Vendor Security Policy

Mindtickle has defined below technical and organizational measures that are contractually bound to all the vendors that are processing customer or organizational personally identifiable information (PII).

These measures are designed to ensure an appropriate level of security is implemented, considering the data processing’s nature, scope, context, and purpose and the risks to the rights and freedom of natural persons.

Measures of pseudonymization and encryption of personal data

  • All the Customer Data, including personal data transmitted through a web browser, mobile application, APIs, data connector, and integrations, is encrypted through HTTPS connection over TLS 1.2 using SHA-256 with 2048-bit RSA encryption.
  • All the Customer Data, including personal data stored in primary and backup storage, is encrypted at rest with AES 256 encryption.
  • Encryption keys with which Customer Data is encrypted shall be stored securely so that no one can retrieve keys from the service. In case the keys need to be retrieved, only limited individuals should be able to access those with specific authorization for a defined period. Further, the keys should be rotated at least on an annual basis.
  • Laptops and workstations storing and accessing customer data are encrypted with full disk encryption.
  • Information stored in activity logs and databases is pseudonymized wherever possible using a unique randomized user identifier that cannot be back-traced to a specific data subject.

Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services

  • All the Customer Data, including personal data transmitted through a web browser, mobile application, APIs, data connector, and integrations, is encrypted through HTTPS connection over TLS 1.2 using SHA-256 with 2048-bit RSA encryption.
  • All the Customer Data, including personal data stored in primary and backup storage, is encrypted at rest with AES 256 encryption.
  • All new hires with access to Customer Data must sign confidentiality agreements. Further, employees with access to Customer Data undergo a background check that includes verification of references, education records, professional experience, national identity, and drug and criminal records permitted as per local laws.
  • All employees with access to customer data are required to undergo information security and privacy training on an annual basis.
  • Only authorized roles, as defined in the Role-Based Access Control (RBAC), are allowed to access systems processing customer and personal data using a unique username and an alphanumeric password with at least eight characters with one special, one lowercase and one uppercase character.
  • Only limited individuals are granted access to infrastructure hosting customers and personal data based on the principle of least privilege and need-to-know basis.
  • As part of the employee and contractor offboarding process, all accesses are revoked, and data assets are securely wiped. Further, the accesses are reviewed, modified, and aligned with job responsibilities upon role change.
  • Only internal systems allowed through security groups can communicate with applications processing customer and personal data. Further, firewalls are configured to restrict access and communication with external systems.
  • Changes to the software, applications, and infrastructure are made following the Software Development Life Cycle (SDLC), which includes code reviews and quality checks to ensure workflows designed to create, manage and retrieve personal data are implemented as per the design specifications.
  • Access to modify or delete log files is restricted and segregated so that users who perform privileged activities cannot manipulate log files.
  • Backup of application data, databases, file contents, and audit logs is performed per the backup policy that defines the backup scope, frequency, redundancy, failure monitoring, corrective action, retention, restoration, and archival.
  • Customer data is automatically replicated in multiple availability zones physically separate from each other within a geographic region and backed up in another region for disaster recovery.
  • A business continuity and disaster recovery plan is defined and follows a Recovery Time Objective (RTO) of 12 hours and a Recovery Point Objective (RPO) of 1 hour. In addition, an independent third-party audit is performed annually to conduct disaster recovery testing and validate the effectiveness of the business continuity plan.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • The incident management policy handles physical and technical events that adversely impact customer data security, confidentiality, integrity, availability, and privacy.
  • Backup of application data, databases, file contents, and audit logs is performed per the backup policy that defines the backup scope, frequency, redundancy, failure monitoring, corrective action, retention, restoration, and archival.
  • Customer data is automatically replicated in multiple availability zones physically separate from each other within a geographic region and backed up in another region for disaster recovery.
  • A business continuity and disaster recovery plan is defined and follows a Recovery Time Objective (RTO) of 12 hours and a Recovery Point Objective (RPO) of 1 hour. In addition, an independent third-party audit is performed annually to conduct disaster recovery testing and validate the effectiveness of the business continuity plan.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

  • ISO 27001 or Service Organization Control 2 (SOC2) Type 2 assurance audit is performed annually to obtain an independent opinion on the suitability of the design and operating effectiveness of the implemented controls.
  • An independent third-party security auditor annually performs vulnerability assessment and penetration testing of the applications (web, mobile, etc.) and network infrastructure.
  • An independent third-party audit is performed annually to conduct disaster recovery testing and validate the effectiveness of the business continuity plan.
  • Internal security and privacy controls are defined considering the customer’s contractual commitments, privacy laws, applicable regulations, and generally accepted industry practices.
  • Risk assessment of technical and organizational measures is performed annually to test and evaluate the effectiveness of internal security and privacy controls. Risk assessment includes identifying internal and external threats to operations, analyzing associated security and privacy risks, identifying the impact with relevant stakeholders, determining risk mitigation strategy, and deploying controls consistent with the determined risk mitigation strategy.
  • Sub-processors undergo onboarding due diligence and annual review to ensure compliance with security and privacy requirements, service level agreements, laws, and regulations. In addition, sub-processors are required to sign a Data Processing Agreement (DPA) that includes compliance with data protection laws, confidentiality and right to audit clauses, data retention, and access requirements.

Measures for user identification and authorization

  • Accounts with access to systems processing customer and personal data are unique, mapped to individuals, and not shared between users.
  • Only authorized roles, as defined in the Role-Based Access Control (RBAC), are allowed to access systems processing customer and personal data using a unique username and an alphanumeric password with at least eight characters with one special, one lowercase, and one uppercase character.
  • Single Sign-On (SSO) and multi-factor authentication, such as one-time password, authentication key codes, or device-based authentication, are utilized wherever possible.
  • Only limited individuals are granted access to infrastructure hosting customer and personal data based on the principle of least privilege using groups mapped to the IAM access permissions. Applications are granted access to customer and personal data using Identity and Access Management (IAM) policies.
  • Only internal systems allowed through security groups can communicate with applications processing customer and personal data. Further, firewalls are configured to restrict access and communication with external systems.
  • Access to modify or delete log files is restricted and segregated so that users who perform privileged activities cannot manipulate log files.

Measures for the protection of data during transmission

  • All the Customer Data, including personal data transmitted through a web browser, mobile application, APIs, data connector, and integrations, is encrypted through HTTPS connection over TLS 1.2 using SHA-256 with 2048-bit RSA encryption.
  • All the Customer Data, including personal data stored in primary and backup storage, is encrypted at rest with AES 256 encryption.

Measures for the protection of data during storage

  • All the Customer Data, including personal data stored in primary and backup storage, is encrypted at rest with AES 256 encryption.
  • Encryption keys with which Customer Data is encrypted shall be stored securely so that no one can retrieve keys from the service. In case the keys need to be retrieved, only limited individuals should be able to access those with specific authorization for a defined period. Further, the keys should be rotated at least on an annual basis.
  • Laptops and workstations storing and accessing customer data are encrypted with full disk encryption.

Measures for ensuring the physical security of locations at which personal data are processed

  • Datacenter access requests are reviewed and approved based on the principle of least privilege, and time-bound multi-factor authenticated access is granted to specific data layer areas.
  • Datacenter visitors are required to wear an identification badge, make an entry in the access register, and be escorted by authorized staff.
  • Physical access to data centers is logged, monitored, and reviewed periodically to ensure access appropriateness.
  • Physical access points to server rooms are recorded by a Closed Circuit Television Camera (CCTV) and guarded by security staff.
  • Electronic intrusion detection and sound alarm systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents.
  • Data centers have a backup power supply and use mechanisms to monitor and control temperature, humidity, and water leaks. Further, data centers are equipped with smoke detection sensors and fire suppression equipment.
  • Physical entry points to office premises are recorded by a Closed Circuit Television Camera (CCTV) and have an access card verification system at every door, allowing only authorized employees to enter the office premises.
  • Office visitors record an entry in the visitor management system and are escorted by authorized employees.

Measures for ensuring events logging

  • Events and audit trails related to access to systems processing Customer Data are logged, monitored, and reviewed periodically.
  • Audit logs maintain detailed information such as timestamps, IP address, application name, specific action taken, request metadata, etc., and are retained for one year.
  • Notification alerts are sent based on the rules configured in the monitoring systems to identify anomalies, suspicious network behavior, abnormal activities, and threats.

Measures for ensuring system configuration, including the default configuration

  • Baseline systems are selected with hardened security configurations such as restricted remote access only with SSH, disabled remote root login, reduced number of non-critical packages, kernel live patching, and automatic installation of important security updates during initial boot.
  • Baseline systems with hardened security configurations and vulnerability fixes are used in the production environment.
  • After the version upgrade of the operating system, security scans are performed, vulnerabilities are remediated, and updated operating system images are finalized as baseline systems.
  • Security scans are run on the production systems periodically to identify new vulnerabilities and remediate them in the affected and baseline system.
  • Infrastructure configuration is regularly checked against the CIS benchmark containing security configuration best practices.
  • Segregation between development, testing, staging, and production environment is maintained. Further, the data of one customer is segregated from other customers.

Measures for internal IT and IT security governance and management

  • Organization structure, reporting lines with assigned authority, and responsibilities are defined to appropriately meet business objectives ensuring proper segregation of duties, including an information security function headed by the Chief Information Security Officer responsible for ensuring security, availability, confidentiality, and privacy.
  • There exists an Information Security Team headed by the Chief Information Security Officer. The roles and responsibilities of the members of the information security organization are defined.
  • The data protection officer is formally appointed to oversee data protection strategy and ensure compliance with data protection standards.
  • A management committee meeting is held at least once annually to discuss and amend the information security processes.
  • A meeting between the management and the Board of Directors is conducted at least once annually to communicate, review and discuss the external assessment results and information needed to fulfill their roles aligned with the organization’s objectives.
  • Information security and privacy policies are defined considering customer contractual commitments and applicable data protection laws and regulations for handling and protecting data. These policies are reviewed annually and are available on the company portal for employee reference.

Measures for certification/assurance of processes and products

  • ISO 27001 or Service Organization Control 2 (SOC2) Type 2 assurance audit is performed annually to obtain an independent opinion on the suitability of the design and operating effectiveness of the implemented controls.
  • Applicable requirements outlined in General Data Protection Regulation (GDPR) are complied with to help customers meet their obligations as Data Controllers or Data Processors.

Measures for ensuring data minimization

  • Information stored in activity logs and databases is pseudonymized wherever possible using a unique randomized user identifier that cannot be back-traced to a specific data subject.
  • The only minimum required personal data is shared with third parties to provide customer services.

Measures for ensuring data quality

  • Customers can export personal data records to perform data quality checks and corrections.

Measures for ensuring limited data retention

  • Personal data is retained per the contractual terms agreed with the customers and as the laws require.
  • Audit logs containing personal data are retained for one year and, after that, either pseudonymized or deleted.
  • Data processing agreements that include data retention requirements are signed with third parties with a minimum required personal data shared to provide customer services.

Measures for ensuring accountability

  • Accounts with access to systems processing customer and personal data are unique, mapped to individuals, and not shared between users.
  • Events and audit trails related to access to systems processing Customer Data are logged, monitored, and reviewed periodically.
  • Audit logs maintain detailed information such as timestamps, IP address, application name, specific action taken, request metadata, etc., and are retained for one year.
  • Access to modify or delete log files is restricted and segregated so that users who perform privileged activities cannot manipulate log files.

Measures for allowing data portability and ensuring erasure

  • Customers can export their data through reports or programmatic APIs.
  • Personal data is retained per the contractual terms agreed with the customers and as the laws require.
  • Audit logs containing personal data are retained for one year and, after that, either pseudonymized or deleted.
  • Personal data records are removed through a secure deletion process that irreversibly destroys the data.
  • Data processing agreements that include data retention requirements are signed with third parties with a minimum required personal data shared to provide customer services.

MSIRobot