Version 1.7, Updated at 2018-01-25
This Security Policy document defines the security requirements for Mentimeter services, the organization and third party vendors. Its goal is to protect the Organization and the users of Mentimeter to the maximum extent possible against security threats that could jeopardize their integrity, privacy, reputation and business outcomes.
Security related incidents should be reported to: firstname.lastname@example.org
This document applies to all the employees at Mentimeter and any third party vendors. It includes temporary employees, consultants with temporary access to the services and partners with limited or unlimited access time to services. Compliance with policies in this document is mandatory for the aforementioned employees.
Personal Data shall mean any information that can be related to an identified or identifiable living natural person ('data subject'), or as otherwise defined by law, regulation or contractual agreement. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
The terms “personally identifiable information (PII)”, “Personal Data”, “private information”, “sensitive Personal Data”, “special categories of data” and “legally protected information” are often used interchangeably to refer to information relating to individuals.
The terms “customer data” and “subscriber information” are commonly used to refer to information relating to subscribers or other end-users.
Survey Data
Any data that the user creates within the Mentimeter system, such as presentations, questions, themes and custom grids. Poll data and results from the audience are also considered survey data.
Top management shall set direction for, and show commitment to information security.
The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy and effectiveness. See 7. Security Revision Schedule.
Mentimeter maintains Separation/Segregation of Duties to prevent error and fraud by ensuring that at least two individuals are responsible for separate parts of any task, so that no single role or account can access, modify or use User’s Information without authorization or detection.
Mentimeter has a process that ensures that all personnel whose access to systems or information could give them access to customer data have signed a Non-Disclosure Agreement (NDA) as part of their contract with Mentimeter.
Mentimeter has a staff onboarding process that includes verifying the identity of new staff and the background and skills they state.
Mentimeter has a rigorous staff termination process that includes revoking access rights, reclaiming IT equipment and invalidating the company access card, as well as notifying the leaver of their continuing confidentiality obligations.
Any staff with access to customer Information shall be required to take appropriate security training on a regular basis. See 7. Security Revision Schedule.
To gain access to the internal resources from remote locations, users must have the required authorization. Remote access for an employee, external user or partner can be requested only by members of the leadership team.
In consideration of being entrusted with rights to use Mentimeter systems, repositories and information, all employees must acknowledge the following:
The Mentimeter Password Control Policy defines the requirements for the proper and secure handling of passwords in the Organization. All employees who handle assets and services related to Mentimeter use a certified password management system, and strong passwords are required.
Loss, theft, damage, tampering or any other incident related to IT assets that compromises security must be reported as soon as possible to the VP Engineering.
Any sub-contractors are subject to the same vetting as employees and are required to sign the above-stated NDA and intellectual property rights agreement.
Third Party Sub-Processors shall be restricted to only the necessary access, use, retention and disclosure of customer Information needed to fulfill contractual obligations.
Mentimeter has world-class engineering practices to ensure that everything we do is considered from a security perspective. This list gives examples of things we do to uphold information security.
Mentimeter shall implement new updates and versions of the Application, to the extent deemed suitable by Mentimeter.
Mentimeter shall always have the right to disconnect the Application for service and upgrading without giving prior notice to the Customer.
Mentimeter intends to give notice to the Customer in advance of updates or maintenance of the Application.
Mentimeter has an incident management process to detect and handle incidents.
Mentimeter is a SaaS (software as a service) product, and therefore we host the service and data ourselves. No on-premise solution is available.
Physical access to Mentimeter office buildings shall be restricted to staff individually and on a need-to-have basis.
Physical access control at the locations where Services are performed shall log physical access events such as date, time, swipe/proximity card ID, door ID, and whether access was denied or granted.
Mentimeter works with a best-in-class service provider for data storage. The service provider's physical infrastructure is hosted and managed within Heroku's and Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.
Amazon’s data center operations have been accredited under:
Amazon security is covered here: https://aws.amazon.com/security/
Heroku security is covered here: https://www.heroku.com/policy/security
All services are hosted in the United States (East Coast).
Keeping our customers' data secure is extremely important and we spend a lot of effort and time to ensure all data sent to Mentimeter is handled securely. We will, in this section and 7. Security Revision Schedule, describe what we do to accomplish this.
We avoid storing any personal data that is not needed to supply our users with a great experience and gain value from Mentimeter. We have deemed the following to be the minimum amount of data we need:
Mentimeter staff do not access or interact with customer data or applications as part of normal operations. There may be cases where Mentimeter is asked to interact with customer data at the request of the customer for support purposes, or where required by law. Customer data is access-controlled, and every access by Mentimeter staff is accompanied by the customer's approval or a government mandate, the reason for access, the actions taken by staff, and the support start and end time.
See 2. Organization of Information security for more information about background checks and policies for staff.
Mentimeter encrypts data "at rest". Mentimeter gets powerful, automatic protection through our database provider. Our database service providers are certified under the EU-U.S. Privacy Shield framework: https://www.heroku.com/policy/security
We store images and media assets at AWS (an Amazon service): https://aws.amazon.com/compliance/
Mentimeter uses standard SSL, i.e. encryption of data "in transit", and is rated A+ by the third-party vendor SSL Labs.
Privacy and the protection of customer communications and data are of the highest importance to Mentimeter, and we have both technical and operational support in place to ensure this.
We use standard SSL, i.e. encryption of data "in transit". We also leverage all the protection described at https://www.heroku.com/policy/security.
Data is backed up continuously, and we have an automatic failover system in case the main system fails.
We store passwords hashed and salted using the bcrypt algorithm, to limit the harm in the case of a breach. Mentimeter can never see user passwords, and users can only reset them themselves by email.
Mentimeter uses the PCI-compliant payment processor Braintree for encrypting and processing credit card payments.
It is impossible for employees or vendors to handle credit card information.
We may collect information when you interact with our advertisements and other content on third-party sites or platforms, such as social networking sites. This may include information such as “Likes”, profile information gathered from social networking sites or the fact that you viewed or interacted with our content.
Personal Data shall not be excessively stored, printed, copied, disclosed or otherwise processed outside the purpose for which it is used.
Voting on Mentimeter's voting site Menti.com is anonymous, and we believe this is an important part of the voting experience. To prevent abuse we do, however, store the voter's IP address for a short period of time (it is erased within 30 days).
This section describes how often Mentimeter conducts security revisions and different types of tests. If significant changes occur, Mentimeter will initiate an otherwise planned activity outside its regular schedule to ensure continuing security.
Security training for personnel: yearly and at the beginning of employment
Revoke system, hardware and document access: at the end of employment
Ensure access levels for all systems and employees are correct: 2 times a year
Ensure all critical system libraries are up-to-date
Unit and integration tests to ensure system functionality and security