Security Overview

This Security Overview (“Security Overview”) is incorporated into and made a part of the agreement between Mindgard Ltd, Mindgard Inc and Customer covering Customer’s use of the Services (as defined below), including any terms applicable to the processing of personal data set forth therein (collectively, “Agreement”). Any capitalized term used but not defined has the meaning provided in the Agreement.

1. Definitions
“Customer Data” means any data (a) provided by Customer, or any user of the Services, including via any products and services provided by Customer, to Mindgard in connection with Customer’s use of the Services or (b) generated for Customer’s use as part of the Services.
“Services” means, collectively, the Mindgard Services (as defined below).
“Mindgard Services” means any services or application programming interfaces branded as “Mindgard”.

2. Purpose.  This Security Overview describes Mindgard’s security program, including Mindgard’s security certifications and self-attestations and technical and organizational security controls to protect (a) Customer Data from unauthorized use, access, disclosure, or theft and (b) the Services. As security threats change over time, Mindgard continues to update its security program and strategy to protect Customer Data and the Services in accordance with industry best practices. As such, Mindgard reserves the right to update this Security Overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Overview. The then-current terms of this Security Overview are available at https://www.mindgard.ai/legal/security-overview. This Security Overview does not apply to any (a) Services that are identified as alpha, beta, not generally available, limited release, developer preview, or any similar Services offered by Mindgard or (b) any services provided by telecommunications providers.

3. Security Organization and Program.  Mindgard maintains a risk-based security program aligned with the SOC 2 Trust Services Criteria, which includes administrative, technical, organizational, and physical safeguards reasonably designed to protect the Services and the security, confidentiality, integrity, and availability of Customer Data. Mindgard’s security program is intended to be appropriate to the nature of the Services and the size and complexity of Mindgard’s business operations. Mindgard’s security program is managed at the highest levels of the company, with Mindgard’s security delegate regularly meeting with executive management to discuss security-related issues and coordinate company-wide security initiatives. Mindgard’s information security policies and standards are reviewed and approved by Mindgard’s security delegate and executive management at least annually.

4. People Security and Onboarding.  Mindgard (a) maintains policies, procedures, and controls that are regularly updated to align with industry best practices and (b) makes such policies and procedures readily accessible to all Mindgard employees. All Mindgard employees are subject to the following minimum security measures:

(i) Completion of a background check, administered by a recognized third-party background check provider, on all new Mindgard employees prior to hiring, in accordance with applicable local laws;
(ii) Execution of a confidentiality clause included within all employment agreements;
(iii) Annual completion of mandatory security training, with extended deadlines available for Mindgard employees on leaves of absence;
(iv) Maintenance and continuous monitoring of an anonymous whistleblowing mechanism for Mindgard employees to report any unethical behaviour, where anonymous reporting is legally permitted;
(v) Access to Customer Data controlled and limited strictly to authorized Mindgard employees, in accordance with Section 10.1 (Provisioning Access) and Mindgard’s internal standard operating procedures governing the processing and protection of such Customer Data.

5. Physical Security.  To the extent that Mindgard can exercise control over the premises, Mindgard maintains strong physical security controls at its offices, guided by a physical security policy that is regularly reviewed. Mindgard’s physical security policy establishes the baseline physical security controls necessary for preventing unauthorized access to Mindgard’s offices and for safeguarding Mindgard’s physical assets. Mindgard’s physical security policy covers areas such as access controls, employee and contractor badge requirements, securing IT equipment, and after-hours monitoring. Mindgard requires the infrastructure providers identified in Section 8 (Hosting Architecture and Data Segregation) of this Security Overview to maintain physical security standards that are, at a minimum, aligned with SOC 2 standards.

6. Third Party Vendor Management.  Mindgard may use third-party vendors to provide the Services. Mindgard has implemented a comprehensive vendor management program that applies technical and organizational security controls proportional to the type of service the third-party vendor provides and the associated security-related risks. Prospective third-party vendors that will process Customer Data are thoroughly vetted through a process that ensures they comply with, and will continue to comply with, Mindgard’s confidentiality, security, and privacy requirements for the duration of their relationship with Mindgard. In addition, Mindgard regularly reviews (i) each third-party vendor against Mindgard’s security and business continuity standards; (ii) each third-party vendor’s access to Customer Data and its technical and organizational security controls to protect Customer Data; and (iii) evolving legal or regulatory requirements that impact Mindgard’s security program or processing of Customer Data. Mindgard’s current third-party vendors that are sub-processors are listed at https://www.mindgard.ai/legal/sub-processors. For the avoidance of doubt, telecommunication providers are not considered third-party vendors or sub-processors of Mindgard.

7. Security Certifications and Attestations.  Mindgard holds the following security-related certifications and attestations:

Certification or Attestation | Covered Services
SOC 2 Type 1 | All Services

8. Hosting Architecture and Data Segregation
8.1 Infrastructure and Colocation Providers.  The Services set forth below are hosted by the corresponding infrastructure provider. Information regarding each infrastructure provider’s technical and organizational security controls is also linked below.

Infrastructure Provider | Covered Services | Infrastructure Provider’s Technical and Organizational Security Controls
Microsoft Azure | All Services | Microsoft Compliance Center

8.2 Production Environment and Customer Data Access.  The production environment of the Services hosted with the aforementioned infrastructure providers is logically isolated in a private virtual network (an Azure Virtual Network, the Azure equivalent of a Virtual Private Cloud), and Customer Data is encrypted at all times. The production environment is hosted in the providers’ data centers in the United Kingdom and the United States of America. The aforementioned infrastructure providers do not have access to unencrypted Customer Data. All network access between hosts within the production environment is restricted, using access control mechanisms and the principle of least privilege, so that only authorized services can interact within the production environment. Access control lists are used to manage network segregation between the different security zones of the production and corporate environments within Mindgard’s hosting environment, and are reviewed regularly. Mindgard separates each Customer’s Customer Data from other customers’ data using logical identifiers (logical, rather than physical, segregation).
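As an added illustration of the kind of network access control list described above (this is example configuration written for this page, not Mindgard’s actual configuration, which the page does not publish), the following Azure Resource Manager fragment defines a Network Security Group for a database subnet. It allows only the application subnet to reach the database port and explicitly denies all other intra-network inbound traffic. The subnet ranges (10.0.1.0/24, 10.0.2.0/24), the port (5432), the resource names, the region and the apiVersion are assumptions.

```json
{
  "type": "Microsoft.Network/networkSecurityGroups",
  "apiVersion": "2022-07-01",
  "name": "nsg-db-subnet",
  "location": "uksouth",
  "properties": {
    "securityRules": [
      {
        "name": "AllowAppSubnetToDatabase",
        "properties": {
          "description": "Least privilege: only the application tier (assumed 10.0.1.0/24) may reach the database tier (assumed 10.0.2.0/24) on the assumed service port 5432",
          "priority": 100,
          "direction": "Inbound",
          "access": "Allow",
          "protocol": "Tcp",
          "sourceAddressPrefix": "10.0.1.0/24",
          "sourcePortRange": "*",
          "destinationAddressPrefix": "10.0.2.0/24",
          "destinationPortRange": "5432"
        }
      },
      {
        "name": "DenyAllOtherVnetInbound",
        "properties": {
          "description": "Overrides the built-in AllowVnetInBound default rule (priority 65000) so that hosts in other security zones of the same virtual network cannot reach the database tier unless explicitly allowed by a higher-precedence rule",
          "priority": 4000,
          "direction": "Inbound",
          "access": "Deny",
          "protocol": "*",
          "sourceAddressPrefix": "VirtualNetwork",
          "sourcePortRange": "*",
          "destinationAddressPrefix": "*",
          "destinationPortRange": "*"
        }
      }
    ]
  }
}
```

The practitioner’s check here is the second rule. An Azure NSG ships with a default rule that allows all inbound traffic from anywhere in the same virtual network (priority 65000), so a group containing only allow rules does not actually segregate security zones; the explicit deny at a lower priority number (higher precedence) is what makes the allow rule the only path in. Reviewing access control lists regularly, as the section states, should include confirming that such a deny rule is still present and still ordered ahead of the defaults.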

9. Security by Design.  Mindgard follows secure-by-design and privacy-by-design principles when it designs the Services. Mindgard also applies the Mindgard Secure Software Development Lifecycle (Secure SDLC) standard to perform numerous security-related activities for the Services across different phases of the product creation lifecycle, from requirements gathering and product design all the way through product deployment. 

10. Access Controls
10.1 Provisioning Access.  Mindgard follows the principle of least privilege through a team-based access control mechanism when provisioning system access, to minimize the risk of unauthorized Customer Data exposure. Mindgard employees’ access to Customer Data must be approved before it is granted and is restricted to employees whose job role or job responsibilities specifically require it. Access rights to the production environment of the Services that do not expire automatically are reviewed at least quarterly. An employee’s or contractor’s access to Customer Data is promptly removed upon termination of employment. In order to access the production environment of the Services, an authorized user must have a unique username and password and must have multi-factor authentication enabled. Before an authorized user is granted access to the production environment of the Services, the access must be approved by management.
10.2 Password Controls.  At a minimum, Mindgard’s password management policy for Mindgard employees requires the use of a password manager and enforces minimum password requirements, including minimum length and the use of special characters. Customer must also require its users to add another layer of security to their accounts by enabling two-factor authentication (2FA).

11. Change Management.  Mindgard follows a formal change management process to administer changes to the production environment of the Services, including changes to its underlying software, applications, and systems. Significant changes are carefully reviewed and evaluated in an environment segregated from production before being deployed into the production environment of the Services. All significant changes to systems, networks, and processing facilities must be documented. Deployment approval for changes with substantial impact on information security or business operations is required from the appropriate organizational stakeholders. Plans and procedures are also in place to roll back a deployed change where necessary to preserve the security of the Services.

12. Encryption
12.1 Encryption in Transit.  Customer Data is encrypted in transit between Customer’s software application and the Services using TLS version 1.2 or higher.
12.2 Encryption at Rest.  Customer Data is encrypted at rest in Microsoft Azure using the Advanced Encryption Standard (AES).

13. Vulnerability Management.  Mindgard maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business and operational requirements. Mindgard uses third-party tooling to conduct vulnerability scans regularly to assess vulnerabilities in Mindgard’s hosting environment and corporate systems. Critical software patches are evaluated, tested, and applied proactively.

14. Penetration Testing.  Mindgard performs penetration tests and engages independent, recognized third parties to conduct penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly. Additionally, Mindgard maintains a monitored responsible disclosure email address which allows independent security researchers to report security threats and vulnerabilities on an ongoing basis.

15. Security Incident Management
15.1 Prevention Measures.  Mindgard maintains security incident management policies and procedures. Mindgard’s Security Incident Response Team assesses relevant security threats and vulnerabilities and establishes appropriate remediation and mitigation actions. 
15.2 Incident Response.  Mindgard will promptly investigate a Security Incident upon discovery. To the extent permitted by applicable law or regulation, Mindgard will notify Customer of a Security Incident in accordance with internal security policies. Security Incident notifications will be provided to Customer via email to the email address designated by Customer in its account. Mindgard has a defined set of policies, procedures, standards, and tooling that guide its subsequent responses, with adherence to applicable law or regulation. This includes customer notifications where mandated, coordination with law enforcement, and declarations to applicable privacy and other regulatory bodies where appropriate.

16. Resilience and Service Continuity
16.1 Resilience.  Mindgard utilizes multiple geographically diverse regions within its infrastructure providers and has configured multiple fault-independent availability zones within each of those regions, so that a failure in any single data center does not affect the availability of the Services. This allows Mindgard to detect and route around issues affecting individual hosts or whole data centers in real time, and to employ orchestration tooling that can regenerate hosts by rebuilding them from the latest backup.
16.2 Service Continuity.  Mindgard leverages specialized tools available within the hosting infrastructure of the Services to monitor server performance, data, and traffic load capacity within each availability zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, these tools increase capacity or shift traffic to relieve the condition. Mindgard is also notified immediately of any suboptimal server performance or overloaded capacity.

17. Customer Data Backups.  Mindgard performs regular backups of Customer Data hosted on Azure’s data center infrastructure. Backed-up Customer Data is retained redundantly across multiple availability zones and is encrypted in transit and at rest using a modern encryption standard appropriate to the type of Customer Data being encrypted.