Architecture, Security and Compliance
Mobilize maintains a Security and Compliance program committed to compliance with all laws, regulations, and ethical standards as they apply to the conduct of its business and its role as a Community Platform.
Employment
Employment is conditioned on pre-hire screening and background checks, and adherence to Mobilize’s security standards. Mobilize provides its employees with the tools they need to meet the requirements set forth in the laws and standards established by Mobilize. All employees are expected to comply with all laws, regulations, and Mobilize policies affecting business operations.
Architecture
The Mobilize solution is a Software-as-a-Service (SaaS) based web and mobile application served from a hybrid cloud infrastructure. It is built using industry standard components which provide security and resiliency with minimum downtime. All connections within the application, between its components and stored credentials are protected via encryption and firewalls. Our API access is achieved through secure REST calls. All customer account data is isolated and protected from access by other multi-tenant accounts. All multi-tenant data is partitioned logically and isolated to prevent unauthorized access. All of our stored data is encrypted at rest and on transit.
Compliance Levels
ISO 27001
ISO 27018
Data Centers
We host our application in top-tier data centers located in the United States. These data centers implement the highest standards of security including:
- Maintaining accepted security certifications such as ISO 27001, SSAE 16/SAS 70 or similarly recognized standards
- On-site security personnel
- Security camera monitoring and intrusion detection
- Redundant HVAC (Heating Ventilation Air Conditioning) units to ensure that temperature and humidity remain consistent
- Monitoring, alerting and suppression systems in the event of smoke, fire, water or similar threats
- Back-up power with immediate failover
- Distributed Denial of Service (DDoS) mitigation services
Email Authentication
Mobilize sends all mail with DomainKeys Identified Mail (DKIM) authentication. DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. This is an industry best practice to establish sender identity.
Administrative Controls
Mobilize implements and maintains controls on accessing our clients’ environments and data. This includes:
- Limited access to customer data to authorized personnel only and according to documented processes
- Logging and tracking access to our SaaS servers to enable auditing
- Ensuring that all employees who are provided access have passed extensive background checks, as per above
- Mobilize clients designate which of their employees have access to their instance of Mobilize. Customers can designate permission levels based on log-in credentials. By default, only the administrator has full access to all controls and content within Mobilize.
Personal Data
Personal data records are held in compliance with all applicable legal, regulatory and contractual requirements, including:
- Personal data records are not held for any longer than required.
- Certain personal data records are processed and retained by Mobilize solely on behalf
- of its customers in Mobilize’s capacity as their Data Processor.
- The protection of personal data records in terms of their confidentiality, integrity and availability is in accordance with their sensitivity and relevant business objectives and requirements (and among other things, in accordance with Mobilize’s contractual commitments under a Data Processing Agreement).
- Once such records are no longer necessary or relevant, Mobilize fully anonymizes or deletes them.
- This policy is subject to a regular review process carried out under the guidance of Mobilize’s Data Protection Officer.
GDPR
The European Union’s General Data Protection Regulation (GDPR) was designed to maintain consistent data privacy laws across Europe, delivering a right to privacy and the protection of personal data. It introduces broad-ranging requirements for data protection, security, and compliance. Mobilize complies with all GDPR standards, and our platform and services allow our clients to be GDPR compliant as well. In addition, Mobilize maintains a strict Privacy Policy and Data Processing Agreement.
SLAs
Mobilize offers SLAs for uptime and resolution times on customer requests for our Enterprise customers.
Backups and Redundancy
Mobilize uses a daily automatic backup protocol that is maintained with daily snapshots for recovery offsite for 30 days. Mobilize applies automatic high availability fail-over for data storage and network. Our infrastructure is redundant so there is a back-up component for all hardware that stores data. All network devices, including firewalls, load balancers, and switches are fully redundant and highly-available.
Vulnerability Management
Mobilize’s Information Security team is responsible for managing vulnerabilities. The team scans for security threats using commercially developed tools, automated and manual penetration efforts, software security reviews, and external audits, and is responsible for tracking and following up on detected vulnerabilities.
