Mentimeter Security Policy

Valid from 2020-05-18

The Mentimeter platform is built to be easily accessible and beautiful, a simple way to create interactivity and engagement in meetings, webinars, workshops, presentations and other real-time gatherings of people. Openness and ease of use are valuable and important aspects of the Mentimeter value proposition to our users.

Keeping your data secure is extremely important to us and we spend a lot of effort and time to ensure all data sent to Mentimeter is handled securely. With that said, you can still share URLs, IDs or other information in ways that make your presentations non-secure, and we cannot take responsibility for security that is breached through the fundamental openness of the platform or through the sharing of information you should not have shared.

Mentimeter AB, Reg. No. 556892-5506, is hereinafter referred to as “we”, “us”, “our” or “Mentimeter”, and “you” shall be interpreted as the person or entity who has signed up for an Account to use our Services including, to the extent applicable, you who use our Services as a member of an Audience.

Any capitalized words used but not defined herein, shall have the same meaning ascribed to them in the terms and conditions available at https://mentimeter.com/terms (the “Terms”).

1. Human Resource Security

We have a process to ensure that all personnel with access to systems or information containing information about our Users, or to User Data, have agreed to a non-disclosure undertaking as part of their employment contract with Mentimeter. Our staff onboarding process includes verifying the identity of staff and the background and skills they state. Our rigorous staff termination process includes revoking access rights, recovering IT equipment, invalidating the company access card and giving notice of continuing confidentiality obligations. Any staff with access to information about users shall be required to take appropriate security training on a regular basis as set out in the Security Revision Schedule below. When employment has ended, we revoke all access that the concerned employee had.

Roles, accountabilities and responsibilities

Chief Executive Officer

  • Accountable for all aspects of Mentimeter's information security and data processing.

  • Determines the privileges and access rights to the resources within their areas.

Security Officer

  • Responsible for the security of the IT infrastructure.

  • Plans against security threats, vulnerabilities, and risks.

  • Implements and maintains Security Policy documents.

  • Ensures security training programs.

  • Ensures IT infrastructure supports Security Policies.

  • Responds to information security incidents.

  • Contributes to disaster recovery plans.

All Employees

  • Must uphold and meet the requirements of Mentimeter Security Policy.

  • Must report any actual, attempted or suspected security breaches.

In consideration of being entrusted with rights to use Mentimeter's systems, repositories and information, all employees must acknowledge the following:

  • That all confidential information must be kept confidential and that any disclosure of confidential information would cause harm to Mentimeter;

  • That employees will not, directly or indirectly, make use of information other than in the course of their work duties;

  • That employees will keep passwords, PIN codes, etc. entrusted to them strictly confidential;

  • That employees use at least two-factor authentication for systems holding user data. We also require password-protected SSH keys;

  • That Mentimeter implements host-based (i.e. per-workstation) security by contractually requiring strong (at least AES128) encryption and firewalls on all workstations. This is verified at the start of employment and at least twice a year;

  • That a firewall is enabled on all workstations;

  • That employees will lock the computer or activate the password-protected screensaver immediately upon completion of each work session;

  • That the employee understands that their rights to use Mentimeter systems, repositories and information expire upon the termination of their work duties, or at any time upon request by Mentimeter. Unless otherwise instructed, Mentimeter requests that the employee immediately return all intellectual property in their possession when these rights have expired;

  • That a clear desk policy applies to protect customer information;

  • That we only use well-recognized and highly secure third-party systems with proper security certifications and practices;

  • That the Mentimeter Password Control Policy defines the requirements for the proper and secure handling of passwords in the organization. All employees who handle assets and services related to Mentimeter must manage passwords in a certified password management system, and strong passwords are required.

2. Operations security

Physical access to Mentimeter's office premises is restricted to individual staff members on a need-to-have basis.

Physical access control at the premises where the Services are performed shall log access-related events such as date, time, swipe/proximity card ID, door ID and whether access was denied or granted.

Mentimeter maintains separation/segregation of duties to prevent error and fraud by ensuring that at least two individuals are responsible for separate parts of any task so that no single role or account can access, modify or use data without authorization or detection.

In addition, at Mentimeter we have a principle to protect your data called the principle of least privilege (PoLP), meaning that every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.

Losses, theft, damages, tampering or other incidents related to IT-assets that compromise security must be reported as soon as possible to the Security Officer.

3. Business continuity and continuous improvements

We reserve the right to disconnect the Application for service and upgrades without giving prior notice to you, even though our intention is to give you notice before updates or maintenance of the Application. Please see the Terms for more information. We also reserve the right to implement new updates and versions of the Application, to the extent deemed suitable by us. We have a world-class engineering practice to ensure that everything we do has a security perspective, and a third-party vendor performs penetration testing on a regular basis and reports findings rated in accordance with CVSS. High vulnerabilities are fixed within two weeks, medium within six weeks, low within eight weeks.

The following list gives examples of the engineering practices we use to uphold information security:

  • Clear code conventions enforced by static code analysis;

  • Use of well-known frameworks to protect against common attack vectors (XSS, CSRF, SQL Injection);

  • Incident response plans are maintained and followed to quickly act on incidents;

  • Continuous check-up to keep libraries up-to-date;

  • Continuous integration builds and testing;

  • Continuous improvement process with the entire product team where security issues are a standing item;

  • Penetration testing is done continuously by an external party to ensure the system is protected from any new security threats;

  • All code is peer-reviewed to find bugs and security holes early;

  • Passwords are always kept in password safes or as configuration.

4. Data Security

Processing

We work with best-in-class service providers for data storage. The service providers' physical infrastructure is hosted and managed within Heroku's and Amazon's secure data centers and uses Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Amazon's data center operations have been accredited under:

  • ISO 27001

  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)

  • PCI Level 1

  • FISMA Moderate

Mentimeter mainly utilizes the Amazon data center region designated US-East-1 (North Virginia, US).

Sarbanes-Oxley (SOX): As a publicly traded company in the United States, salesforce.com is audited annually and remains in compliance with the Sarbanes-Oxley (SOX) Act of 2002.

Amazon security is covered here: https://aws.amazon.com/security/

Heroku security is covered here: https://www.heroku.com/policy/security

Security measures are taken to protect you and your data both for "Data at rest" and "Data in transit".

Data at rest

We encrypt all Data "at rest" and get powerful and automatic protection through our database provider. Read more here: https://www.heroku.com/policy/security and https://aws.amazon.com/security/

As described above and in the Privacy Policy, Mentimeter stores Data on AWS servers (an Amazon service, see https://aws.amazon.com/compliance/). We logically separate customer data in order to ensure integrity and confidentiality. Mentimeter utilizes ISO 27001, SOC 2 and FISMA certified data centers managed by Amazon. Credit card information is stored with a PCI Level 1 compliant third-party vendor. See Payment Details below for more information.

Data in transit

We use standard TLS 1.2, i.e. encryption of data "in transit", and are rated A+ by the third-party assessment service SSL Labs. Privacy and protection of user data are of the highest importance to us, and we have both technical and operational controls in place to ensure this. We also leverage all protection provided through https://heroku.com/policy/security.

Backups and Data Loss Prevention

Data is backed up continuously and we have an automatic failover system that takes over if the main system fails. We receive powerful and automatic protection through our database provider. Read more here: https://www.heroku.com/policy/security and https://aws.amazon.com/security/

User Password

We store passwords hashed and salted using the bcrypt algorithm so that they cannot be recovered and misused in the case of a breach. Mentimeter can never see your password, and you can reset it yourself by email. A user session time-out is implemented, meaning that a logged-in user will be automatically logged out if they are not active on the platform.

Payment Details

We use the PCI compliant payment processor Braintree for encrypting and processing credit card payments. We never see or handle credit card information.

Security Incidents

We have in place and will maintain appropriate technical and organizational measures to protect personal data as well as other data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing (a "Security Incident").

We have an incident management process to detect and handle Security Incidents, which shall be reported to the Security Officer (security@mentimeter.com) as soon as they are detected. This applies to Mentimeter employees and to all processors that handle personal data. All Security Incidents are documented and evaluated internally, and an action plan, including mitigating actions, is made for each individual incident.

5. Security Revision Schedule

This section shows how often Mentimeter conducts security revisions and the different types of tests. If significant changes occur, Mentimeter will initiate the relevant planned activity ahead of its schedule to ensure continuing security.

Planned activity and frequency:

  • Security training for personnel: yearly and at the beginning of employment

  • Revoke system, hardware and document access: at end of employment

  • Ensure access levels for all systems and employees are correct: 2 times a year

  • Audit of access management process and catalogue: 2 times a year

  • Firewall settings verification for workstations and network: 2 times a year

  • Ensure all critical system libraries are up to date: continuously

  • Unit and integration tests to ensure system functionality and security: continuously

  • External penetration tests to ensure system security: continuously

This Security Policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy and effectiveness.

6. Contact

Mentimeter AB is a Swedish limited liability company with registration number 556892-5506 and registered in Sweden.

You can always reach us at hello@mentimeter.com.

7. Changes To This Security Policy

This Security Policy is not part of the Terms and we may change this Security Policy from time to time. Laws, regulations and industry standards evolve, which may make those changes necessary, or we may make changes to our business. We will post the changes to this page and encourage you to review our Security Policy to stay informed. If we make changes that materially alter your privacy rights, we will provide additional notice through the Services or via email if you have subscribed for notification in the link set out below. If you disagree with the changes to this Security Policy, you should deactivate your Account.

Notify me about changes to the Terms and Policies