At Mine, we take data privacy and security very seriously

Want an expert to assist you? Get a free personal onboarding!

Mine provides service to thousands of companies a month. So keeping your company’s data secure is a top priority. As a data company, we understand and stress the importance of complying with global privacy protocols and standards. As such, data privacy and security are things that we take very seriously. Our goal is to provide a secure environment, while also keeping our application’s performance at the highest quality to provide you with the best overall user experience.


We’re serious about transparency (it’s one of our core values) and realize security is important to our customers. Below we share answers to the questions we feel are most important for our customers to know.


If you believe you have found a security vulnerability in Mine, please let us know right away. You can find more information on reporting a vulnerability here.



ISO 27001:2013

Mine has been ISO 27001 certified for over three years. We share the summary of the certification report available upon request.

Learn more


SOC 2 Type 2

Mine is SOC 2 Type 2 certified and is audited by Deloitte. We share the report upon request.



Mine is PCI-DSS certified through SAQ A, as we don't directly store/process credit card information.

Learn more



Mine does not directly process or store PHI. If you are HIPAA compliant and require Mine to sign a Business Associate Agreement (BAA), we are happy to do so. 

Learn more


Cyber Essentials

Mine is Cyber Essentials certified. We are happy to share the certificate upon request.

Learn more


Operational Security

Security is the responsibility of all Mine employees, and we take measures to ensure that access to our systems and your data is restricted only to those who need access.

  • Our Site Reliability Engineers (SRE) are tasked with the operational aspects of our business and ensure information security.
  • All machines that run our infrastructure are kept up to date and patched automatically. Software installations are strictly limited and controlled. Access to these machines is restricted only to relevant members of the teams.
  • Our organization’s Development, Test, and Operational systems are separated.
  • We enforce best practices such as: encryption of storage media, using two-factor authentication (2FA), requiring strong passwords, and more such as configuring computers to lock after a short period of time. Additionally, all communication is done through securely encrypted channels using modern, strong encryption.

We also have strict requirements for employees, including but not limited to:

  • All staff machines must comply with our Confidentiality Policy which includes a requirement to “take all reasonable measures to protect the security and prevent the unauthorized access or disclosure of all confidential information”.
  • We provide periodic security training and tests for all employees.
  • Our office has 24-hour security and requires a biometric lock to access.
  • The entrance is monitored by a camera that records movement 24/7.
  • We have a thorough employee termination/access removal process.


  • Our system runs automatic daily backups that are retained for 30 days.
  • All backups are encrypted (see encryption at rest below).
  • See our business continuity plan for more information.

Application Security

  • All data is encrypted at transit while enforcing modern ciphers and protocol versions. See more information here.
  • All data is encrypted at rest with AES. See more information here.
  • Mine contracts a reputable third party for annual security audits and penetration tests, in-depth testing for vulnerabilities inside the application, and social engineering drills.
  • We keep full audit logs and have monitors and alerts for every suspicious activity.
  • Passwords are secured with Auth0.

Data Center Security

  • Mine was specifically built around compliance with the EU General Data Protection Regulation (GDPR) (
  • By default, our data centers are located inside the EU (Belgium), unless custom data hosting is required.
  • We host our infrastructure on Google Cloud Platform (

Security Tools we use

At Mine, we use many security tools to streamline our security workflows. A few examples are:

  • SentinelOne Endpoint Protection (
  • Detectify Vulnerability Scanner (
  • Snyk Code Analysis (
  • Auth0 (
  • GitHub Code Security (
  • Google Cloud Security Command Center (
  • JAMF Now MDM (
  • Perimeter 81 VPN (
  • Fortinet Security Fabric (

3rd Party Data Source Integrations

Mine provides integrations to interact with data sources used by your company (eg Zendesk, Stripe, etc.) in order to:

  1. Monitor & map PII that resides within each one of them (types of data, number of records, customer geography, etc.).
  2. Automate the process of DSR handling (Data Access or Erasure).

For 3rd party SaaS

Mine provides API Integrations that are authenticated using OAuth 2.0 or API Keys restricted to the minimal set of required permissions to operate. The above credentials are secured in a Vault and secured with the highest standards of encryption and access management.

For internal data sources

Mine provides an “Internal system integration” which is a set of  APIs to connect any internal sources, without giving Mine access to such an internal system. These APIs are protected with various mechanisms: encryption, credentials, digital signature, and IP whitelisting.

While interacting with the data sources, all information is encrypted at transit, and no PII is stored on Mine’s servers.
For the purpose of Monitoring & Mapping Mine only stores minimal aggregate data is required to operate.

All the access to data sources is logged and available for the customer to review at any time.


Permissions and scopes

When integrating with a 3rd party SaaS to automate request handling, Mine uses the minimal set of permissions required to operate. Such operations include:

  • Search for objects that belong to a user by email/id
  • Retrieve such objects
  • Delete/anonymize such objects
This means that for every data source that is integrated with an API, we require read/write/list permissions to the objects that contain customer PII and are covered by the integration.
This usually includes access to objects such as contacts, tickets, conversations, etc.
In some cases, we only require read access and not write. This is true for objects that are required for handling access requests but are not part of a right-to-be-forgotten request. One such example is invoices or other business objects that are required to be retained.
Access is granted for each data source separately and on the account level. If in some data sources you manage multiple accounts or workspaces, access is for the specific workspace you wish to add.
Access is given by an employee that has permission to do so.
Other than the basic account/workspace name, we do not require access to objects related to the organization itself, for example, settings, users, statistics, reports, permissions and keys, account data, etc.
We also do not require access to perform operations, such as: adding users, issuing refunds, sending emails, etc.
Note: Different providers implement different granularity of permissions/scopes.
Access is only granted by API keys or connecting through OAuth. This means any access given to Mine can always be revoked.