COMPLIANCE & SECURITY

Cloud Security

Our security, confidentiality, and availability architecture is built on top of ISO 27001:2013 controls, SOC 2 Focus Points, PCI DSS, and HIPAA frameworks to enable best practice protection controls, implemented based on industry standards.

Physical Security and Data hosting

Mezmo uses Amazon Web Services (AWS) Data Centers which are located in the United States of America. For IBM Customers, there are data centers located across multiple regions.

Dedicated Security Team

Mezmo's Security Team is actively monitoring and on-call to respond to security alerts and/or events.

Logical Access

Mezmo's Production Environment uses a role-based access control (RBAC) security architecture and requires users of the system to be identified and authenticated before they can use any system resources. Resources are protected through native system security and add-on software products that identify and authenticate users and validate access requests against the users' authorized roles in access control lists. These measures are actively monitored and audited against industry-standard frameworks. Access reviews are performed quarterly to ensure all access remains appropriate.

Back Ups

Mezmo does not store customer log data for more than 30 days. For longer retention, we provide an archiving service that automatically exports older logs to the customer's preferred cloud storage service. Mezmo offers 7-, 14-, and 30-day searchable log data plans, and our systems are configured to automatically and securely purge logs after 30 days.

Disaster Recovery

Non-log production data is replicated among discrete operating environments to protect the availability of Mezmo's service in the event of catastrophic events. Mezmo performs restoration testing annually to ensure the completeness and accuracy of backup data. Mezmo's data archiving service mitigates loss of customer log data in the event of catastrophic events.

Intrusion Detection and Prevention

Mezmo utilizes intrusion detection and prevention systems to detect and/or prevent intrusions into the environment. Active monitoring, alerts, and tools are in place to ensure action is taken by the appropriate on-duty teams if any intrusion and/or security events exceed predetermined thresholds.

Pentests & Vulnerability Scanning

Mezmo utilizes third-party security scanning tools to perform continuous vulnerability scans. Our dedicated security team reviews and responds to the security vulnerabilities in a timely manner. Annually, we engage independent third-party security experts to perform detailed penetration tests on the Mezmo application and network.

Security Incident Response

Mezmo has established policies and procedures for responding to potential security incidents. All incidents are managed by Mezmo's dedicated Incident Response Team. Mezmo defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.

Encryption

Mezmo transmits data over public networks using strong encryption. This includes data transmitted between Mezmo clients and the Mezmo service. Mezmo supports the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS protocols, encryption, and hashing algorithms, as supported by the clients. Encryption also applies to all types of data at rest within Mezmo's systems.

SECURE BY DESIGN - APPLICATION SECURITY

Mezmo's products and capabilities have been designed to be foundationally secure.

Software Development Life Cycle (SDLC)

Mezmo assesses the security risk of each software development project according to our Secure Development Lifecycle. Before completion of the design phase, Mezmo undertakes an assessment to qualify the security risk of the software changes introduced. This risk analysis leverages the OWASP Top 10. Based on this analysis, Mezmo creates a set of requirements that must be met before the resulting change may be released to production. All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing. Annually, engineers are required to participate in secure code training covering the OWASP Top 10 security risks, common attack vectors, and security controls.

Framework Security Controls

Mezmo leverages modern and secure frameworks with built-in security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS), Buffer Overflows, Broken Authentication/Session Management, and Cross-Site Request Forgery (CSRF), among others.

Separate Environments

Testing and staging environments are logically separated from the Production environment. No Production Data is used in our development or test environments.

ORGANIZATIONAL SECURITY

Mezmo has established a security program dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our security program is aligned with the SOC 2, ISO 27001:2013, HIPAA and PCI standards and is regularly audited and assessed by third parties.

Onboarding and Training

All employees complete the latest available Security and Awareness training modules during onboarding and annually thereafter.

Personnel Security

Mezmo's personnel practices apply to all members of the Mezmo workforce. All workers are required to understand and follow internal policies and standards. Upon termination of work at Mezmo, all access to Mezmo systems is removed immediately.

Policies and Procedures

Mezmo maintains a set of policies, standards, procedures, and guidelines ("security documents") that provide the Mezmo workforce with the "rules of the road" for operating. Our security documents help ensure that Mezmo customers can rely on our workers to behave ethically and on our service to operate securely. These policies are living documents: they are regularly reviewed, updated as needed, and made available to all workers to whom they apply.

Employee Screening

Mezmo performs background checks on all new employees in accordance with local, federal and state laws applicable to our business.

Confidentiality

All employee contracts include a confidentiality agreement.

Compliance

HIPAA

The Health Insurance Portability and Accountability Act of 1996 Title II (HIPAA) addresses safeguards to secure electronic protected health information (ePHI), including log management and audit requirements. Mezmo's systems and processes are fully compliant with HIPAA, and we are audited for HIPAA and HITECH compliance every year by a third-party qualified security assessor. For customers on our HIPAA-compliant logging plan, Mezmo will sign a Business Associate Agreement (BAA) and take on the associated legal liability of handling your sensitive data.

HIPAA requires a minimum of 6 years of retention of audit log data. To ensure compliance, Mezmo provides a secure and convenient archiving service for logs older than the retention period of your Mezmo plan. Please contact your account manager or outreach@mezmo.com to request Mezmo's most recent report.

GDPR

Mezmo is committed to ensuring the highest level of privacy protection. As a General Data Protection Regulation (GDPR) compliant organization, Mezmo has standardized user data privacy across the EU nations, regardless of where the organizations themselves are located.

Learn more about Mezmo's approach to GDPR.

SOC 2 Type 2

The SOC 2 Report demonstrates Mezmo's commitment to meeting the most rigorous security, availability, and confidentiality standards in the industry. It verifies that Mezmo's security controls are in accordance with the AICPA Trust Services Principles and Criteria. Please contact your account manager or outreach@mezmo.com to request Mezmo's most recent report.

PCI-DSS

Mezmo has been audited by an independent PCI-DSS Qualified Security Assessor (QSA) and is certified as a PCI-DSS Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.

Please contact your account manager or outreach@mezmo.com to request Mezmo's most recent report.

EU-US Privacy Shield

To comply with EU data protection requirements, Mezmo is Privacy Shield certified. This enacts protections for the personal data of EU individuals when it is transferred to the United States.

Learn more about Mezmo's approach to Privacy Shield.

CCPA

Mezmo complies with the California Consumer Privacy Act (CCPA) and supports our customers' compliance with the CCPA. As a provider of enterprise log management tools, Mezmo is primarily a service provider under the CCPA. You can read more about Mezmo's commitment to compliance in our Privacy Policy.

Learn more about Mezmo's approach to CCPA.

TRUSTe

Companies that display the TRUSTe Certified Privacy seal have demonstrated that their privacy policies and practices meet the TRUSTe Enterprise Privacy & Data Governance Practices Assessment Criteria. TRUSTe monitors ongoing compliance through annual recertifications and complaints received through the Privacy Feedback mechanism.

Get compliant

Mezmo is compliant with CCPA, GDPR, HIPAA, SOC 2, PCI-DSS, and the EU-US Privacy Shield.