Version 1.6, Updated at 2017-11-01
This Security Policy document aims to define the security requirements for Mentimeter services, the organization and third party vendors. Its goal is to protect the Organization and the users of Mentimeter to the maximum extent possible against security threats that could jeopardize their integrity, privacy, reputation and business outcomes.
Security related incidents should be reported to: firstname.lastname@example.org
This document applies to all the employees at Mentimeter and any third party vendors. It includes temporary employees, consultants with temporary access to the services and partners with limited or unlimited access time to services. Compliance with policies in this document is mandatory for the aforementioned employees.
1.2. Definitions
Personal Data
Personal Data shall mean any information that can be related to an identified or identifiable living natural person ('data subject'), or as otherwise defined by law, regulation or contractual agreement. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
The terms “personally identifiable information (PII)”, “Personal Data”, “private information”, “sensitive Personal Data”, “special categories of data” and “legally protected information” are often used interchangeably to refer to information relating to individuals.
The terms “customer data” and “subscriber information” are commonly used to refer to information relating to subscribers or other end-users.
Survey Data
Any data that the user creates within the Mentimeter system, such as Presentations, Questions, Themes and custom grids. Poll data/results from the audience are also considered to be survey data.
2. Organization of Information security
Top management shall set direction for, and show commitment to information security.
The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy and effectiveness. See 10. Maintenance Intervals and Schedule.
Mentimeter maintains Separation/Segregation of Duties to prevent error and fraud by ensuring that at least two individuals are responsible for separate parts of any task, so that no single role or account can access, modify or use User’s Information without authorization or detection.
2.1. Human resource security
Mentimeter has a process that ensures that all personnel with access to systems or information that could give access to customer data have signed a Non-Disclosure Agreement (NDA) as part of their contract with Mentimeter.
Mentimeter has a staff onboarding process that includes verifying the identity of staff and the background and skills they state.
Mentimeter has a rigorous staff termination process that includes revoking access rights, seizing IT equipment and invalidating the company access card, as well as notification of continuing confidentiality obligations.
Any staff with access to customer Information shall be required to take appropriate security training on a regular basis. See 10. Maintenance Intervals and Schedule.
To gain access to the internal resources from remote locations, users must have the required authorization. Remote access for an employee, external user or partner can be requested only by members of the leadership team.
2.1.1. Roles, accountability and responsibilities
- Chief Executive Officer
- Accountable for all aspects of the Organization’s information security.
- Determine the privileges and access rights to the resources within their areas.
- Responsible for the security of the IT infrastructure.
- Plan against security threats, vulnerabilities, and risks.
- Implement and maintain Security Policy documents.
- Ensure security training programs.
- Ensure IT infrastructure supports Security Policies.
- Respond to information security incidents.
- Help in disaster recovery plans.
- All employees
- Must uphold and meet requirements of Mentimeter Security Policy.
- Report any attempted security breaches.
In consideration of being entrusted with rights to use Mentimeter systems, repositories and information, all employees must acknowledge the following:
- That information whose disclosure would cause harm to Mentimeter is considered confidential information, irrespective of the form in, or the media on, which the information is displayed or contained.
- That employees will not, directly or indirectly, make use of information other than in the course of their work duties;
- That employees will keep passwords, PIN codes, etc. entrusted to them strictly confidential;
- That any computer that holds Mentimeter information, systems and/or source code is encrypted with at least AES-128 encryption;
- That employees will log off the computer or activate the password-protected screensaver immediately upon completion of each work session;
- That employees understand that their rights to use Mentimeter systems, repositories and information expire upon the termination of their work duties, or at any time upon request by Mentimeter. Unless otherwise instructed, Mentimeter requests that employees immediately return all intellectual property they hold when their rights have expired.
- That employees follow a clear desk policy to protect customer information.
The Mentimeter Password Control Policy defines the requirements for the proper and secure handling of passwords in the Organization. All employees who handle assets and services related to Mentimeter manage their passwords via a certified password management system, and strong passwords are required.
2.2. Operations security
Losses, theft, damage, tampering or other incidents related to IT assets that compromise security must be reported as soon as possible to the VP Engineering.
2.3. Sub-contractor relationships
Any sub-contractors are subject to the same vetting as employees and are required to sign the above-stated NDA and intellectual property rights agreement.
Third Party Sub-Processors shall be restricted to only the necessary access, use, retention and disclosure of customer Information needed to fulfill contractual obligations.
2.4. Continuous improvements
Mentimeter has world-class engineering practices to ensure everything we do has a security perspective. The list below gives examples of things we do to uphold information security.
Mentimeter shall implement new updates and versions of the Application, to the extent deemed suitable by Mentimeter.
- Clear code conventions enforced by static code analysis
- Use of well known frameworks to protect against common attack vectors (XSS, CSRF, SQL Injection)
- Incident response plans are maintained and followed to quickly act on incidents
- Continuous check-ups to keep libraries up to date
- Continuous integration builds and testing
- Continuous improvement process with entire product team where security issues are a standing item
- All code is peer reviewed to find bugs and security holes early
- Passwords are always kept in password safes or as configuration
3. Business continuity
Mentimeter shall always have the right to disconnect the Application for service and upgrading without giving prior notice to the Customer.
Mentimeter intends to give the Customer notice beforehand of updates or maintenance of the Application.
4. Incident management
Mentimeter has an incident management process to detect and handle incidents.
5. Physical and environmental security
Mentimeter is a SaaS (software as a service), and therefore we host the service and data ourselves. No on-premise solution is available.
Physical access to Mentimeter Office buildings shall be restricted to staff individually and on a need to have basis.
Physical access to locations where Services are performed shall be logged, recording events such as date, time, swipe/proximity card ID, door ID, and whether access was denied or granted.
5.2. Data Centers
Mentimeter works with a best-in-class service provider for data storage. The service provider's physical infrastructure is hosted and managed within Heroku's and Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.
Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX) - As a publicly traded company in the United States, salesforce.com is audited annually and remains in compliance with the Sarbanes-Oxley (SOX) Act of 2002.
Amazon security is covered here (https://aws.amazon.com/security/)
Heroku security is covered here (https://www.heroku.com/policy/security)
5.3. Geographical locations of Mentimeter services
All services are hosted in the United States, East Coast.
6. User privacy and data integrity
Keeping our customers' data secure is extremely important, and we spend a lot of effort and time to ensure all data sent to Mentimeter is handled securely. In this section and in 10. Maintenance Intervals and Schedule, we describe what we do to accomplish this.
- Top management is responsible for setting direction for, and showing commitment to, data integrity and user privacy.
- Mentimeter has experienced engineers designing and building our systems according to best practices to ensure the highest data security in all parts of the application
- We only use well-recognized and highly secure 3rd party systems with proper security certifications and practices
- Our employees are required to use two-factor authentication for all systems where data is stored, together with individual accounts, to ensure that we can follow who did what and when. When an employment is ended, we immediately revoke all accesses that user had.
- Security measures are taken to protect users and user data both for “Data at rest” and “Data in transit” (read more below).
- Mentimeter respects intellectual property rights and will remove any content that infringes copyright, trademark, patent or other intellectual property rights of third parties upon notification from the Customer or third party.
- Mentimeter stores customer data indefinitely or until the customer requests its deletion
- Mentimeter has a process in place to report and handle Privacy Incidents and/or Breaches as well as address inquiries, complaints and disputes.
6.1. Customer Data
We avoid storing any personal data that is not needed to supply our users with a great experience and gain value from Mentimeter. We have deemed the following to be the minimum amount of data we need:
- Password (see section 6.6)
- Billing address (if entered by user)
6.2. Access to Customer Data
Mentimeter staff do not access or interact with customer data or applications as part of normal operations. There may be cases where Mentimeter is requested to interact with customer data at the request of the customer for support purposes or where required by law. Customer data is access controlled and all access by Mentimeter staff is accompanied by customer approval or government mandate, reason for access, actions taken by staff, and support start and end time.
See 2. Organization of Information security for more information about background checks and policies for staff.
6.3. Data at Rest
Mentimeter uses encryption of data "at rest". Mentimeter gets powerful and automatic protection through our database provider. Database service providers are certified under the EU-U.S. Privacy Shield framework.
We store images and media assets at AWS (an Amazon service) - https://aws.amazon.com/compliance/
6.4. Data in Transit
Mentimeter uses standard SSL, i.e. encryption of data "in transit", and is rated A+ by the 3rd party vendor SSL Labs.
Privacy and the protection of customer communications and data is of highest importance to Mentimeter and we both have technical and operational support in place to ensure this.
We use standard SSL, i.e. encryption of data "in transit". We also leverage the protections described at https://www.heroku.com/policy/security.
6.5. Backups and Data Loss Prevention
Data is backed up continuously, and we have an automatic failover system in case the main system fails.
6.6. User Password
We store passwords hashed and salted with the bcrypt algorithm, so that they are of no use to an attacker in the case of a breach. Mentimeter can never see user passwords, and users can only reset them themselves by email.
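As an added illustration of what "hashed and salted" storage means in practice (example code, not Mentimeter's own): every password gets its own random salt, verification re-derives the digest from the stored salt instead of decrypting anything, and the stored record never lets the operator recover the plaintext. bcrypt is not in the Python standard library, so hashlib.scrypt, another salted and deliberately slow password hash, stands in for it here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example, not Mentimeter's code: the policy's "hashed and salted"
# storage pattern. bcrypt is not in the standard library, so scrypt (also a
# salted, deliberately slow password hash) is used as a stand-in.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # work factors
SALT_BYTES = 16
MAXMEM = 64 * 1024 * 1024                       # room for scrypt's 16 MiB table


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$digest (base64 fields).

    A fresh random salt per password means two users with the same password
    get different records, so one cracked hash tells you nothing about another.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=MAXMEM, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time.

    Nothing here decrypts: the operator can only test a candidate password
    against the record, which is why the plaintext is never visible to them.
    """
    try:
        scheme, n, r, p, salt_b64, digest_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p),
                                   maxmem=MAXMEM, dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)
```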
6.7. Payment Details
Mentimeter uses the PCI-compliant payment processor Braintree for encrypting and processing credit card payments.
It is impossible for employees or vendors to handle credit card information.
6.8. Third Party Platforms
We may collect information when you interact with our advertisements and other content on third-party sites or platforms, such as social networking sites. This may include information such as “Likes”, profile information gathered from social networking sites or the fact that you viewed or interacted with our content.
Personal Data shall not be excessively stored, printed, copied, disclosed or otherwise processed outside the purpose for which it is used.
6.9. Voter Anonymity
Voting on Mentimeter's voting site Menti.com is anonymous, and we believe this is an important part of the voting experience. To prevent abuse we do, however, store the voter's IP address for a short period of time (it is erased within 30 days).
7. Security Revision Schedule
This section states how often Mentimeter conducts security revisions and different types of tests. If significant changes occur, Mentimeter will initiate an otherwise planned activity early to ensure continuing security.
Security training for personnel: yearly and at beginning of employment
Revoke system, hardware and document access: at end of employment
Ensure access levels for all systems and employees are correct: 2 times a year
Ensure all critical system libraries are up-to-date
Unit and integration tests to ensure system functionality and security