COMPLIANCE & SECURITY
Our security, confidentiality, and availability architecture is built on ISO 27001:2013 controls, SOC 2 focus points, PCI DSS, and HIPAA, and implements best-practice protection controls based on those industry standards.
Physical Security and Data Hosting
Mezmo uses Amazon Web Services (AWS) data centers located in the United States of America. For IBM customers, data centers are available across multiple regions.
Dedicated Security Team
Mezmo's Security Team actively monitors the environment and is on call to respond to security alerts and events.
Mezmo's production environment uses a role-based access control (RBAC) architecture and requires users to be identified and authenticated before they can use any system resource. Resources are protected by native system security and add-on software that identify and authenticate users and validate each access request against the user's authorized roles in access control lists. These controls are continuously monitored and audited against industry-standard frameworks. Access reviews are performed quarterly to confirm that all access remains appropriate.
Mezmo does not store customer log data for more than 30 days. Mezmo offers 7-, 14-, and 30-day searchable retention plans, and its systems automatically and securely purge logs after 30 days. For longer retention, Mezmo provides an archiving service that automatically exports older logs to the customer's preferred cloud storage service.
Non-log production data is replicated among discrete operating environments to protect the availability of Mezmo's service in the event of a catastrophic event. Mezmo performs restoration testing annually to verify the completeness and accuracy of backup data. Customer log data is not part of this replication; for logs, the Mezmo archiving service is the mitigation against data loss in the event of a catastrophic event.
Intrusion Detection and Prevention
Mezmo uses intrusion detection and prevention systems to detect and, where possible, block intrusions into the environment. Active monitoring, alerting, and tooling ensure that the appropriate on-duty teams take action whenever intrusion or security events exceed predetermined thresholds.
Pentests & Vulnerability Scanning
Mezmo uses third-party security scanning tools to perform continuous vulnerability scans. The dedicated security team reviews and remediates identified vulnerabilities in a timely manner. Annually, Mezmo engages independent third-party security experts to perform detailed penetration tests of the Mezmo application and network.
Security Incident Response
Mezmo has established policies and procedures for responding to potential security incidents. All incidents are managed by Mezmo's dedicated Incident Response Team. Mezmo defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.
Mezmo transmits data over public networks using strong encryption, including all data transmitted between Mezmo clients and the Mezmo service. Mezmo supports the currently recommended TLS protocol versions, cipher suites, and hashing algorithms to encrypt all traffic in transit; the negotiated protocol and cipher suite are limited by what the connecting client supports. Encryption also applies to all types of data at rest within Mezmo's systems.
SECURE BY DESIGN - APPLICATION SECURITY
Mezmo's products and capabilities have been designed to be foundationally secure.
Software Development Life Cycle (SDLC)
Mezmo assesses the security risk of each software development project according to its Secure Development Lifecycle. Before the design phase is complete, Mezmo performs an assessment to qualify the security risk of the changes being introduced. This risk analysis uses the OWASP Top 10. Based on the analysis, Mezmo defines a set of requirements that must be met before the resulting change may be released to production. All code is checked into a version-controlled repository, and code changes are subject to peer review and continuous integration testing. Annually, engineers are required to complete secure coding training covering the OWASP Top 10 security risks, common attack vectors, and security controls.
Framework Security Controls
Mezmo uses modern, secure frameworks whose built-in security controls limit exposure to the OWASP Top 10 security risks. These inherent controls reduce exposure to SQL injection (SQLi), cross-site scripting (XSS), buffer overflows, broken authentication and session management, and cross-site request forgery (CSRF), among others.
Testing and staging environments are logically separated from the production environment. No production data is used in development or test environments.
Mezmo has established a security program dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our security program is aligned with the SOC 2, ISO 27001:2013, HIPAA and PCI standards and is regularly audited and assessed by third parties.
Onboarding and Training
All employees complete the latest available security awareness training modules during onboarding and annually thereafter.
Mezmo's personnel practices apply to all members of the Mezmo workforce. All workers are required to understand and follow internal policies and standards. Upon termination of work at Mezmo, all access to Mezmo systems is removed immediately.
Policies and Procedures
Mezmo maintains a set of policies, standards, procedures, and guidelines ("security documents") that give the Mezmo workforce the "rules of the road" for operating. These security documents help ensure that Mezmo customers can rely on its workers to behave ethically and on the service to operate securely. The policies are living documents: they are regularly reviewed, updated as needed, and made available to all workers to whom they apply.
Mezmo performs background checks on all new employees in accordance with the local, state, and federal laws applicable to its business.
All employee contracts include a confidentiality agreement.
The Health Insurance Portability and Accountability Act of 1996, Title II (HIPAA) mandates safeguards for electronic protected health information (ePHI), including log management and audit requirements. Mezmo's systems and processes are fully compliant with HIPAA, and Mezmo is audited for HIPAA and HITECH compliance every year by a third-party qualified security assessor. For customers on the HIPAA-compliant logging plan, Mezmo will sign a Business Associate Agreement (BAA) and take on the associated legal liability of handling sensitive data.
HIPAA requires audit log data to be retained for a minimum of six years. To support this requirement, Mezmo provides a secure and convenient archiving service for logs older than the retention period of your Mezmo plan.
Please contact your account manager to request Mezmo's most recent HIPAA report.
Mezmo is committed to the highest level of privacy protection. The General Data Protection Regulation (GDPR) standardizes data protection for individuals in the EU and applies to organizations that process their personal data regardless of where those organizations are located; Mezmo operates as a GDPR-compliant organization.
SOC 2 Type 2
The SOC 2 report demonstrates Mezmo's commitment to meeting the most rigorous security, availability, and confidentiality standards in the industry. It verifies that Mezmo's security controls meet the AICPA Trust Services Criteria.
Please contact your account manager to request Mezmo's most recent SOC 2 report.
Mezmo has been audited by an independent PCI DSS Qualified Security Assessor (QSA) and is certified as a PCI DSS Level 1 Service Provider, the most stringent level of certification available in the payments industry.
Please contact your account manager to request Mezmo's most recent PCI DSS report.
EU-US Privacy Shield
To address EU data protection requirements for transfers to the United States, Mezmo is Privacy Shield certified. The framework enacts protections for the personal data of EU individuals when it is transferred to the United States. Note that the Court of Justice of the EU invalidated Privacy Shield as a transfer mechanism in July 2020 (the Schrems II judgment), so a Privacy Shield certification on its own no longer legitimizes EU-to-US transfers; organizations generally rely on Standard Contractual Clauses or the successor EU-US Data Privacy Framework instead.
Companies that display the TRUSTe Certified Privacy seal have demonstrated that their privacy policies and practices meet the TRUSTe Enterprise Privacy & Data Governance Practices Assessment Criteria. TRUSTe monitors ongoing compliance through annual recertification and through complaints received via its Privacy Feedback mechanism.
Mezmo is compliant with CCPA, GDPR, HIPAA, SOC 2, PCI DSS, and the EU-US Privacy Shield.