At Mine, we take data privacy and security very seriously
Mine provides service to thousands of companies a month. So keeping your company’s data secure is a top priority. As a data company, we understand and stress the importance of complying with global privacy protocols and standards. As such, data privacy and security are things that we take very seriously. Our goal is to provide a secure environment, while also keeping our application’s performance at the highest quality to provide you with the best overall user experience.
We’re serious about transparency (it’s one of our core values) and realize security is important to our customers. Below we share answers to the questions we feel are most important for our customers to know.
If you believe you have found a security vulnerability in Mine, please let us know right away. You can find more information on reporting a vulnerability here.
Mine is ISO 27001 certified (the International Organization for Standardization standard for information security management systems).
A summary of the certification report is available upon request.
To learn more about ISO 27001, see here.
SOC 2 Type 2
Mine is in the process of obtaining a SOC 2 Type 2 report (an independent auditor's attestation of our controls over a review period), which we expect to complete during 2022.
Security is the responsibility of all Mine employees, and we take measures to ensure that access to our systems and your data is restricted only to those who need access.
- Our Site Reliability Engineers (SRE) are tasked with the operational aspects of our business and ensure information security.
- All machines that run our infrastructure are kept up to date and patched automatically. Software installation on them is strictly limited and controlled, and access is restricted to the team members who need it.
- Our organization’s Development, Test, and Operational systems are separated.
- We enforce best practices such as encryption of storage media, two-factor authentication (2FA), strong passwords, and automatic screen locking after a short period of inactivity. All communication is carried over encrypted channels using modern, strong ciphers.
We also have strict requirements for employees, including but not limited to:
- All staff must comply with our Confidentiality Policy, which includes a requirement to “take all reasonable measures to protect the security and prevent the unauthorized access or disclosure of all confidential information”.
- We provide periodic security training and tests for all employees.
- Our office has 24-hour security, cameras, and requires a biometric lock to access.
- We have a thorough employee termination/access removal process.
- All data is encrypted in transit and at rest with modern encryption, and outdated ciphers and protocols are disabled. See here.
- We contract a reputable third party for annual security audits and penetration tests, in-depth vulnerability testing of the application, and social engineering drills.
- We keep full audit logs, with monitoring and alerting on suspicious activity.
Data Center Security
- Mine was specifically built around compliance with the EU General Data Protection Regulation (GDPR) (http://www.eugdpr.org/).
- Our data centers are all located inside the EU (Western Europe).
- We host our infrastructure on Google Cloud Platform (https://cloud.google.com/security/).
Security Tools we use
At Mine, we use many different security tools to streamline our security workflows. A few examples are:
- SentinelOne (https://www.sentinelone.com/platform/singularity-core/)
- Detectify (https://detectify.com/)
- Snyk (https://snyk.io/)
- GitHub Code Security (https://docs.github.com/en/code-security)
- Google Cloud DLP (https://cloud.google.com/dlp)
- Google Cloud Security Command Center (https://cloud.google.com/security-command-center)
- HashiCorp Vault (https://www.vaultproject.io/)
- JAMF Now MDM (https://www.jamf.com/resources/product-documentation/jamf-now-easily-manage-your-apple-devices/)
3rd Party Data Source Integrations
Mine provides integrations that interact with the data sources used by your company (e.g. Zendesk, Stripe) in order to:
- Monitor and map the PII that resides in each of them (types of data, number of records, customer geography, etc.).
- Automate the process of DSR handling (Data Access or Erasure).
For 3rd party SaaS
Mine provides API integrations that authenticate using OAuth 2.0 or API keys restricted to the minimal set of permissions required to operate. These credentials are stored in a Vault and protected with strong encryption and access management.
For internal data sources
Mine provides an “Internal system integration”: a set of APIs for connecting any internal data source without giving Mine direct access to that internal system. These APIs are protected by several mechanisms: encryption, credentials, digital signatures, and IP whitelisting.
While interacting with data sources, all information is encrypted in transit, and no PII is stored on Mine’s servers.
For monitoring and mapping, Mine stores only the minimal aggregate data required to operate.
All access to data sources is logged and available for the customer to review at any time.
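The paragraph above lists the mechanisms that protect the internal-integration APIs (credentials, digital signatures, IP whitelisting) without showing how a receiving endpoint would actually apply them. The following is an added, illustrative example written for this page, not Mine's own code or API: it assumes an HMAC-SHA256 signature over the method, path, timestamp and body hash (sent in hypothetical X-Timestamp and X-Signature headers), a shared secret, a CIDR allowlist, and a replay window of five minutes. The allowlist networks and sample request are constructed for the example.

```python
"""Verify a signed inbound request to an internal-integration endpoint.

Illustrative example, not Mine's implementation. Assumptions:
  - signature = HMAC-SHA256(secret, "METHOD\nPATH\nTIMESTAMP\nSHA256(body)")
  - the caller sends X-Timestamp (unix seconds) and X-Signature (hex)
  - the endpoint knows the caller's source IP and a CIDR allowlist
"""
import hashlib
import hmac
import ipaddress
import time

MAX_CLOCK_SKEW = 300  # seconds; bounds how long a captured request stays replayable

# Constructed sample configuration (documentation ranges, not real addresses)
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
SHARED_SECRET = b"example-shared-secret-rotate-me"


def canonical_string(method, path, timestamp, body):
    """Bind method, path, time and body into one byte string to be signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret, method, path, timestamp, body):
    """Client side: produce the hex HMAC-SHA256 signature for a request."""
    msg = canonical_string(method, path, timestamp, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def ip_allowed(source_ip, allowlist=ALLOWED_SOURCES):
    """True if source_ip parses and falls inside any allowlisted network."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def verify_request(secret, method, path, headers, body, source_ip,
                   now=None, allowlist=ALLOWED_SOURCES):
    """Server side: return (ok, reason). Every check must pass."""
    # 1. IP whitelisting: reject before doing any crypto work
    if not ip_allowed(source_ip, allowlist):
        return False, "source ip not in allowlist"

    # 2. Freshness: a timestamp is required and must be within the window
    ts = headers.get("X-Timestamp")
    sig = headers.get("X-Signature", "")
    if ts is None or not ts.isdigit():
        return False, "missing or malformed timestamp"
    now = int(time.time()) if now is None else now
    if abs(now - int(ts)) > MAX_CLOCK_SKEW:
        return False, "timestamp outside allowed window"

    # 3. Signature: recompute over the same canonical string and compare in
    #    constant time so a timing side channel does not leak the MAC
    expected = sign_request(secret, method, path, ts, body)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample exchange: a DSR search request for one email address
    body = b'{"email": "alice@example.com"}'
    ts = str(int(time.time()))
    headers = {"X-Timestamp": ts,
               "X-Signature": sign_request(SHARED_SECRET, "POST", "/dsr/search", ts, body)}
    print(verify_request(SHARED_SECRET, "POST", "/dsr/search", headers, body, "203.0.113.10"))
    # A tampered body no longer matches the signed body hash
    print(verify_request(SHARED_SECRET, "POST", "/dsr/search", headers,
                         b'{"email": "bob@example.com"}', "203.0.113.10"))
```

Each mechanism rejects a different class of bad request: the allowlist stops traffic from unexpected networks before any secret is touched, the timestamp window limits how long a captured request can be replayed, and the HMAC ties the body and path to the shared credential so neither can be altered in transit. A practitioner would also persist seen (timestamp, signature) pairs within the window to close replay entirely, and would carry the exchange over TLS so the body itself is encrypted as well as authenticated.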
Permissions and scopes
When integrating with a 3rd party SaaS to automate request handling, Mine uses the minimal set of permissions required to operate. Such operations include:
- Search for objects that belong to a user by email/id
- Retrieve such objects
- Delete/anonymize such objects
Access is granted by an employee who is authorized to do so.