Security Compliance

Information Security

Comprehensive security strategy covering organizational security, physical security, infrastructure security, data security, incident management, and vulnerability threat and risk management.

Updated on: September 16, 2025

Security Overview

Mynd provides Software as a Service (SaaS) products to millions of users worldwide to solve their business problems. Security is a key component in our offerings, and is reflected in our people, process, and products. This page covers topics like data security, operational security, and physical security to explain how we offer security to our customers.

Our security strategy involves the following components:

Organizational Security

Data Security

Physical Security

Incident Management

Infrastructure Security

Vulnerability Threat and Risk Management (VTRM)

Organizational Security

We have an Information Security Management System (ISMS) in place which takes into account our security objectives and the risks and mitigations concerning all the interested parties. We employ strict policies and procedures encompassing the security, availability, processing, integrity, and confidentiality of customer data.

1. Employee Background Checks

Each employee undergoes a process of background verification. We hire reputable external agencies to perform this check on our behalf. We do this to verify their criminal records, previous employment records if any, and educational background. Until this check is performed, the employee is not assigned tasks that may pose risks to users.

2. Security Awareness

Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes to determine which topics they need further training in. We provide training on specific aspects of security that they may require based on their roles.

We educate our employees continually on information security, privacy, and compliance in our internal community where our employees check in regularly, to keep them updated regarding the security practices of the organization. We also host internal events to raise awareness and drive innovation in security and privacy.

3. Dedicated Security and Privacy Teams

We have dedicated security and privacy teams that implement and manage our security and privacy programs. They engineer and maintain our defense systems, develop review processes for security, and constantly monitor our networks to detect suspicious activity. They provide domain-specific consulting services and guidance to our engineering teams.

4. Internal Audit and Compliance

We have a dedicated compliance team to review procedures and policies at Mynd to align them with standards, and to determine what controls, processes, and systems are needed to meet the standards. This team also does periodic internal audits and facilitates independent audits and assessments by third parties.

5. Endpoint Security

All workstations issued to Mynd employees run an up-to-date OS version and are configured with anti-virus software. They are configured to comply with our security standards, which require all workstations to be properly configured, patched, and tracked and monitored by Mynd's endpoint management solutions. These workstations are secure by default, as they are configured to encrypt data at rest, enforce strong passwords, and lock when idle.

Physical Security

1. At Workplace

We control access to our resources (buildings, infrastructure and facilities), where access includes consumption, entry, and utilization, with the help of access cards. We provide employees, contractors, vendors, and visitors with different access cards that only allow access strictly specific to the purpose of their entrance into the premises. The Human Resources (HR) team establishes and maintains the purposes specific to roles. We maintain access logs to spot and address anomalies.

2. Monitoring

We monitor all entry and exit movements throughout our premises in all our business centers and data centers through CCTV cameras deployed according to local regulations. Backup footage is retained for a period that depends on the requirements for that location.

Infrastructure Security

1. Network Security

Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. We use firewalls to protect our network from unauthorized access and undesirable traffic. Our systems are segmented into separate networks to protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Mynd's production infrastructure.

We monitor firewall access on a strict, regular schedule. A network engineer reviews all changes made to the firewall every day. Additionally, the rule set is reviewed every six months to update and revise the rules. Our dedicated Network Operations Center team monitors the infrastructure and applications for any discrepancies or suspicious activities. All crucial parameters are continuously monitored using our proprietary tool, and notifications are triggered in any instance of abnormal or suspicious activity in our production environment.

2. Network Redundancy

All the components of our platform are redundant. We use a distributed grid architecture to shield our system and services from the effects of possible server failures. If there's a server failure, users can carry on as usual because their data and Mynd services will still be available to them.

We additionally use multiple switches, routers, and security gateways to ensure device-level redundancy. This prevents single-point failures in the internal network.

3. DDoS Prevention

We use technologies from well-established and trustworthy service providers to prevent DDoS attacks on our servers. These technologies offer multiple DDoS mitigation capabilities to prevent disruptions caused by bad traffic, while allowing good traffic through. This keeps our websites, applications, and APIs highly available and performing.

4. Server Hardening

All servers provisioned for development and testing activities are hardened (by disabling unused ports and accounts, removing default passwords, etc.). The base Operating System (OS) image has server hardening built into it, and this OS image is provisioned in the servers, to ensure consistency across servers.

5. Intrusion Detection and Prevention

Our intrusion detection mechanism takes note of host-based signals on individual devices and network-based signals from monitoring points within our servers. Administrative access, use of privileged commands, and system calls on all servers in our production network are logged. Rules and machine intelligence built on top of this data give security engineers warnings of possible incidents. At the application layer, we have our proprietary WAF which operates on both whitelist and blacklist rules.

At the Internet Service Provider (ISP) level, a multi-layered security approach is implemented with scrubbing, network routing, rate limiting, and filtering to handle attacks from the network layer to the application layer. This system provides clean traffic, reliable proxy service, and prompt reporting of attacks, if any.

Data Security

1. Secure by Design

Every change and new feature is governed by a change management policy to ensure all application changes are authorised before implementation into production. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as screening of code changes for potential security issues with our code analyser tools, vulnerability scanners, and manual review processes.

Our robust security framework, based on OWASP standards and implemented in the application layer, provides functionality to mitigate threats such as SQL injection, cross-site scripting, and application-layer DoS attacks.

2. Encryption

a. In Transit

All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate that all connections to our servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers, for all connections including web access, API access, our mobile apps, and IMAP/POP/SMTP email client access. This ensures a secure connection by allowing the authentication of both parties involved in the connection, and by encrypting the data to be transferred. Additionally, for email, our services leverage opportunistic TLS by default. TLS encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.

We have full support for Perfect Forward Secrecy (PFS) on our encrypted connections, which ensures that even if we were somehow compromised in the future, no previous communication could be decrypted. We have enabled the HTTP Strict Transport Security (HSTS) header on all our web connections. This tells all modern browsers to only connect to us over an encrypted connection, even if you type the URL of an insecure (http://) page on our site. Additionally, on the web we flag all our authentication cookies as Secure.
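The HSTS and Secure-cookie controls described above, shown as an added example in Go. This is illustrative code written for this page, not Mynd's own middleware: the HSTS directive value, the hostname app.example.test, the cookie name and the handler names are all assumptions, and the requests are simulated in-process with net/http/httptest rather than sent over a network. The block also includes a small checker that reports which of these protections a response is missing, which is the check a reviewer would run against a live endpoint.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// HSTSHeaderValue is an assumed policy (one year, subdomains included); the
// page states that HSTS is enabled but not the exact directive.
const HSTSHeaderValue = "max-age=31536000; includeSubDomains"

// SecureHeaders wraps a handler so that plain-HTTP requests are redirected to
// HTTPS and every HTTPS response carries Strict-Transport-Security. The header
// is deliberately not sent on the plain-HTTP redirect, because browsers ignore
// HSTS received over an insecure connection.
func SecureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil && !strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", HSTSHeaderValue)
		next.ServeHTTP(w, r)
	})
}

// NewAuthCookie builds a session cookie with the Secure flag the page mentions,
// plus HttpOnly and SameSite=Lax as sensible companions.
func NewAuthCookie(name, value string) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}
}

// LoginHandler is a hypothetical endpoint that issues the hardened cookie.
func LoginHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, NewAuthCookie("session", "constructed-opaque-token"))
	fmt.Fprint(w, "ok")
}

// LegacyLoginHandler issues the same cookie with no flags at all, to show what
// the checker below reports for a misconfigured endpoint.
func LegacyLoginHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "session", Value: "constructed-opaque-token", Path: "/"})
	fmt.Fprint(w, "ok")
}

// CheckResponse reviews response headers the way an external audit would and
// returns the missing protections; an empty result means all were present.
func CheckResponse(h http.Header) []string {
	var findings []string
	if !strings.HasPrefix(h.Get("Strict-Transport-Security"), "max-age=") {
		findings = append(findings, "missing Strict-Transport-Security header")
	}
	for _, c := range h.Values("Set-Cookie") {
		name := strings.SplitN(c, "=", 2)[0]
		attrs := strings.ToLower(c)
		if !strings.Contains(attrs, "; secure") {
			findings = append(findings, "cookie "+name+" lacks Secure")
		}
		if !strings.Contains(attrs, "; httponly") {
			findings = append(findings, "cookie "+name+" lacks HttpOnly")
		}
	}
	return findings
}

// Simulate runs one request through a handler in-process with httptest (no
// network) and returns the recorded response. An https:// target makes httptest
// populate r.TLS, so the middleware treats it as a TLS request.
func Simulate(h http.Handler, target string) *http.Response {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Result()
}

func main() {
	hardened := SecureHeaders(http.HandlerFunc(LoginHandler))
	fmt.Println("hardened:", CheckResponse(Simulate(hardened, "https://app.example.test/login").Header))
	legacy := http.HandlerFunc(LegacyLoginHandler)
	fmt.Println("legacy:  ", CheckResponse(Simulate(legacy, "https://app.example.test/login").Header))
}
```

The redirect-then-HSTS ordering matters: a browser only honours Strict-Transport-Security on a response it received over TLS, so the header is set only on the HTTPS path, and the plain-HTTP branch answers with nothing but the redirect. The checker's three findings for the legacy handler (no HSTS, cookie without Secure, cookie without HttpOnly) are exactly the items the text above says are in place.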

b. At Rest

Sensitive customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES). The data that is encrypted at rest varies with the services you opt for. We own and maintain the keys using Google Cloud Secret Manager and Key Management Service (KMS). We provide an additional layer of security by encrypting the data encryption keys with master keys. The master keys and data encryption keys are physically separated and stored on different servers with limited access.
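The two-tier key scheme described above (a data encryption key per record, itself encrypted under a master key held elsewhere) is usually called envelope encryption. The following Go block is an added example written for this page to make the mechanics concrete; it is not Mynd's implementation and does not call Google Cloud KMS. The Envelope layout, the key identifiers kek-v1 and kek-v2, the record id and the sample plaintext are all constructed for the illustration, and the master key is simply a local 32-byte value standing in for a key that a real deployment would keep inside the key service. Beyond the text's description, the block also shows why the split is operationally useful: rotating the master key re-wraps the small DEK and never touches the bulk ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is a constructed record layout (not Mynd's storage format): the data
// ciphertext plus its data encryption key (DEK) wrapped under a master key (KEK).
type Envelope struct {
	RecordID   string // bound to Ciphertext as AEAD associated data
	KeyID      string // which KEK wrapped the DEK; bound to WrappedDEK
	WrappedDEK []byte // AES-256-GCM(KEK, DEK); stored next to the data
	Ciphertext []byte // AES-256-GCM(DEK, plaintext)
}

// randomBytes draws n bytes from the OS CSPRNG; failure there is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// NewKey returns a fresh AES-256 key; used here for both DEKs and KEKs.
func NewKey() []byte { return randomBytes(32) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh nonce (prefixed to the output)
// and authenticates aad together with the ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// wrap seals the DEK under the KEK identified by keyID and assembles the envelope.
func wrap(kek, dek []byte, keyID, recordID string, ct []byte) (*Envelope, error) {
	wrapped, err := seal(kek, dek, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{RecordID: recordID, KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Encrypt generates a per-record DEK, encrypts the data with it, then wraps the DEK.
func Encrypt(kek []byte, keyID, recordID string, plaintext []byte) (*Envelope, error) {
	dek := NewKey()
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return wrap(kek, dek, keyID, recordID, ct)
}

// Decrypt unwraps the DEK with the KEK, then decrypts the data with the DEK.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(env.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK under %s: %w", env.KeyID, err)
	}
	return open(dek, env.Ciphertext, []byte(env.RecordID))
}

// Rewrap rotates the master key: the DEK is unwrapped with the old KEK and wrapped
// under the new one; the data ciphertext is untouched, so no bulk re-encryption.
func Rewrap(oldKEK, newKEK []byte, newKeyID string, env *Envelope) (*Envelope, error) {
	dek, err := open(oldKEK, env.WrappedDEK, []byte(env.KeyID))
	if err != nil {
		return nil, err
	}
	return wrap(newKEK, dek, newKeyID, env.RecordID, env.Ciphertext)
}

func main() {
	kek := NewKey()
	env, _ := Encrypt(kek, "kek-v1", "customer-42", []byte("constructed sensitive record"))
	pt, err := Decrypt(kek, env)
	fmt.Printf("decrypted=%q err=%v\n", pt, err)
}
```

Two details carry the security value. First, both layers are AES-GCM, so a modified ciphertext, a swapped record id, or a wrapped key presented under the wrong KEK all fail authentication rather than yielding garbage. Second, only WrappedDEK sits beside the data; the KEK never has to leave the key service, which is the separation the text describes between master keys and data encryption keys.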

Incident Management

1. Reporting

We have a dedicated incident management team. We notify you of the incidents in our environment that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions.

We respond to the security or privacy incidents you report to us through infosec@myndsol.com with high priority. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using the primary email address of the organization administrator registered with us).

Vulnerability Threat and Risk Management (VTRM)

Vulnerability Threat and Risk Management (VTRM) is a comprehensive approach used by organizations to identify, assess, and manage vulnerabilities, threats, and risks associated with their assets, systems, and operations. It is a systematic process that helps organizations understand potential vulnerabilities, evaluate threats, and implement appropriate risk mitigation measures.

By adopting VTRM practices, organizations can enhance their overall security posture, proactively identify and address vulnerabilities and threats, and reduce the likelihood and impact of security incidents. It provides a structured approach to managing risks and helps organizations make informed decisions when allocating resources for security measures.

Key Components of VTRM:

1. Vulnerabilities

Vulnerabilities refer to weaknesses or flaws in systems, processes, or configurations that could be exploited by threat actors. These vulnerabilities can exist in software, hardware, networks, or even in human behavior. Identifying vulnerabilities is a crucial step in the VTRM process.

2. Threats

Threats encompass potential events or actions that could exploit vulnerabilities and cause harm to an organization. These threats can come from various sources, such as hackers, malware, natural disasters, or even internal actors. Understanding the types of threats an organization may face is essential for effective risk management.

3. Risks

Risks are the potential negative consequences that result from the exploitation of vulnerabilities by threats. Risk management involves assessing the likelihood and impact of a threat exploiting a vulnerability and determining the level of risk it poses to the organization. Risks can vary in severity, and organizations need to prioritize and allocate resources accordingly to mitigate them.

4. Assessment

The VTRM process involves conducting a comprehensive assessment to identify vulnerabilities, evaluate threats, and analyze associated risks. This assessment can include vulnerability scanning, penetration testing, threat intelligence analysis, risk analysis, and other techniques to gather information and assess the security posture of the organization.

5. Risk Mitigation

Once vulnerabilities, threats, and risks have been identified and analyzed, organizations can develop and implement risk mitigation strategies. These strategies can include a range of measures, such as implementing security controls, conducting employee training and awareness programs, updating software and systems, establishing incident response plans, and implementing disaster recovery measures.

6. Continuous Monitoring

VTRM is an ongoing process, and organizations should continuously monitor their systems, networks, and operations for new vulnerabilities and emerging threats. Regular assessments, vulnerability scans, threat intelligence updates, and monitoring of security controls are essential to maintaining an effective VTRM program.

7. Compliance and Governance

VTRM is closely tied to the compliance requirements and regulatory frameworks specific to an organization's industry. Compliance with relevant standards and regulations helps ensure that the VTRM program meets legal and industry requirements. Keeping all of the principles above in mind, Mynd has created a comprehensive security program that covers each of these aspects.