Security

At Mine, we take data privacy and security very seriously


Mine provides service to thousands of companies a month, so keeping your company’s data secure is a top priority. As a data company, we understand and stress the importance of complying with global privacy protocols and standards, and data privacy and security are things we take very seriously. Our goal is to provide a secure environment while keeping our application’s performance at the highest quality, giving you the best overall user experience.


We’re serious about transparency (it’s one of our core values) and realize security is important to our customers. Below we share answers to the questions we feel are most important for our customers to know.


If you believe you have found a security vulnerability in Mine, please let us know right away. You can find more information on reporting a vulnerability here.


Certifications


ISO/IEC 27001:2013

We are pleased to announce that Mine has obtained ISO/IEC 27001 certification (the International Organization for Standardization’s standard for information security management).

A summary of the certification report is available upon request.

Want to know more about ISO 27001? Read about it here.


SOC 2 Type 2

Mine is in the process of obtaining SOC 2 Type 2 certification, which is expected to be completed during 2022.


Operational Security

Security is the responsibility of all Mine employees, and we take measures to ensure that access to our systems and your data is restricted only to those who need access.

  • Our Site Reliability Engineers (SRE) are tasked with the operational aspects of our business and ensure information security.
  • All machines that run our infrastructure are kept up to date and patched automatically. Software installations are strictly limited and controlled. Access to these machines is restricted only to relevant members of the teams.
  • Our organization’s Development, Test, and Operational systems are separated.
  • We enforce best practices such as encryption of storage media, two-factor authentication (2FA), strong passwords, and configuring computers to lock after a short period of inactivity. Additionally, all communication is done through securely encrypted channels using modern, strong encryption.

We also have strict requirements for employees, including but not limited to:

  • All staff machines must comply with our Confidentiality Policy which includes a requirement to “take all reasonable measures to protect the security and prevent the unauthorized access or disclosure of all confidential information”.
  • We provide periodic security training and tests for all employees.
  • Our office has 24-hour security, cameras, and requires a biometric lock to access.
  • We have a thorough employee termination/access removal process.

Application Security

  • All data is encrypted in transit and at rest with modern encryption, and outdated ciphers/protocols are disabled. See here.
  • We also contract a reputable third party for annual security audits and penetration tests, in-depth testing for vulnerabilities inside the application, and social engineering drills.
  • We keep full audit logs and have monitoring and alerting for suspicious activity.

Data Center Security

  • Mine was specifically built around compliance with the EU General Data Protection Regulation (GDPR) (http://www.eugdpr.org/).
  • Our data centers are all located inside the EU (Western Europe).
  • We host our infrastructure on Google Cloud Platform (https://cloud.google.com/security/).

Security Tools we use

At Mine, we use many different security tools to streamline our security workflows. A few examples are:

  • SentinelOne (https://www.sentinelone.com/platform/singularity-core/)
  • Detectify (https://detectify.com/)
  • Snyk (https://snyk.io/)
  • GitHub Code Security (https://docs.github.com/en/code-security)
  • Google Cloud DLP (https://cloud.google.com/dlp)
  • Google Cloud Security Command Center (https://cloud.google.com/security-command-center)
  • HashiCorp Vault (https://www.vaultproject.io/)
  • JAMF Now MDM (https://www.jamf.com/resources/product-documentation/jamf-now-easily-manage-your-apple-devices/)

3rd Party Data Source Integrations

Mine provides integrations to interact with data sources used by your company (e.g. Zendesk, Stripe) in order to:

  1. Monitor and map the PII that resides within each of them (types of data, number of records, customer geography, etc.).
  2. Automate the handling of DSRs (Data Access or Erasure requests).

For 3rd party SaaS

Mine provides API integrations that are authenticated using OAuth 2.0 or API keys restricted to the minimal set of permissions required to operate. These credentials are stored in a Vault and protected with the highest standards of encryption and access management.

For internal data sources

Mine provides an “Internal system integration”, which is a set of APIs for connecting any internal source without giving Mine access to that internal system. These APIs are protected with several mechanisms: encryption, credentials, digital signatures, and IP whitelisting.

While interacting with the data sources, all information is encrypted in transit, and no PII is stored on Mine’s servers.
For monitoring and mapping purposes, Mine stores only the minimal aggregate data required to operate.

All access to data sources is logged and available for the customer to review at any time.


Permissions and scopes

When integrating with a 3rd party SaaS to automate request handling, Mine uses the minimal set of permissions required to operate. Such operations include:

  • Search for objects that belong to a user by email/id
  • Retrieve such objects
  • Delete/anonymize such objects

This means that for every data source that is integrated with an API, we require read/write/list permissions to the objects that contain customer PII and are covered by the integration.
This usually includes access to objects such as contacts, tickets, conversations, etc.
In some cases, we only require read access, and not write. This is true for objects that are required for handling access requests but are not part of right-to-be-forgotten requests. One such example is invoices or other business objects that are required to be retained.
Access is granted for each data source separately and on the account level. If in some data sources you manage multiple accounts or workspaces, access is granted only for the specific workspace you wish to add.
Access is given by an employee who has permission to do so.
Other than the basic account/workspace name, we do not require access to objects related to the organization itself, for example settings, users, statistics, reports, permissions and keys, account data, etc.
We also do not require access to perform operations such as adding users, issuing refunds, sending emails, etc.
Note: different providers implement different granularity of permissions/scopes.
Access is only granted via API keys or by connecting through OAuth. This means any access given to Mine can always be revoked.