mParticle’s security posture protects client data from ever-evolving threats

Ever since the widespread adoption of the internet in the 1990s, digital technologies have been steadily migrating into more and more aspects of daily life. This rate of change was already rapid prior to 2020, but the onset of the COVID-19 pandemic was like pouring gasoline on the bonfire of digital transformation. Now, it feels as though our social and professional lives are wholly integrated into digital spaces, and this trend shows no signs of stopping.

While increasing digital connection can have many benefits, it also comes with inherent risks, and cybercrime is chief among these. Hacks and data breaches are an unfortunate reality of life in the modern world. It behooves anyone who uses digital technologies to be aware of cyber threats, but enterprises that store or process user data have a particularly weighty responsibility in this regard. It is incumbent upon any company that handles data for clients and end users to employ state-of-the-art tactics to stay ahead of cybercriminals and ensure that sensitive information does not fall into the wrong hands. 

This is why security is a fundamental part of mParticle’s DNA. Our security team operates on the principle of continuous improvement and strives to implement the latest technologies and processes to maintain a cutting-edge approach to keeping customer data secure. By proactively evaluating risk in our systems, applications, infrastructure, and processes, we aim to stay many steps ahead of those who would try to find and exploit vulnerabilities. 

When you’re in the business of data, you’re in the business of data security. Since mParticle’s founding, protecting customer, prospect, and employee data has been integral. It has played a major role in shaping our product roadmap, internal culture, and business strategy as a whole. 

Our security posture is similar to our core product in that it follows an innovation cycle of continuous improvement. Our dedicated security team is constantly evaluating the technologies and processes we have in place to protect the data we house and proactively evaluating risk in securing our systems, applications, and infrastructure. 

Here is how we put our overarching philosophy on data security into practice in specific practices and across different areas of our business: 

A proactive approach to risk management

Hackers work by finding and exploiting vulnerabilities in their target systems––they look for the weakest links in a company’s infrastructure, and focus their efforts there. This is why we have an ongoing risk assessment process to continuously look for potential weaknesses in our corporate systems and application infrastructure, and ensure that we mitigate any potential risks across our platform. This risk assessment process is what drives our security roadmap, and helps us focus our investments in the areas where they will have the greatest impact. In addition to our own product and systems, we also conduct ongoing security audits of all of our integration partners and other third-party vendors to ensure that their security practices align with our high-level requirements. 

Maintaining compliance with rigorous security standards

As part of our risk management process, we partner with established security testing firms to help us test our infrastructure, corporate network, and applications for potential vulnerabilities. Each year, we undergo several security audits of our platform which gives us external assurance of our compliance with security standards including SOC 2 Type 2 and ISO 27001. 

Protecting our infrastructure security

Keeping our clients’ data safe as it moves to and from our internal systems is a critical focus. One fundamental tenet we implement, aimed at optimizing the security of our data infrastructure, is the principle of least privilege. That is, only mParticle employees who require access to systems that house client data have such access. Additionally, we regularly conduct vulnerability scanning, patch management, and penetration testing across our infrastructure layer to further secure client data within our purview.

Beyond internal policies, we also implement a variety of technologies and systems to protect data while it is stored in and moves between our systems. For instance, we configure firewalls to limit data traffic only to what is expected and required for client usage. We also use Transport Layer Security (TLS) to encrypt all client data in transit and implement certificate pinning to further prevent data from being intercepted or altered by man-in-the-middle attacks. Additionally, access to the customer data environment requires a hardware token, and we also use various types of encryption options across our tech stack and AWS environment to protect data both at rest and in transit.

For securing certain aspects of our infrastructure, we look to modern, best-in-class vendors. For instance, we protect our production secrets with vendor solutions from Hashicorp Vault, Amazon KMS, and Parameter Store. We also leverage Lacework for identifying and reporting on known vulnerabilities in production.

Robust application security

Security best practices are an integral piece of our software development lifecycle. In order for a product or feature to progress along the path from ideation to deployment, it must pass multiple checkpoints designed to validate its security fundamentals. These are constantly updated to account for modern and evolving threats. Our CI process ensures that all code is scanned by static analysis tooling and reviewed by at least one other engineer before being merged into production. In cases in which shipped code has a significant impact on security, a member of the security team will also review the pull request. To validate the security of our overall product design and service implementation, we work with external security researchers as well as our own internal security team. 

A corporate culture of awareness and vigilance

Hackers often see a company’s employees as the easiest avenue through which to gain access to internal systems and data. This is why we make security awareness a central part of our culture at mParticle. Before anyone is granted access to mParticle systems, they undergo a live Security Awareness training from a member of our Security Team. On a regular basis, mParticle employees are required to complete security training courses and demonstrate knowledge of the latest threats to corporate security as well as best practices for detecting and preventing attacks. Our security team also performs phishing tests and awareness campaigns to prevent social engineering attacks and foster a culture of security throughout the company. 

While this article highlights some of the significant ways in which mParticle protects customer, prospect, and employee data, this information should be seen as a snapshot in time rather than a permanent solution to the problem. As underscored earlier, data security is an ever-evolving process by necessity–the threats companies face are always growing smarter and more insidious. At the end of the day, our approach of least privilege, continuous improvement, and vigilant risk assessment practices are the most effective defenses against those who seek to do harm. 

“Of all the measures we take to protect the data in our purview, I’m most proud of the security culture we have built across the entire organization,” says Dave Anderson, mParticle’s Chief Information Security Officer. “It really takes a whole company to buy into being vigilant and security minded in their day-to-day decisions and actions, and we’ve absolutely fostered that here at mParticle.”