Statement on Security

MapDecisions’ Statement on Security

Last Updated: July 29, 2015

Introduction

Ensuring our platform remains secure is vital to protecting our own data, and protecting your information is our highest priority.

Our security strategy covers all aspects of our business, including:

  • MapDecisions corporate security policies
  • Physical and environmental security
  • Operational security processes
  • Scalability & reliability of our system architecture
  • Data model access control in MapDecisions
  • Systems development and maintenance
  • Service development and maintenance
  • Regularly working with third party security experts

MapDecisions Corporate Security Policies & Procedures

Every MapDecisions employee signs a Data Access Policy that binds them to the terms of our data confidentiality policies, available at mapdecisions.com/legal and mapdecisions.com/legal/privacy-policy. Access rights are based on each employee’s job function and role.

Security in our Software Development Lifecycle

MapDecisions uses the Git revision control system. Changes to MapDecisions’ code base go through a suite of automated tests and a round of manual review. When code changes pass the automated tests, they are first pushed to a staging server, where MapDecisions employees can test them before an eventual push to production servers and our customer base. We also add a specific security review for particularly sensitive changes and features. MapDecisions engineers also have the ability to “cherry-pick” critical updates and push them immediately to production servers.

In addition to a list to which all access control changes are published, we have a suite of automated unit tests that check that access control rules are written correctly and enforced as expected. We also work with third-party security professionals to:

  • Test our code for common exploits
  • Use network scanning tools against our production servers

Security at the MapDecisions office

Our office is secured via logged RFID keycard access as well as key-locked doors. Our building is also monitored by a 24-hour-per-day video surveillance system.

We monitor the availability of our office network and the devices on it. We collect the logs produced by networking devices such as firewalls, DNS servers, DHCP servers, and routers in a central place. Network logs from the security appliance (firewall), wireless access points, and switches are retained.

MapDecisions Architecture & Scalability

Scalability/Reliability of Architecture

MapDecisions uses Amazon Web Services (RDS & S3) to manage user data. The database is replicated synchronously so that we can quickly recover from a database failure. As an extra precaution, we take regular snapshots of the database and securely move them to a separate data center so that we can restore them elsewhere as needed, even in the event of a regional Amazon failure.

We currently host data in secure SSAE 16 audited data centers via Amazon RDS in the United States.

Encrypted Transactions

Web connections to the MapDecisions service are via TLS 1.0 and above. We support forward secrecy and AES-GCM, and prohibit insecure connections using SSL 3.0 and below or RC4.
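The policy stated above, as an added example (not MapDecisions’ code) of encoding it with Python’s ssl module and auditing a context against it; the OpenSSL cipher string is an assumption, since the page states the policy but not its configuration:

```python
import re
import ssl

# Added example (not MapDecisions' code): encodes the TLS policy stated on the
# page and audits an SSLContext against it. The cipher string is an assumption;
# the page names the policy, not the exact OpenSSL configuration.
POLICY_MIN_VERSION = ssl.TLSVersion.TLSv1                    # "TLS 1.0 and above"
POLICY_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!RC4:!aNULL:!eNULL"  # assumed cipher string
FORWARD_SECRET_KX = {"ECDH", "DH", "any"}  # "any" = TLS 1.3, always ephemeral


def build_context():
    """Server context configured to the stated policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = POLICY_MIN_VERSION  # rules out SSL 3.0 and below
    ctx.set_ciphers(POLICY_CIPHERS)
    return ctx


def audit(ctx):
    """Return the policy violations for a context; an empty list means it complies."""
    violations = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1:
        violations.append("protocol floor below TLS 1.0: SSL 3.0 may be negotiated")
    suites = ctx.get_ciphers()  # also lists the TLS 1.3 suites OpenSSL always enables
    for s in suites:
        desc = s["description"]  # e.g. "... TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
        kx = re.search(r"Kx=(\S+)", desc)
        if kx is None or kx.group(1) not in FORWARD_SECRET_KX:
            violations.append(f"{s['name']}: key exchange is not forward secret")
        if "RC4" in s["name"].upper():
            violations.append(f"{s['name']}: RC4 is prohibited")
    if not any("Enc=AESGCM" in s["description"] for s in suites):
        violations.append("no AES-GCM suite enabled")
    return violations


def weak_context():
    """Constructed counter-example: static RSA key exchange only (no forward secrecy)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("AES128-GCM-SHA256")
    return ctx


if __name__ == "__main__":
    print("policy context:", audit(build_context()) or "compliant")
    print("weak context:  ", audit(weak_context()))
```

The same audit can be run against any SSLContext an application builds, so the check lives next to the code that configures the listener rather than in a one-off scan.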

MapDecisions Information Security

Employee Workstations, Laptops, & Mobile Devices

All laptops and workstations are secured via full disk encryption and centrally managed. We diligently apply updates to employee machines and monitor employee workstations for malware. We also have the ability to apply critical patches and remotely wipe a machine. We use industry-standard OTP technology to further secure access to our corporate infrastructure.

Data Center Security

Amazon

Amazon employs a robust physical security program with multiple certifications, including an SSAE 16 certification. For more information on Amazon’s physical security processes, please visit aws.amazon.com/security.

Product Features

Administrator Management Features

  • Authentication – MapDecisions administrators can require employees to authenticate via Google Accounts. If passwords are stored directly with MapDecisions, we secure them using salted bcrypt.
  • User Management – Administrators can see Last Activity and Guest/Member status, and can deprovision users from a central administration interface.

User Features

  • Privacy, Visibility, & Sharing Settings – Customers determine who can access different categories of data such as teams, projects, and tasks. Access to a MapDecisions Organization is based on your company email domain. You can limit a user’s access by inviting them as a Guest.

Privacy

Privacy Policy

MapDecisions’ privacy policy, which describes how we handle data input into MapDecisions, can be found at mapdecisions.com/legal/privacy-policy.

Safe Harbor compliance

MapDecisions complies with the EU-U.S. and Swiss-U.S. Safe Harbor (“Safe Harbor”) frameworks and principles.

Availability

We are committed to making MapDecisions consistently available to you and your teams. Our systems have built-in redundancy to withstand failures and are constantly monitored to keep your work uninterrupted.

Want to report a security concern?

Email us at admin@mapdecisions.com.