performed over the SSH2 secure tunneling protocol with 2048-bit RSA encryption.
  • All customer data, including personal data, stored in primary and backup storage of our cloud infrastructure is encrypted at rest with AES-256 encryption.
  • AWS Key Management System (KMS) managed Server-Side Encryption (SSE) keys are used to encrypt data in our cloud infrastructure. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect keys that cannot be retrieved from the service by anyone or transmitted beyond the AWS regions where they were created.
  • Laptops and workstations are encrypted with full disk encryption using FileVault on macOS and BitLocker on Windows, with keys managed through an MDM solution.
  • Information stored in activity logs and databases is pseudonymized wherever possible using a unique randomized user identifier that cannot be back-traced to a specific data subject.

Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services

  • All customer data, including personal data, transmitted to or accessed from the Mindtickle platform through a web browser, mobile application, APIs, data connector, and integrations is encrypted through an HTTPS connection over TLS 1.2 using SHA-256 with 2048-bit RSA encryption.
  • User sync through Secure File Transfer Protocol (SFTP) is performed over the SSH2 secure tunneling protocol with 2048-bit RSA encryption.
  • All customer data, including personal data, stored in primary and backup storage of our cloud infrastructure is encrypted at rest with AES-256 encryption.
  • Upon joining, all new hires are required to sign confidentiality agreements. Further, employees with access to customer data undergo a background check that includes verification of references, education records, professional experience, national identity, and drug and criminal records, as permitted by local laws.
  • All employees are required to undergo information security and privacy training on an annual basis.
  • Only authorized roles, as defined in the Role-Based Access Control (RBAC), are allowed to access systems processing customer and personal data using a unique username and an alphanumeric password that has at least 8 characters with one special, one lower case, and one upper case character.
  • Only limited individuals are granted access to cloud infrastructure hosting customer and personal data based on the principle of least privilege.
  • As part of the employee and contractor offboarding process, all accesses are revoked and data assets are securely wiped. Further, upon role change, the accesses are reviewed and modified aligned with job responsibilities.
  • Only internal systems allowed through security groups can communicate with applications processing customer and personal data. Further, firewalls are configured at a load balancer level to restrict access and communication with external systems.
  • Changes to the platform, software, applications, and infrastructure are made following the Software Development Life Cycle (SDLC) that includes code reviews and quality checks to ensure workflows designed to create, manage and retrieve personal data are implemented as per the design specifications.
  • Access to modify or delete log files is restricted and segregated such that users who perform privileged activities are unable to manipulate log files.
  • Backup of application data, databases, file contents, and audit logs is performed as per the backup policy that defines the backup scope, frequency, redundancy, failure monitoring, corrective action, retention, restoration, and archival.
  • Personal data stored as part of user-submitted or recorded content, user profile media, and analytics data is uploaded on cloud storage that is automatically replicated in multiple availability zones physically separate from each other within a geographic region and backed up in another geographic region for disaster recovery.
  • Personal data stored as part of the user profile, user progression, and analytics data is uploaded on cloud databases that are automatically replicated in multiple availability zones physically separate from each other within a geographic region and backed up in another geographic region for disaster recovery.
  • A business continuity and disaster recovery plan is defined and follows a Recovery Time Objective (RTO) of 12 hours and a Recovery Point Objective (RPO) of 1 hour. In addition, an independent third-party audit is performed on an annual basis to conduct disaster recovery testing and validate the effectiveness of the business continuity plan.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • Physical and technical events adversely impacting platform security, confidentiality, integrity, availability, and privacy are handled in accordance with the incident management policy.
  • Backup of application data, databases, file contents, and audit logs is performed as per the backup policy that defines the backup scope, frequency, redundancy, failure monitoring, corrective action, retention, restoration, and archival.
  • Personal data stored as part of user-submitted or recorded content, user profile media, and analytics data is uploaded on cloud storage that is automatically replicated in multiple availability zones physically separate from each other within a geographic region and backed up in another geographic region for disaster recovery.
  • Personal data stored as part of the user profile, user progression, and analytics data is uploaded on cloud databases that are automatically replicated in multiple availability zones physically separate from each other within a geographic region and backed up in another geographic region for disaster recovery.
  • A business continuity and disaster recovery plan is defined and follows a Recovery Time Objective (RTO) of 12 hours and a Recovery Point Objective (RPO) of 1 hour. In addition, an independent third-party audit is performed on an annual basis to conduct disaster recovery testing and validate the effectiveness of the business continuity plan.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

  • Service Organization Control 2 (SOC2) Type 2 assurance audit of platform and processes is performed annually against the Security, Confidentiality, Availability, and Privacy Trust Service Principles and Criteria as per International Standard on Assurance Engagements (ISAE) 3000 to obtain an independent opinion on the suitability of the design and operating effectiveness of the implemented controls.
  • Vulnerability assessment and penetration testing of the web and mobile applications are performed annually through an independent third-party security auditor.
  • An independent third-party audit is performed on an annual basis to conduct disaster recovery testing and to validate the effectiveness of the business continuity plan.
  • Internal security and privacy controls are defined considering the customer contractual commitments, privacy laws, applicable regulations, and generally accepted industry practices.
  • Risk assessment of technical and organizational measures is performed annually to test, assess and evaluate the effectiveness of internal security and privacy controls. Risk assessment activity includes identifying internal and external threats to operations, analyzing associated security and privacy risks, identifying the impact with relevant stakeholders, determining risk mitigation strategy, and deploying controls consistent with the determined risk mitigation strategy.
  • Sub-processors undergo onboarding due diligence and annual review to ensure compliance with security and privacy requirements, service level agreements, laws, and regulations. In addition, sub-processors are required to sign a Data Processing Agreement (DPA) that includes compliance with data protection laws, confidentiality and right to audit clauses, data retention, and access requirements.

Measures for user identification and authorization

  • Accounts with access to systems processing customer and personal data are unique, mapped to individuals, and not shared between users.
  • Only authorized roles, as defined in the Role-Based Access Control (RBAC), are allowed to access systems processing customer and personal data using a unique username and an alphanumeric password that has at least 8 characters with one special, one lower case, and one upper case character.
  • Single Sign-On (SSO) and multi-factor authentication such as one-time password, authentication key codes, or device-based authentication are utilized wherever possible.
  • Only limited individuals are granted access to cloud infrastructure hosting customer and personal data based on the principle of least privilege using Lightweight Directory Access Protocol (LDAP) groups mapped to the IAM access permissions. Applications are granted access to customer and personal data using Identity and Access Management (IAM) policies.
  • Only internal systems allowed through security groups can communicate with applications processing customer and personal data. Further, firewalls are configured at a load balancer level to restrict access and communication with external systems.
  • Access to modify or delete log files is restricted and segregated such that users who perform privileged activities are unable to manipulate log files.
  • The Mindtickle platform authenticates users through an account mapped to a unique email ID or through SSO integration with an Identity Provider using SAML 2.0, and provides Role-Based Access Control (RBAC) functionality to restrict platform access.

Measures for the protection of data during transmission

  • All customer data, including personal data, transmitted to or accessed from the Mindtickle platform through a web browser, mobile application, APIs, data connector, and integrations is encrypted through an HTTPS connection over TLS 1.2 using SHA-256 with 2048-bit RSA encryption.
  • User sync through Secure File Transfer Protocol (SFTP) is performed over the SSH2 secure tunneling protocol with 2048-bit RSA encryption.

Measures for the protection of data during storage

  • All customer data, including personal data, stored in primary and backup storage of our cloud infrastructure is encrypted at rest with AES-256 encryption.
  • AWS Key Management System (KMS) managed Server-Side Encryption (SSE) keys are used to encrypt data in our cloud infrastructure. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect keys that cannot be retrieved from the service by anyone or transmitted beyond the AWS regions where they were created.
  • Laptops and workstations are encrypted with full disk encryption using FileVault on macOS and BitLocker on Windows, with keys managed through an MDM solution.

Measures for ensuring the physical security of locations at which personal data are processed

  • Datacenter access requests are reviewed and approved based on the principle of least privilege, and time-bound multi-factor authenticated access is granted to specific data layer areas.
  • Datacenter visitors are required to wear an identification badge, make an entry in the access register, and be escorted by authorized staff.
  • Physical access to data centers is logged, monitored, and reviewed periodically to ensure access appropriateness.
  • Physical access points to server rooms are recorded by a Closed Circuit Television Camera (CCTV) and guarded by security staff.
  • Electronic intrusion detection and sound alarm systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents.
  • Data centers are fully power redundant with backup power supply and use mechanisms to monitor and control temperature, humidity, and water leaks. Further, data centers are equipped with smoke detection sensors and fire suppression equipment.
  • Physical entry points to office premises are recorded by a Closed Circuit Television Camera (CCTV) and have an access card verification system at every door, allowing only authorized employees to enter the office premises.
  • Office visitors record an entry in the visitor management system and are escorted by authorized employees.

Measures for ensuring events logging

  • Events and audit trails related to platform and system access are logged, monitored, and reviewed periodically.
  • Audit logs maintain detailed information such as timestamps, IP address, application name, specific action taken, request metadata, etc., and are retained for one year.
  • Notification alerts are sent based on the rules configured in the monitoring systems to identify anomalies, suspicious network behavior, abnormal activities, and threats.

Measures for ensuring system configuration, including the default configuration

  • Baseline systems are selected with hardened security configuration such as restricted remote access only with SSH, disabled remote root login, reduced number of non-critical packages, kernel live patching, and automatic installation of important security updates during initial boot.
  • Baseline systems with hardened security configuration and vulnerability fixes are used in the production environment.
  • After the version upgrade of the operating system, Amazon Inspector scans are performed, vulnerabilities are remediated, and updated virtual machine images are finalized as baseline systems.
  • Amazon Inspector scans are run on the production systems periodically to identify any new vulnerabilities and remediate them in the affected and baseline systems.
  • Cloud infrastructure configuration is regularly checked against the CIS benchmark containing security configuration best practices.
  • Mindtickle maintains segregation between development, testing, staging, and production environments. Further, data of one customer is logically segregated from other customers using a unique ID associated with each customer. This unique ID persists throughout the data lifecycle and is enforced at each layer of the platform.

Measures for internal IT and IT security governance and management

  • The Mindtickle organization has defined structures, reporting lines with assigned authority, and responsibilities to appropriately meet business objectives ensuring proper segregation of duties, including an information security function headed by the Chief Information Security Officer responsible for ensuring security, availability, confidentiality, and privacy at Mindtickle.
  • There exists an Information Security Team headed by the Chief Information Security Officer. The roles and responsibilities of the members of the information security organization are defined.
  • Mindtickle has formally appointed a data protection officer responsible for overseeing data protection strategy and ensuring compliance with data protection standards.
  • A management committee meeting is held every quarter to discuss and amend the information security processes at Mindtickle.
  • A meeting between the management and the Board of Directors is conducted quarterly to communicate, review and discuss the external assessment results and information needed to fulfill their roles with respect to Mindtickle’s objectives.
  • Mindtickle has defined information security and privacy policies considering customer contractual commitments and applicable data protection laws and regulations for handling and protecting data. These policies are reviewed on an annual basis and are available on the company portal for employee reference.

Measures for certification/assurance of processes and products

  • Service Organization Control 2 (SOC2) Type 2 assurance audit of platform and processes is performed annually against the Security, Confidentiality, Availability, and Privacy Trust Service Principles and Criteria as per International Standard on Assurance Engagements (ISAE) 3000 to obtain an independent opinion on the suitability of the design and operating effectiveness of the implemented controls.
  • Mindtickle complies with the applicable Data Processor requirements outlined in General Data Protection Regulation (GDPR) to help customers meet their obligations as Data Controllers.
  • Mindtickle is certified as Level 1 with Security, Trust and Assurance Registry (STAR), an Open Certification Framework developed by Cloud Security Alliance (CSA) to provide assurance of security processes within Cloud Computing.

Measures for ensuring data minimization

  • The minimum personal data required by the Mindtickle platform is the business email ID to provide a unique user account.
  • Customers have an option to configure the data fields that will be collected from their users and an ability to modify or delete personal data as and when required through the admin site.
  • Information stored in activity logs and databases is pseudonymized wherever possible using a unique randomized user identifier that cannot be back-traced to a specific data subject.
  • Only the minimum required personal data is shared with third parties to provide services to the customers.

Measures for ensuring data quality

  • Customers have an option to configure the data fields that will be collected from their users and an ability to modify or delete personal data as and when required through the admin site.
  • Customers can export personal data records to perform data quality checks and perform necessary corrections in the platform.

Measures for allowing data portability and ensuring erasure

  • Customers have an option to configure the data fields that will be collected from their users and an ability to modify or delete personal data as and when required through the admin site.
  • Customers can export the personal data uploaded on the platform through reports or using programmatic APIs.
  • Personal data is retained as per the contractual terms agreed with the customers and as required by the laws.
  • Audit logs containing personal data are retained for one year and are thereafter either pseudonymized or deleted.
  • Personal data records are removed through a secure data deletion process that irreversibly destroys the data.
  • Data processing agreements that include data retention requirements are signed with the third parties with whom minimum required personal data is shared to provide services to the customers.