PRIVACY, SECURITY AND COMPLIANCE
Customer trust is Movable Ink’s top priority. Privacy, security, and compliance are core to everything we do. As part of that commitment, Movable Ink continuously enhances its product with new privacy and security features as well as updates its policies to reflect industry best practices. We take a Privacy and Security by Design approach to protecting our platform and clients. Our compliance programs enable our clients to verify that our privacy and security measures are well designed and consistently applied.
Movable Ink provides a web-based application (the Movable Ink Platform Application) that enables clients to generate personalized creative email, web, and mobile application content with associated business logic for marketing campaigns at scale. The solution works with a client’s existing Email Service Provider (ESP) and does not send emails. Dynamic creative email content is automatically generated after inbox arrival. Optionally, Movable Ink’s personalized content can also be included within clients’ web sites and mobile applications. Additionally, Movable Ink’s Platform Application provides a dashboard for reporting and viewing marketing campaign analytics.
At Movable Ink, protecting customer data is a first-order priority. We continuously monitor the evolving regulatory and legislative landscape to inform our policies, data security, and product development. Customer data is managed, processed, and stored in accordance with applicable global data protection legal and regulatory requirements. Movable Ink takes a Privacy by Design approach characterized by proactive rather than reactive data privacy measures.
General Data Protection Regulation (GDPR)
Movable Ink has implemented technologies and processes to meet the GDPR requirements for data processors. We consistently protect data in accordance with client instructions and the GDPR’s rules for data processors including full support for Data Subject Requests (DSRs).
California Consumer Privacy Act
Movable Ink has implemented both technologies and processes to handle user rights requests and has adopted best-practice data protection principles that meet CCPA requirements.
Movable Ink is Privacy Shield certified. Additionally, Movable Ink fully supports The European Commission Standard Contractual Clauses (SCCs) for data transfers.
Data Collection and Retention
Movable Ink is committed to data management best practices such as processing and retaining only the data needed to provide our services. Additionally, dedicated data owners ensure the confidentiality, integrity, and availability of client data throughout the complete data lifecycle. Movable Ink securely deletes client data within 30 days upon contract termination or upon client request. Additionally, Movable Ink can provide a copy of, or transfer, client data within 30 days upon request by an authorized representative.
Data Storage and Encryption
Customer data is stored exclusively in the United States and is encrypted in transit utilizing TLS and SNI and at rest using AES-256. The Movable Ink Platform Application is available only over HTTPS and is encrypted using TLS.
COMPLIANCE AND THIRD-PARTY VERIFICATION
Movable Ink’s compliance programs enable our clients to verify that our privacy and security measures are well designed and consistently applied. Movable Ink is SOC 2 Type 2 certified by an accredited auditor and is able to share a copy of its SOC 2 report with stakeholders upon request. Our policies, standards, and procedures are based on the ISO 27000 series, and Movable Ink is both ISO 27001 and ISO 27701 certified. Additionally, a qualified, independent security firm conducts comprehensive application and network penetration testing on an annual basis.
Movable Ink’s dedicated Information Security and Compliance team is responsible for the Company’s information security and compliance programs, which address technical, operational, and organizational measures for data governance, privacy, and security.
Movable Ink utilizes AWS to host its infrastructure and store customer data. All data centers are staffed 24/7/365 and utilize biometric access controls, security cameras, and record an audit trail of all access events. Administrator access to datacenter nodes is limited to authorized personnel required to carry out administrative tasks. Access controls are maintained via an automated provisioning system to ensure that access controls are up to date.
The Company utilizes a multi-tier network structure with a secure perimeter. Intrusion Prevention and Detection Systems are deployed, maintained, and monitored, and the application and database tiers are only accessible from within the Company’s Virtual Private Cloud (VPC). Movable Ink’s production environment is configured to implicitly deny all traffic and explicitly allow only well-defined, permitted traffic.
Identity and Access Management
Movable Ink takes a need-based and least-privileged approach to managing access. Access is strictly granted based on role and business need and regular recertifications are conducted. Segregation of duties is established for critical functions within the environment to minimize the risk of unauthorized changes to production systems. For external/client users, the Company enables clients to employ a self-service model. The Application offers multiple user roles to enable clients to assign access rights based on business need and manage users throughout the complete lifecycle.
Movable Ink maintains network architecture diagrams and a detailed inventory of all assets encompassing hardware, software, and data resources. All assets require clear ownership as well as categorization by type, sensitivity, and criticality.
Movable Ink ensures its systems and data have designated resource owners, including clearly documented and communicated roles and responsibilities as they pertain to system and data ownership. Resource owners are responsible for protecting the confidentiality, integrity, and availability of assigned resources as well as their appropriate use throughout the complete life cycle.
Configuration baselines have been established for network architecture, network devices, operating system deployments, as well as for approved protocols and ports. The DevOps team regularly reviews and updates baseline configurations, and automated solutions have been implemented to safeguard against deviations from these configurations.
Data at rest is stored in encrypted form utilizing AES-256. Data in transit is encrypted via the TLS and SNI protocols. The Movable Ink Platform Application is available only over HTTPS and is encrypted using TLS.
System Monitoring and Logging
Movable Ink conducts infrastructure and application monitoring and logging utilizing third-party industry-standard software solutions as well as Movable Ink’s own custom telemetry infrastructure.
Vulnerability and Patch Management
Movable Ink maintains vulnerability and patch management policies and procedures to track its systems for vulnerabilities, defects, and available patches. Internal and external application and network scans are conducted and reviewed at regular intervals according to related policies and procedures. Additionally, Movable Ink conducts annual network and application penetration testing with an independent qualified third-party firm. As an integral part of our risk management program, any needed remediation is identified, documented, tracked, prioritized, and completed according to risk rating calculations.
Movable Ink utilizes threat protection services and internal threat analysis to correlate external threat indicators with its assets. Real-time threat intelligence feeds include threat indicator types such as Zero Day, Denial of Service, Public Exploits, and Actively Attacked vulnerabilities. Validated vulnerability disclosure information is continuously considered in the context of Movable Ink’s assets and mapped where applicable down to the individual asset level in order to facilitate rapid, prioritized remediation.
Movable Ink has a comprehensive Procurement and Supplier/Partner Management Policy. For all suppliers and partners, Movable Ink conducts privacy, security, and compliance assessments which result in assigned risk ratings. Vendor and partner systems are reviewed and validated against Movable Ink’s Policies to ensure compliance with Movable Ink’s own privacy and security requirements.
Systems/Software Development Lifecycle (SDLC) and Change Management
Movable Ink takes a Privacy and Security by Design approach throughout the Systems/Software Development Lifecycle. Secure coding best practices are followed including required training, code analysis, segregation of duties, peer code review, approval process, and QA/testing in a dedicated staging environment.
Intrusion Prevention and Detection
Movable Ink has implemented intrusion prevention and detection capabilities across its production and corporate environments that are monitored by the DevOps, Information Security and Compliance, and IT teams. Logs from key applications are ingested in real-time for analysis and troubleshooting purposes. Movable Ink’s intrusion prevention and detection solutions include agents deployed across each server instance that proactively monitor for anomalous activity, conduct file integrity monitoring, and reference a centralized database of known threats which is updated at least daily. All corporate laptops are equipped with enterprise-class anti-virus software with centralized management and alerts. Movable Ink has implemented DLP to protect its core enterprise applications as well as its production environment.
Training and Awareness
Employees must complete privacy, security, and compliance awareness training upon hire and annually thereafter. Annual training includes, but is not limited to, how to define and protect personal information as well as applicable laws and regulations such as GDPR and CCPA. Additional customized privacy and security training is conducted based on roles and responsibilities, including secure coding training for engineers that includes OWASP Top 10 and SANS Top 20 best practices. Phishing simulations are conducted at least quarterly.
Movable Ink has implemented an incident management framework that includes defined processes, roles, communications, responsibilities, and procedures for detection, escalation, and response to incidents. Comprehensive incident response procedures, centralized tracking tools, and multiple channels for reporting incidents are maintained. Where applicable, the security program and/or platform are updated to incorporate improvements identified as a result of incidents.
Business Continuity and Disaster Recovery
Movable Ink has documented Business Continuity and Disaster Recovery Policies and Plans that outline the procedures to be followed in the event of a serious business disruption affecting the operation of our key functions and provides a framework to improve its resilience and ability to continue to operate in the event of a major disruption. Movable Ink has implemented active-active replication across its redundant, geographically disparate data centers with multiple redundant nodes. Comprehensive Business Continuity and Disaster Recovery testing is conducted at least annually including restoration of Movable Ink’s primary database with verification, as well as tabletop exercises on a quarterly basis.
Your feedback is very important to us.
Learn more about our security program: email@example.com
Report a security concern: firstname.lastname@example.org
If you’re looking for information on GDPR, its impact on companies that process personal data, and what Movable Ink has done to comply, you’ve come to the right place. GDPR represents the most significant piece of legislation affecting the use of personal data by corporations, so it’s worth getting smart about it. The following GDPR Q&A will help you do just that.
What is GDPR?
Effective and enforced as of May 25, 2018, the General Data Protection Regulation (GDPR) is a data protection framework that was enacted by the European Union to give its citizens more control over how their personal data is used. GDPR strengthens and consolidates existing data protection laws, including extending regulations to foreign companies that process data of EU residents.
To Whom Does GDPR Apply?
If your company isn’t in the European Union, you might think you’re off the hook. You’d be wrong. The regulation doesn’t just apply to EU-based data controllers (organizations that collect data from EU citizens) and data processors (organizations that process data for the data controllers). GDPR applies to any organization that processes or controls data of any EU citizen. So, if you’re a data processor or controller with an EU citizen in your marketing database, it applies to you.
Is Movable Ink Compliant?
Yes. Movable Ink has numerous technologies and processes in place to ensure compliance with GDPR. Movable Ink is considered a data processor, because when clients use our intelligent creative solutions, we take relevant data from data controllers and use it to create personalized messages. Since we process personal data only according to the instructions of our clients, we are subject to GDPR’s rules for data processors.
What Steps Has Movable Ink Taken to Be Compliant?
The GDPR framework outlines a number of requirements that data processors like Movable Ink must meet to protect personal data and respond to consumer requests to access or delete it. The following are just some of the ways that Movable Ink complies with GDPR:
Movable Ink has invested heavily in technologies and services to protect client data
Movable Ink has a robust information security program that includes appropriate technical and organizational measures, including encryption, pseudonymization, two-factor authentication, and limiting access to data.
Movable Ink only processes data in ways allowed under the data processing agreements secured with data controllers.
Movable Ink never shares client data with other clients.
Movable Ink has established processes for responding to requests to delete end users’ data.
Movable Ink and its sole sub-processor Amazon Web Services (AWS) are certified under the EU-US Privacy Shield Framework.
Movable Ink has Data Processing Addendums in place with AWS that meet the requirements of the Data Protection Act 1988 and the May 2018 GDPR regulation.
Secure Processing of Personal Data
Movable Ink ensures any processing of personal data follows strict protocols for security.
Dynamic IP addresses collected to determine an email recipient’s approximate location are associated with the unique user identification number of the end user provided by client.
Any time a client uses email address as the unique identifier to associate with information collected from a particular campaign, the address is cryptographically hashed.
Any website behavior we are instructed to collect by a client is associated with a unique user identification number of the website visitor as provided by the client.
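The following is an added illustration of the email-hashing step described above, not code from Movable Ink's platform: it normalizes an address and derives a stable pseudonymous token with a keyed hash (HMAC-SHA256) under a per-client key, so that campaign data can be joined on the token without storing the address and tokens for one person stay unlinkable between clients. The normalization rules, the per-client key and the sample events are assumptions made for the example.

```python
"""Keyed pseudonymization of email identifiers (added example)."""
import hashlib
import hmac
import unicodedata


def normalize_email(addr: str) -> str:
    """Canonicalize an address so the same mailbox always maps to one token.

    Assumption (not from the page): surrounding whitespace is stripped, Unicode
    is NFKC-normalized and the whole address is lower-cased.
    """
    addr = unicodedata.normalize("NFKC", addr).strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or "." not in domain:
        raise ValueError(f"not a usable email address: {addr!r}")
    return f"{local}@{domain}"


def pseudonymize_email(addr: str, client_key: bytes) -> str:
    """Return a stable, hex-encoded HMAC-SHA256 token for the address.

    A keyed hash (rather than a bare SHA-256 of the address) means a party
    without the key cannot reproduce tokens from addresses it already holds,
    and a distinct key per client keeps one person's tokens unlinkable
    between clients.
    """
    if len(client_key) < 32:
        raise ValueError("client key must be at least 256 bits")
    mac = hmac.new(client_key, normalize_email(addr).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def tokenize_campaign_events(events, client_key):
    """Replace the raw address in each ingested event with its token.

    `events` is a list of dicts carrying an "email" field (constructed sample
    below); the returned copies carry "subject_token" instead.
    """
    out = []
    for ev in events:
        ev = dict(ev)
        ev["subject_token"] = pseudonymize_email(ev.pop("email"), client_key)
        out.append(ev)
    return out


# Constructed sample data, not taken from the page.
SAMPLE_KEY_A = b"\x01" * 32   # placeholder per-client secret; use os.urandom(32) in practice
SAMPLE_KEY_B = b"\x02" * 32   # a second client's key
SAMPLE_EVENTS = [
    {"email": "Jane.Doe@Example.com ", "campaign": "spring", "opened": True},
    {"email": "jane.doe@example.com", "campaign": "summer", "opened": False},
]

if __name__ == "__main__":
    for event in tokenize_campaign_events(SAMPLE_EVENTS, SAMPLE_KEY_A):
        print(event)
```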
How Does GDPR Impact a Brand’s Ability to Personalize Email?
One of the core pillars of GDPR is the need for organizations to get clear consent before processing personal data belonging to any EU citizen. You’ll want to check with an informed lawyer on what constitutes consent, but your organization needs it for every EU citizen who receives a personalized email from you that leverages their data.
So where does that leave email marketers? Any campaign that you are sending must now take into account whether or not you have consent from the recipient to personalize it using their data. This can be a serious uphill climb, but it also happens to be one area where Movable Ink’s Intelligent Creative Platform can offer some much needed help.
Embracing GDPR with Intelligent Creative
With intelligent creative, email marketers have the flexibility to create 1:1 email campaigns that can fall back automatically to different levels of personalization based on access to data or the ability to leverage it based on GDPR or other privacy laws.
With Movable Ink, marketers can ensure that each recipient receives the maximum amount of personalization possible, from true 1:1 personalization that pulls in CRM and contextual data when data consent is given, to other types of personalization that don’t rely on personal data, like recent-time pricing and inventory information. Learn more on our products page.
Get Smart with GDPR Resources
For more information on GDPR and the impact it can have on your marketing, we invite you to explore the resources below. We also invite you to see what’s possible with Intelligent Creative by requesting a demo.
On-Demand Webinar: What GDPR Means for the American Email Marketer
DMA UK GDPR Site
e-Consultancy GDPR Site
AWS GDPR Center
What is the CCPA?
The California Consumer Privacy Act (CCPA) gives consumers residing in California more control over the personal information that businesses collect about them and grants them GDPR-like rights of deletion, access, portability, as well as a right to opt-out of the sale of their personal information. The CCPA took effect on January 1, 2020, with enforcement beginning July 1, 2020.
To Whom Does the CCPA Apply?
The CCPA applies to for-profit businesses that do business in California and meet any of the following:
Have a gross annual revenue of over $25 million;
Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
Derive 50% or more of their annual revenue from selling California residents’ personal information.
Is Movable Ink Compliant?
Yes. Movable Ink’s dedicated Information Security & Compliance team maintains a comprehensive privacy and security program which is based on the principles of transparency, fairness, and accountability. Some examples of data protection measures that Movable Ink has implemented include:
Annual internal Security Risk Assessment (SRA) with remediation;
Annual internal Compliance Control Assessment with remediation;
Annual third-party penetration testing by a qualified supplier with remediation;
TLS 1.2 or SNI fully supported for data encryption in transit;
AES-256 fully supported for data encryption at rest;
Customer data is not stored in non-production environments (e.g., Movable Ink’s staging
Regularly scheduled Qualys network and application vulnerability scans with remediation.
Movable Ink is a Service Provider with respect to its clients doing business in California under the CCPA and processes personal information in order to meet the terms of its contracts with those clients. Movable Ink does not sell personal information. Movable Ink’s general privacy statement on the CCPA is located at https://movableink.com/legal/privacy. Movable Ink also has processes in place to ensure timely processing of consumer requests submitted by our clients who are subject to CCPA. While our existing privacy practices already satisfy the core requirements of the CCPA, we are actively monitoring the evolving CCPA regulations in order to address any additional compliance requirements that may be promulgated.