Mentimeter Security Policy

Mentimeter is built to be easily accessible and beautiful: a simple way to create interactivity and engagement in meetings, webinars, workshops, presentations, and other real-time gatherings. Openness and ease of use are valuable and important aspects of the Mentimeter value proposition to our users. This Information Security Policy governs the handling of information across all business functions to ensure the confidentiality, integrity, and availability of our digital assets.

Keeping your data secure is of high importance to us and we have implemented appropriate technical and organizational measures to ensure that all data sent to Mentimeter is handled in a secure manner. 

You can still share URLs, IDs, or other information to make presentations more accessible. We cannot, however, take responsibility for privacy that is breached by the fundamental openness of the platform or by sharing information you should not share.

Mentimeter AB (publ), Reg. No. 556892-5506, is hereinafter referred to as “we”, “us”, “our” or “Mentimeter”, and “you” shall be interpreted as the person or entity who has signed up for an Account to use our Services including, to the extent applicable, you who use our Services as a member of an Audience.

Any capitalized words used but not defined herein, shall have the same meaning ascribed to them in the terms and conditions available at the Terms.

Human Resource Security 

We have processes in place to ensure that all personnel with access to systems or information about our Users as well as User Data have agreed to a non-disclosure undertaking and comply with internal security guidelines as part of their employment contract with Mentimeter.

Our staff onboarding process includes verifying the identity of staff and the background and skills they state. Our rigorous staff termination process includes revoking access rights, seizing IT equipment, invalidating all access, and notification of continuing confidentiality obligations.

Any staff with access to information about users shall be required to take appropriate security training at least on an annual basis and at the start of employment.

Roles, accountabilities, and responsibilities 

CHIEF EXECUTIVE OFFICER & MANAGEMENT TEAM

  • Accountable for all aspects of Mentimeter's information security and data processing.

Mentimeter’s Management Team is fully committed to the implementation, maintenance, and continuous improvement of information security.

SECURITY OFFICER

  • Responsible for Mentimeter's information and data security strategy, developing security policies, and managing risks related to information technology and security.
  • Responsible for ensuring proper security measures are embedded in incident and disaster recovery plans.

INFORMATION SECURITY MANAGER 

  • Implements and maintains Security Policy documents.
  • Ensures security training program is running continuously.

SECURITY & IT 

  • Ensure IT infrastructure aligns with Security Policies.
  • Respond to information security incidents. 
  • Maintain security controls for the IT infrastructure. 
  • Plan against security threats, vulnerabilities, and risks.

ALL EMPLOYEES

  • Must uphold and meet the requirements of Mentimeter’s Security Policy.
  • Report any actual, attempted, and/or suspected security breaches.

In consideration of being entrusted rights to use Mentimeter's systems, repositories, and information all employees must acknowledge the following:

  • That all confidential information must be kept confidential and that any disclosure of confidential information would cause harm to Mentimeter.
  • That employee must only handle confidential information on devices issued by Mentimeter;
  • That employee will not, directly or indirectly, make use of information other than in the course of work duties;
  • That employee will keep passwords, PIN codes, etc. entrusted to the employee, strictly confidential;
  • We have rigorous routines to ensure that employees use at least 2-factor authentication for systems with user data. We also require password-protected SSH keys.
  • Mentimeter implements host-based (i.e. per workstation) security by contractually requiring strong (at least AES-128) encryption on all workstation hard drives. This is configured at the start of employment and is continuously ensured by an MDM system.
  • Firewall enabled on all workstations
  • That employee will log off the computer or activate the screensaver configured with a password immediately upon completion of each work session;
  • That the employee understands that his/her rights to use Mentimeter systems, repositories and information expire upon the termination of their work duty, or at any time upon the request by Mentimeter. If the employee is not otherwise instructed, Mentimeter requests that the employee shall immediately return all intellectual properties that the employee holds when his/her rights have expired.
  • A clear desk policy to protect customer information.
  • Mentimeter Password Standard defines the requirements for proper and secure handling of passwords within the organization. All employees who handle assets and services related to Mentimeter use password management via a certified password management system and strong passwords are required.

Operations security

Physical access to Mentimeter's office premises is restricted to staff individually and on a need to have basis.

Physical access control at the premises where the Services are performed logs access-related events such as date, time, proximity card ID, door ID, and whether access was denied or granted. Entries are monitored by security cameras.

Mentimeter maintains separation/segregation of duties to prevent error and fraud by ensuring that at least two individuals are responsible for separate parts of any task so that no single role or account can access, modify or use data without authorization or detection.  

We log important events, which enable us to monitor and follow up on suspicious or malicious activity.

Mentimeter maintains the principle of least privilege (PoLP), meaning that every module (such as a process, a user, or a program, depending on the subject) must only have access to the information and resources that are necessary for its legitimate purpose.

Losses, theft, damages, tampering, or other incidents related to IT-assets that compromise security must be reported as soon as possible to the Security Officer.

Business continuity

We reserve the right to disconnect the Application for service and upgrades without giving prior notice to you. Our intention is to give you notice before updates or maintenance of the Application. Our intention is to only perform planned maintenance on low traffic hours/weekends. Please see the Terms for more information. We reserve the right to implement new updates and versions of the Application, to the extent deemed suitable by us. 

We have a platform/security team whose main priority is the stability, scalability, and integrity of the Mentimeter platform.

We take help from Detectify, which performs vulnerability scans on a regular basis and reports threats in accordance with CVSS. High vulnerabilities are fixed within two weeks, medium within six weeks, and low within eight weeks.

Continuous improvements

Our engineering practices ensure that we have security in mind in all stages of the development lifecycle. While no system is completely secure, we will do our utmost to minimize any type of risk. Examples of engineering practices:

  • Clear code conventions enforced by static code analysis;
  • Use of well-known frameworks to protect against common attack vectors (XSS, CSRF, SQL Injection);
  • Incident response plans are maintained and followed to quickly act on incidents;
  • Continuous check-up to keep libraries up-to-date;
  • Continuous integration builds and testing;
  • Continuous improvement process with the entire product team where security issues are a standing item;
  • Penetration tests are done by our hosting provider AWS on their infrastructure;
  • All code is peer-reviewed to find bugs and security holes early.
  • All releases are tested before merging to production.
  • Passwords are always kept in password managers or as configuration.

Independent Security Assessments

  • An independent third-party auditor performs vulnerability scans on our web applications on a regular basis, and reports threats in accordance with CVSS. 
  • Penetration testing of our web applications is performed on an annual basis by independent third-party cybersecurity experts.

Data Security

Processing

We are working with the best-in-class service providers for data storage. The service provider’s physical infrastructure is hosted and managed within Amazon's secure data centers and utilizes Amazon Web Service (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Amazon's data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate

We have multi-regional hosting and have configured our data to be stored in the following regions: EU-West-1 (Ireland, EU) and US-East-1 (North Virginia, US).

More about Amazon security is covered here (https://aws.amazon.com/security/)

Data at rest

We use strong encryption of all data at rest, including AES 256-bit encryption for Customer data stored in Mentimeter's production environment.

As described above and in the Privacy Policy, Mentimeter stores Data on AWS (an Amazon service https://aws.amazon.com/compliance/) servers. We logically separate customer data in order to ensure integrity and confidentiality. 

Credit card information is stored with a Level 1 PCI compliant third-party vendor. See Payment Details below for more information.

Data in transit

All data in transit is encrypted using TLS 1.2 standard or higher. Additionally, we maintain an A+ rating from SSL Labs, a third-party security evaluator.

Backups and Data Loss Prevention

Data is backed up continuously and we have an automatic failover system if the main system fails. We receive powerful and automatic protection through our database provider. Read more here:

User Passwords

We store passwords only as salted hashes computed with the bcrypt algorithm, so that they are not exposed in the case of a breach. Mentimeter can never see your password, and you can self-reset it by email.

Employee Passwords

Passwords that are used in the line of work are always kept in a password manager. We enforce 2FA where applicable and that employees use screen locks whenever they are not by their workstation.

Payment Details

We use the Level 1 PCI compliant payment processor Stripe for encrypting and processing credit card payments.

Security Incidents

We have in place and will maintain appropriate technical and organizational measures to protect personal data as well as other data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing (a "Security Incident").

We have an incident management process to detect and handle Security Incidents, which shall be reported to the security team (security@mentimeter.com) as soon as they are detected. This applies to Mentimeter employees and all processors that handle personal data. All Security Incidents are documented and evaluated internally, and an action plan for each individual incident is made, including a post-mortem. If you are affected by a Security Incident, we will contact you as soon as possible through relevant channels.

Security Revision Schedule

Mentimeter regularly conducts security revisions and conducts different types of tests. If significant changes occur Mentimeter will initiate an otherwise planned activity to ensure continuing security. Below is a non-exhaustive overview of the actions taken:

Planned activity                                                                                      Frequency
Security training for personnel                                                                       Annually and at the start of employment
Revoke system, hardware and document access                                                           At the end of employment
Perform access level review for all systems                                                           Twice a year
Audit of access management process and catalogue                                                      Annually
Security settings verification for workstations and network (for example firewall, disc encryption)   Annually
Ensure all critical system libraries are up-to-date                                                   Continuously
Unit and integration tests to ensure system functionality and security                                Continuously
External vulnerability scans to ensure system security                                                Continuously
Penetration test by independent third-party cybersecurity experts                                     Annually

Contact

Mentimeter AB (publ) is a Swedish limited liability company with registration number 556892-5506 and registered in Sweden.

You can always reach us at hello@mentimeter.com.

Changes To This Security Policy

This Security Policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

This Security Policy is not part of the Terms. Laws, regulations, industry standards and our business is in constant change, which requires us to make changes to the Security policy. We will post the changes to this page and encourage you to review our Security Policy to stay informed. If we make changes that materially alter your privacy rights, we will provide additional notice through the Services or via email if you have subscribed for notification in the link available at Policies. If you disagree with the changes to this Security Policy, you should contact us to deactivate your Account.

This Security Policy was last updated on 2025-05-28.
