Mailercloud (“Mailercloud”, “we”, “us”, “our”) values the trust that our customers place in us by letting us act as custodians of their data. We take our responsibility to protect and secure your information seriously and strive for complete transparency around our security practices detailed below. Our Privacy Notice https://www.mailercloud.com/privacy-policy also further details the ways we handle your data.
This Statement complements Mailercloud’s Information Security Policy and provides a summary of the company’s internal security policies and procedures. The Statement’s aim is to provide assurance to interested parties about the security of the SaaS applications, as well as the data contained within them.
If you have any questions about the below, please contact us at [email protected]
Mailercloud has implemented governance, risk management, and compliance practices that align with the most globally recognized information security frameworks and has further implemented an Information Security Management System (ISMS) to manage and continually improve its information security posture.
Mailercloud takes a risk-based approach to information security aligned with ISO 27001 and the GDPR framework.
Information security roles and responsibilities are well defined within Mailercloud. We take information security very seriously and have representation and sponsorship at the executive level by the Chief Technology Officer (CTO), with support from the CEO.
The company has trained and experienced staff developing and operating information systems. Mailercloud has implemented segregation of duties to protect critical functions. Security is considered in all projects the company undertakes.
Mobile Device Management (MDM) and other controls are in place to reduce the risks of Mailercloud employees working remotely and with mobile devices.
Mailercloud carefully screens people who do work for, or on behalf of, the company. Everyone at Mailercloud is trained in and aware of information security and data protection.
The company requires confidentiality and nondisclosure from all those who work for Mailercloud, both during and after employment.
Disciplinary action is enforced for noncompliance with corporate policy.
The company maintains high ethical standards that are defined and enforced through Mailercloud’s code of conduct.
Mailercloud inventories and labels all information assets and information systems to manage appropriate access and facilitate effective patch management and incident response.
Customer data is classified at the highest classification level to facilitate proper identification and handling, as defined in the company’s Information Classification Policy, which is regularly communicated through training.
Personal data/PII is treated with the highest confidentiality, and appropriate measures are taken to protect it.
Staff are trained on the dangers of physical media and avoid using it wherever possible. Approval is required before storing or printing customer data on physical media.
The Principle of Least Privilege (POLP) is enshrined at Mailercloud in policy and in culture.
Access is granted on a Need to Know or Need to Use basis only.
User access procedures are documented, and access is revoked the moment it is no longer required.
The company conducts user access audits and reviews administrative logs periodically. Mailercloud publishes and enforces an internal Password Standard Policy.
Access to Mailercloud’s sites is restricted with additional layers of security around information and communications infrastructure. The company monitors site access, and third parties require business justification and an escort for access. Mailercloud enforces a clear desk and clear screen policy.
Mailercloud has documented procedures for all standard operations and tight control over Change Management governed by the Change Management Policy.
A dedicated DevOps team monitors and manages the production platform. Mailercloud deploys malware controls to reduce the chance and impact of infections.
Audit and event logs are captured, protected and regularly reviewed, as defined by the Logging Policy.
Mailercloud regularly takes and tests backups and builds multiple layers of redundancy into the company’s platform, as defined by the Backup and Retention Policy.
The deployment process makes it impossible to install software on live production systems.
Mailercloud runs a vulnerability management program based on the CVSS.
Mailercloud hardens all network services and firewalls.
Continuous compliance monitoring is run to detect changes to secure configurations.
Segregation principles are used at multiple levels for security, redundancy and performance.
Mailercloud provides guidance on the safe methods of information transfer and trains users on the risks.
NDAs are required from all parties that have or may have access to sensitive information resources.
Mailercloud considers security requirements for every piece of work that goes through the company’s SDLC.
The company regularly scans public APIs for vulnerabilities.
All development activity follows Mailercloud’s secure SDLC, which is actively monitored and governed by the Secure Development Policy.
Security testing is conducted as a part of all tasks with security requirements and for all software deployments; this includes testing against known standards, such as OWASP.
Multiple security gates are baked into the SDLC processes and are enforced by the 2-person rule.
Mailercloud minimizes outsourced development and applies additional controls to manage risks of code produced by third parties.
Mailercloud mandates and enforces the separation of development, testing and production environments to improve code quality and reduce errors.
Mailercloud closely manages suppliers using risk management principles.
Mailercloud performs additional vulnerability checking on dependencies in the supply chain and addresses them in accordance with the Information Security Policy.
Mailercloud maintains a security incident response process that covers the initial response, investigation, customer notification (no less than as required by applicable law), public communication, and remediation. This process is reviewed regularly and tested bi-annually.
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Mailercloud learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under applicable country-level, state and federal laws and regulations, as well as any industry rules or standards applicable to us. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.
Mailercloud has a documented Business Continuity Plan, recovery procedures and a trained response team.
To minimize service interruption due to hardware failure, natural disaster, or other catastrophe, we implement a disaster recovery program at all our data center locations. This program includes multiple components to minimize the risk of any single point of failure. For business critical applications, application data is replicated to multiple systems within the data center and, in some cases, replicated to secondary or backup data centers that are geographically dispersed to provide adequate redundancy and high availability. High-speed connections between our data centers help to support swift failover.
Mailercloud ensures that antivirus and malicious code protection are centrally managed and configured to retrieve the latest available signatures and definitions. Malicious code protection policies automatically apply updates to these protection mechanisms. Anti-virus tools are configured for scheduled scans, virus detection, real-time monitoring of file write activity and signature file updates. Laptop and remote users are covered under virus protection.
Mailercloud identifies and tracks regional security requirements to ensure compliance. Staff are required to observe intellectual property rights.
Mailercloud’s Data Protection Program, backed by the Data Protection Policy, ensures the company maintains privacy compliance within regional regulatory contexts.
Care is taken with the use of cryptographic techniques and methods to ensure compliance with laws and regulations.
External audits review the company’s information security implementation annually, at a minimum.
Mailercloud’s Platform is penetration tested by a specialist third-party firm annually, at a minimum.