MobileAction’s Commitment to Trust
We, as MobileAction, value and prioritize security, and we are aware that our customers do too. This commitment to customer privacy and to inspiring trust determines the decisions we make on a daily basis. Trust is the responsibility of each and every employee, and one we take seriously.
Data Center Compliance
All MobileAction data and applications, including customer data, are stored on cloud services operated by Amazon Web Services (AWS) - the market leader in cloud services. MobileAction operates on Heroku as well, and Heroku also utilizes AWS. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Backups & Integrity
MobileAction employs the latest in automatic backup technology that securely stores versioned data within AWS S3 Buckets. Redundant server environments linked together with Heroku load balancing technology provide bulletproof fail-over should an environment require remediation.
Password-based authentication: MobileAction applies a top-level encryption algorithm to store passwords.
OAuth-based authentication: Our product supports social login options with Google and LinkedIn.
Encrypt Data in Transit
Private data and logins exchanged with MobileAction are transmitted over SSL (our web interface utilizes HTTP Strict Transport Security). Application passwords are filtered from our log files and are encrypted. Pushing and pulling of private data is done with SSH authenticated keys, not passwords, to help prevent brute force cracking. Tools are available for users to deploy similar steps for their applications.
All of our environments, namely staging, testing and development, are logically separated from each other, and we prefer not to use any personal or service data in testing or development environments.
Our Quality Assurance team is fully responsible for continuous testing of quality and basic security.
MobileAction employs rigorous internal standards for code quality, with mandatory daily code reviews before our code is deployed into a production environment. Furthermore, all functionality and code are reviewed by our internal security architects to ensure that the MobileAction platform remains secure as functionality is continually added.
Customer Data Retention and Destruction
MobileAction takes measures to delete your personal information, or to keep it in a form that does not permit identifying you, when this information is no longer necessary for the purposes for which we process it, unless we are required by law to keep this information for a longer period or such information is necessary to resolve disputes and enforce our agreements. When determining the retention period, we take various criteria into consideration, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you, possible re-enrolment with our products or services, the impact on the services we provide if we delete some information from or about you, mandatory retention periods provided by law, and the statute of limitations.
Customer Security Best Practices
Our operations team uses a set of monitoring alert criteria to define the critical security and availability standards for our platforms' production environments. Operations personnel use third-party monitoring tools to closely monitor any spikes in activity above predefined thresholds. We also deploy Intrusion Detection System (IDS) sensors at critical points in our infrastructure to detect and alert our security team about unauthorized attempts to access our platform. Alerts are triggered for anomalies and Operations personnel use established procedures to address them and any potential security threats they may represent.
MobileAction keeps a record of known security incidents that includes fundamental information, namely the description, the disposition, and the dates and times of relevant activities. Security, operations and support personnel investigate any suspected and confirmed security incidents, and identify and document the appropriate resolution steps. For all confirmed incidents, we take the suitable and necessary steps to minimize user damage and unauthorized disclosure and to prevent future recurrence.
Notification in case of Incident
If we detect any unlawful access to the data we store within our services, we immediately contact the users that are affected, provide a detailed description of the actions being taken to resolve the incident, and provide the user with frequent status updates.