General Data Protection Regulation (GDPR)
On May 25, 2018, a new privacy law called the General Data Protection Regulation (GDPR) takes effect in the European Union (EU). GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU personal data. Here is how Mirabel Technologies, Inc. can assist you on your GDPR journey:
As companies increasingly use data intelligence to understand and serve customers better, it is critical that they remain accountable to individuals' rights to privacy and security. That’s why Mirabel Technologies provides companies with transparency and control over their customer data, to accelerate compliance with regulations like the General Data Protection Regulation (GDPR).
ABOUT OUR COMPANY & PRODUCTS
Mirabel Technologies, Inc. is a leading provider of CRM software solutions and business intelligence platforms. Thousands of customers throughout the world utilize Mirabel’s Software-as-a-Service platforms to attract and engage customers, generate revenue, preserve resources, and maximize profitability.
Our widely used applications enable organizations to have more meaningful conversations with leads, prospects, and customers. As a provider of Software-as-a-Service (SaaS) solutions, our platforms are available for use as web applications, application programming interfaces (APIs), and third-party plugins.
SECURITY AND RISK GOVERNANCE
The primary security focus of Mirabel Technologies, Inc. is to safeguard our customers’ and users’ data. This is why Mirabel Technologies has invested in the appropriate resources to better serve our customers, including the implementation of a dedicated compliance team, which is responsible for Mirabel’s comprehensive security, risk management, and governance programs. This compliance team is focused on refining existing controls, implementing and managing our security framework, and providing a support structure to facilitate effective risk management.
OUR SECURITY AND RISK MANAGEMENT OBJECTIVES
We have developed our security framework using best practices in the SaaS industry.
Our objectives include:
- Consistently delivering superior products and services to our customers while protecting the privacy and confidentiality of their information
- Ensuring availability of data to all authorized individuals while proactively minimizing security risks
- Ensuring that customer information is never inappropriately altered
- Implementing a compliance process and standard controls to align with current industry best-practice guidance for cloud security
To protect the data provided to us, we have implemented efficient security controls for managing information internally:
Security of Data Centers: Mirabel Technologies does not host any production software systems within its corporate offices. Instead, it outsources hosting of its product infrastructure to leading infrastructure providers known for providing high levels of physical and network security: (1) Amazon Web Services (AWS), (2) Hostway, (3) SingleHop, and (4) Microsoft Azure.
Our AWS cloud server instances reside in US locations, and all providers maintain an audited security program including SOC 2 and ISO 27001 compliance. These instances ensure a minimum of N+1 redundancy to all power, network, and HVAC services, and site access is restricted physically and electronically via public and private networks. This environment also includes continuity and recovery plans that have been approved as part of their SOC 2 Type II and ISO 27001 certifications, and certificates are available.
Mirabel Technologies’ products are designed to prevent unauthorized network access via enterprise-grade routing and firewalling. These controls are implemented using subnets that apply port- and address-level protections to each of our server instances and control network traffic from the public network and from other server instances using a multi-tiered approach. Any change to our networks is actively monitored using standard processes that evaluate and eliminate security risk.
Mirabel Technologies uses automated alerting and response technologies that continuously alert engineers and administrators when issues occur, such as errors, abuse scenarios, and application attacks, and that automatically trigger responses to unexpected or malicious activity, such as traffic blocking, quarantines, and termination of processes. Our systems actively log and store this information.
Other activities, such as logins, page views, and authentication attempts, among many other actions, are also actively monitored so that any potential issue is escalated to our developers immediately, at any hour of the day.
Access to Mirabel Technologies’ systems is strictly enforced by granting access only where appropriate, based on job function, using a role-based access control model. Access to our infrastructure tools is strictly minimized to those whose jobs require it. Logs of these activities are continuously monitored for out-of-the-ordinary requests, and direct network connections to infrastructure devices over SSH or similar protocols are strictly prohibited. Only select engineers can access these devices, and they are required to authenticate before accessing production environments.
As part of our commitment to protecting customer data and websites, Mirabel Technologies has also implemented a Web Application Firewall (WAF), which automatically identifies and protects against attacks aimed at our products and customer sites using best-practice guidelines documented by the Open Web Application Security Project (OWASP). The WAF is also configured with a combination of industry-standard protocols that protect our customers by actively monitoring real-time traffic at the application level to block malicious behavior.
Because Mirabel Technologies strives to improve its products, new code is developed and tested on a daily basis. Software code reviews and quality assurance are managed by specialized engineers with intimate knowledge of our products. Once the code is approved, it is deployed to a rigorous testing environment and is not released until proven effective on all tiers. Each deployment is thoroughly documented and archived in case of failure. Updates are communicated to customers once released.
VULNERABILITY SCANNING & SECURITY OVERVIEW
At Mirabel Technologies, we take a multi-layered approach to scanning for vulnerabilities. This entails continuous vulnerability scans and penetration tests of our networks, web-based applications, and infrastructure. We also automatically review the most current code to detect possible security flaws early in the product development lifecycle. By continually running scans, we are prepared and equipped to stay ahead of potential threats. Furthermore, we have consulted reputable third parties to identify any security flaws that could potentially exist.
CUSTOMER DATA PROTECTION
- Mirabel Technologies products are designed to optimize and improve sales and marketing processes. The information we collect encompasses sales and marketing data gathered via web and live interactions, public directories, and third-party sources.
- Our online tools allow prospects and customers to define the type of information collected and stored on their behalf.
- We also assure customers and prospects that only information that enhances marketing and sales workflows will be captured. This information does not include banking or financial data (such as credit or debit card numbers or personal financial account information), Social Security numbers, license or passport numbers, health information, or any other data deemed personal.
CREDIT CARD DATA & DATA ENCRYPTION
If you pay for Mirabel Technologies, Inc.’s products and services via credit card, Mirabel Technologies does not store the financial data submitted to us. We use trusted Payment Card Industry compliant payment vendors to securely process these transactions. All of these sensitive transactions and other interactions (such as logins and API calls) made with Mirabel Technologies products are encrypted in transit with TLS 1.0, 1.1, or 1.2 and 2,048-bit keys or better. Mirabel Technologies also uses several technologies to ensure stored data is encrypted at all times.
USER AUTHENTICATION & AUTHORIZATION
Mirabel Technologies also requires and enforces a strict, uniform password policy. The password policy requires a minimum of 6-12 characters, including a combination of lower-case and upper-case letters, special characters, and numbers. Customers can also adjust the permissions of the users on their site and limit access to its content and features. Customers can also enable API access (for custom integrations) through an API key.
MIRABEL TECHNOLOGIES EMPLOYEE ACCESS
Mirabel Technologies, Inc. tightly controls data access within its production and corporate environments. Only specific employees, such as Engineers and Client Support/Software Consultants, are granted access to this data, based on their role or on an as-needed basis. Access is granted only as needed to troubleshoot and to analyze data for the purpose of product decisions and support. This access is also limited by network access and protected with user authentication and authorization controls. Because this access is strictly limited to specific job functions, employee access is reviewed and updated continuously and proactively.
Customer Support, customer engagement, and/or other customer-facing staff may request occasional access to customer portals on an as-needed, limited basis. In these instances, access is granted only for a 24-hour period, and all behavior, such as access requests, logins, queries, page views, and similar information, is logged. All employee access to corporate and product resources is reviewed to ensure the access is appropriate.
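The two controls described in this document, role-based access (under "Security and risk management objectives") and the 24-hour, logged support access to customer portals (above), fit naturally into one small access-control component. The following is an added example, not Mirabel's own code: the role names, the permission strings, the customer and ticket identifiers, and the audit record shape are assumptions; only the 24-hour grant window comes from the text.

```python
"""Role-based, time-boxed access grants with an audit trail.

Added example, not Mirabel's code. Role names, permission strings and the
audit record layout are assumptions; the 24-hour grant window is the figure
given in the text.
"""
from datetime import datetime, timedelta

# Assumed role -> permission map (illustrative roles, not Mirabel's).
ROLE_PERMISSIONS = {
    "engineer": {"infra:read", "infra:deploy", "portal:read"},
    "support": {"portal:read"},
    "consultant": {"portal:read", "portal:write"},
}

GRANT_TTL = timedelta(hours=24)   # from the text: access lasts 24 hours


class AccessControl:
    """Grants portal access per (user, customer) and checks every action."""

    def __init__(self):
        self.grants = {}      # (user, customer_id) -> (role, expiry)
        self.audit_log = []   # every request and check, allowed or not

    def _record(self, **fields):
        self.audit_log.append(fields)

    def request_portal_access(self, user, role, customer_id, now, reason):
        """Grant a 24-hour portal grant if the role carries portal:read."""
        allowed = "portal:read" in ROLE_PERMISSIONS.get(role, set())
        self._record(event="access_request", user=user, role=role,
                     customer=customer_id, reason=reason, granted=allowed,
                     at=now)
        if allowed:
            self.grants[(user, customer_id)] = (role, now + GRANT_TTL)
        return allowed

    def check(self, user, customer_id, action, now):
        """Allow an action only inside a live grant and within the role."""
        grant = self.grants.get((user, customer_id))
        allowed = False
        if grant is not None:
            role, expiry = grant
            if now >= expiry:
                del self.grants[(user, customer_id)]   # expired: clean up
            else:
                allowed = action in ROLE_PERMISSIONS.get(role, set())
        self._record(event="portal_access", user=user, customer=customer_id,
                     action=action, allowed=allowed, at=now)
        return allowed

    def revoke(self, user, customer_id, now, reason):
        """Revoke early, e.g. when the ticket closes or the employee leaves."""
        existed = self.grants.pop((user, customer_id), None) is not None
        self._record(event="access_revoked", user=user, customer=customer_id,
                     reason=reason, at=now)
        return existed


def demo():
    """Walk one support request through grant, use, expiry and denial."""
    ac = AccessControl()
    t0 = datetime(2018, 5, 25, 9, 0)   # constructed timestamp
    results = {}
    results["grant"] = ac.request_portal_access(
        "jdoe", "support", "cust-42", t0, "ticket #123 (constructed)")
    results["read_in_window"] = ac.check(
        "jdoe", "cust-42", "portal:read", t0 + timedelta(hours=1))
    results["write_denied"] = ac.check(
        "jdoe", "cust-42", "portal:write", t0 + timedelta(hours=1))
    results["read_after_expiry"] = ac.check(
        "jdoe", "cust-42", "portal:read", t0 + timedelta(hours=25))
    results["unknown_role"] = ac.request_portal_access(
        "mallory", "intern", "cust-42", t0, "no ticket")
    results["revoke_missing"] = ac.revoke("jdoe", "cust-42", t0, "closed")
    results["audit_events"] = len(ac.audit_log)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every decision, including denials and expired grants, lands in the audit log, which is what makes the later access review the text describes possible; the role check at action time means a support grant never silently widens into write access even while it is live.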
The privacy of our customers’ data is a priority at Mirabel Technologies, and we never sell or share your personal data with third parties. We take several measures to ensure that your data remains private and unaltered, to meet customer needs and regulatory requirements. As such, Mirabel Technologies has registered to be certified under the EU-US and Swiss-US Privacy Shield Frameworks.
DATA RETENTION POLICY
Customer data is retained for as long as you remain a customer and will reside within Mirabel Technologies’ systems indefinitely unless deemed impractical. However, former customers’ data is removed from live database servers upon a customer’s written request to remove this data, or after a specified period following the termination of the Client Service Agreement(s).
In the event of a terminated Client Service Agreement, customer information is purged 90 days after the last day of service. Backup data is not actively purged from the repositories as data tends to age naturally and become unusable. Mirabel Technologies reserves the right to purge and process any remaining data in order to address compliance or technical issues.
Mirabel Technologies’ disaster recovery plans focus on outage prevention by implementing redundancy plans and operation strategies that will rapidly recover data if an unexpected event takes place. If a situation occurs that impacts customers, Mirabel Technologies works diligently to isolate the cause and resolve the issue and transparently communicate updates to customers via email and in-app notifications.
All Mirabel Technologies’ product services are designed with infrastructure redundancy, backups, and real-time replications. Our servers are distributed across multiple regions via our infrastructure providers.
Semiannual stress tests, real-world experience with natural disasters, and detailed policies and procedures for multiple contingencies ensure continued service and quick recovery in the unlikely event of a loss of service. Our databases are maintained at redundant, geographically dispersed server sites with multiple fail-safes to ensure data security.
SYSTEM RECOVERY & BACKUP STRATEGY
We continuously maintain and update databases and test our recovery procedures at regular intervals. We also use dedicated and private cloud-based servers that adhere to strict policies for hosting, backup, and recovery.
EMPLOYEE AUTHENTICATION & AUTHORIZATION
All passwords are regularly updated and provided only to employees who need to access systems. All relevant passwords are changed at regular intervals, as well as upon the termination of employment of anyone who was in possession of them. Every sign-in attempt to the system and every access to or alteration of data is recorded with the time, user, and machine.
We maintain a select group of third-party providers to supply our customers with an ideal experience. Our providers are rigorously vetted and monitored to ensure compliance with our security procedures. All appropriate safeguards are taken to ensure the security of data held by any third-party provider. All vendors are managed by leaders in our business units and are subject to review of their procedures to ensure full compliance with our security standards.