Security manifesto from mParticle’s CISO
We are committed to providing the most secure Customer Data Platform (CDP) on the market and prioritizing our customers' data privacy.
At mParticle, the security of our platform and our customers’ data is of paramount importance. We are committed to providing the most secure Customer Data Platform (CDP) on the market.
Having recently joined mParticle as the company’s first Chief Information Security Officer, I was delighted to find that security had been baked into the mParticle infrastructure, application, and company culture from the company’s formation.
After working at much larger organizations, it has been refreshing to join such a nimble and security-conscious company. Every individual at mParticle understands that they are part of the security ecosystem and that they hold a shared responsibility to protect our environment. The introduction of a dedicated security team reaffirms the company’s commitment to providing best-in-class security.
Being a cloud-native product, mParticle leverages the power and stability of Amazon’s AWS platform and takes advantage of the many advanced security features of the service, including strong authentication using multiple factors, clearly defined and enforced role-based access control, extensive logging, and industry-leading cryptographic services such as CloudHSM and KMS.
Our SDKs have been designed to offer advanced protection to customer data, using TLS and certificate pinning to encrypt data in transit. Once data is received by the mParticle API, it is encrypted at rest in the various stages of its journey through our AWS environment and again in transit when passed on to your chosen providers.
In addition to an array of technical measures to prevent unauthorized access to customer data, mParticle follows the principle of least privilege and strictly enforces role-based access control, ensuring that the bare minimum number of staff have access to any customer data. All staff and contractors are required to undergo comprehensive background checks and receive regular, targeted security awareness training before gaining access to company resources.
Our security team is on call 24/7 and collaborates closely with our operations team to maintain the availability, integrity, and confidentiality of our system at all times. To further check the security of our platform and our processes, we engage expert third-party consultants to perform a range of regular penetration testing services against our application, infrastructure, and staff. This process helps us identify and address issues efficiently to ensure we are operating securely on an ongoing basis.
To further ensure that we are following (or exceeding) industry best practices, we are in the process of aligning our security program with a number of third-party compliance certifications. We expect to gain both SOC 2 and ISO 27001 compliance certification during 2018.