PRIVACY, SECURITY AND COMPLIANCE
Customer trust is Movable Ink’s top priority. Privacy, security, and compliance are core to everything we do. As part of that commitment, Movable Ink continuously enhances its product with new privacy and security features as well as updates its policies to reflect industry best practices. We take a Privacy and Security by Design approach to protecting our platform and clients. Our compliance programs enable our clients to verify that our privacy and security measures are well designed and consistently applied.
Table of Contents
- Platform Description
- Compliance and Third-Party Verification
- Physical Security
- Network Infrastructure
- Identity and Access Management
- Asset Management
- Resource Ownership
- Configuration Management
- Cryptographic Controls
- System Monitoring and Logging
- Vulnerability and Patch Management
- Threat Management
- Third-Party Risk
- Systems/Software Development Lifecycle (SDLC) and Change Management
- Intrusion Prevention and Detection
- Training and Awareness
- Incident Management
- Business Continuity and Disaster Recovery
Movable Ink provides a web-based application (the Movable Ink Platform Application) that enables clients to generate personalized creative email, web, and mobile application content with associated business logic for marketing campaigns at scale. The solution works with a client’s existing Email Service Provider (ESP) and does not send emails. Dynamic creative email content is automatically generated after inbox arrival. Optionally, Movable Ink’s personalized content can also be included within clients’ web sites and mobile applications. Additionally, Movable Ink’s Platform Application provides a dashboard for reporting and viewing marketing campaign analytics.
At Movable Ink, protecting customer data is a first-order priority. We continuously monitor the evolving regulatory and legislative landscape to inform our policies, data security, and product development. Customer data is managed, processed, and stored in accordance with applicable global data protection legal and regulatory requirements. Movable Ink takes a Privacy by Design approach characterized by proactive rather than reactive data privacy measures.
General Data Protection Regulation (GDPR)
Movable Ink has implemented technologies and processes to meet the GDPR requirements for data processors. We consistently protect data in accordance with client instructions and the GDPR’s rules for data processors including full support for Data Subject Requests (DSRs).
State Privacy Laws
Movable Ink is Privacy Shield certified. Additionally, Movable Ink fully supports The European Commission Standard Contractual Clauses (SCCs) for data transfers.
Data Collection and Retention
Movable Ink is committed to data management best practices such as processing and retaining only the data needed to provide our services. Additionally, dedicated data owners ensure the confidentiality, integrity, and availability of client data throughout the complete data lifecycle. Movable Ink securely deletes client data within 30 days upon contract termination or upon client request. Additionally, Movable can provide a copy or transfer client data within 30 days upon request by an authorized representative.
Data Storage and Encryption
Customer data is stored exclusively in the United States and is encrypted in transit utilizing TLS and SNI and at rest using AES-256. The Movable Ink Platform Application is available only over HTTPS and is encrypted using TLS. Optionally, new Movable Ink client accounts can be set up in Movable Ink’s EU data center.
COMPLIANCE AND THIRD-PARTY VERIFICATION
Movable Ink’s compliance programs enable our clients to verify that our privacy and security measures are well designed and consistently applied. Movable Ink is SOC 2 Type 2 certified by an accredited auditor and is able to share a copy of its SOC 2 report with stakeholders upon request. Our policies, standards, and procedures are based on the ISO 27,000 series and Movable Ink is both ISO 27,001 as well as 27,701 certified. Additionally, a qualified, independent security firm conducts comprehensive application and network penetration testing on an annual basis.
Movable Ink’s dedicated Information Security and Compliance team is responsible for the Company’s information security and compliance programs, which address technical, operational, and organizational measures for data governance, privacy, and security.
Movable Ink utilizes AWS to host its infrastructure and store customer data. All data centers are staffed 24/7/365 and utilize biometric access controls, security cameras, and record an audit trail of all access events. Administrator access to datacenter nodes is limited to authorized personnel required to carry out administrative tasks. Access controls are maintained via an automated provisioning system to ensure that access controls are up to date.
The Company utilizes a multi-tier network structure with a secure perimeter. Intrusion Prevention and Detection Systems are deployed, maintained, and monitored, and the application and database tiers are only accessible from within the Company’s Virtual Private Cloud (VPC). Movable Ink’s production environment is configured to implicitly deny all traffic and explicitly allow only well-defined, permitted traffic.
Identity and Access Management
Movable Ink takes a need-based and least-privileged approach to managing access. Access is strictly granted based on role and business need and regular recertifications are conducted. Segregation of duties is established for critical functions within the environment to minimize the risk of unauthorized changes to production systems. For external/client users, the Company enables clients to employ a self-service model. The Application offers multiple user roles to enable clients to assign access rights based on business need and manage users throughout the complete lifecycle.
Movable Ink maintains network architecture diagrams and a detailed inventory of all assets encompassing hardware, software, and data resources. All assets require clear ownership as well as categorization by type, sensitivity, and criticality.
Movable Ink ensures its systems and data have designated resource owners, including clearly documented and communicated roles and responsibilities as they pertain to system and data ownership. Resource owners are responsible for protecting the confidentiality, integrity, and availability of assigned resources as well as their appropriate use throughout the complete life cycle.
Configuration baselines have been established for network architecture, network devices, operating system deployments, as well as for approved protocols and ports. The DevOps team regularly reviews and updates baseline configurations, and automated solutions have been implemented to safeguard against deviations from these configurations.
Data at rest is stored in encrypted form utilizing AES-256. Data in transit is encrypted via the TLS and SNI protocols. The Movable Ink Platform Application is available only over HTTPS and is encrypted using TLS.
System Monitoring and Logging
Movable Ink conducts infrastructure and application monitoring and logging utilizing third-party industry-standard software solutions as well as Movable Ink’s own custom telemetry infrastructure.
Vulnerability and Patch Management
Movable Ink maintains vulnerability and patch management policies and procedures to track its systems for vulnerabilities, defects, and available patches. Internal and external application and network scans are conducted and reviewed at regular intervals according to related policies and procedures. Additionally, Movable Ink conducts annual network and application penetration testing with an independent qualified third-party firm. As an integral part of our risk management program, any needed remediation is identified, documented, tracked, prioritized, and completed according to risk rating calculations.
Movable Ink utilizes threat protection services and internal threat analysis to correlate external threat indicators with its assets. Real-time threat intelligence feeds include threat indicator types such as Zero Day, Denial of Service, Public Exploits, and Actively Attacked vulnerabilities. Validated vulnerability disclosure information is continuously considered in the context of Movable Ink’s assets and mapped where applicable down to the individual asset level in order to facilitate rapid, prioritized remediation.
Movable Ink has a comprehensive Procurement and Supplier/Partner Management Policy. For all suppliers and partners, Movable Ink conducts privacy, security, and compliance assessments which result in assigned risk ratings. Vendor and partner systems are reviewed and validated against Movable Ink’s Policies to ensure compliance with Movable Ink’s own privacy and security requirements.
Systems/Software Development Lifecycle (SDLC) and Change Management
Movable Ink takes a Privacy and Security by Design approach throughout the Systems/Software Development Lifecycle. Secure coding best practices are followed including required training, code analysis, segregation of duties, peer code review, approval process, and QA/testing in a dedicated staging environment.
Intrusion Prevention and Detection
Movable Ink has implemented intrusion prevention and detection capabilities across its production and corporate environments that are monitored by the DevOps, Information Security and Compliance, and IT teams. Logs from key applications are ingested in real-time for analysis and troubleshooting purposes. Movable Ink’s intrusion prevention and detection solutions include agents deployed across each server instance that proactively monitor for anomalous activity, conduct file integrity monitoring, and reference a centralized database of known threats which is updated at least daily. All corporate laptops are equipped with enterprise-class anti-virus software with centralized management and alerts. Movable Ink has implemented DLP to protect its core enterprise applications as well as its production environment.
Training and Awareness
Employees must complete privacy, security, and compliance awareness training upon hire and annually thereafter. Annual training includes, but is not limited to, how to define and protect personal information as well as applicable laws and regulations such as GDPR and CCPA. Additional customized privacy and security training is conducted based on roles and responsibilities, including secure coding training for engineers that includes OWASP Top 10 and SANS Top 20 best practices. Phishing simulations are conducted at least quarterly.
Movable Ink has implemented an incident management framework that includes defined processes, roles, communications, responsibilities, and procedures for detection, escalation, and response to incidents. Comprehensive incident response procedures, centralized tracking tools, and multiple channels for reporting incidents are maintained. Where applicable, the security program and/or platform are updated to incorporate improvements identified as a result of incidents.
Business Continuity and Disaster Recovery
Movable Ink has documented Business Continuity and Disaster Recovery Policies and Plans that outline the procedures to be followed in the event of a serious business disruption affecting the operation of our key functions and provides a framework to improve its resilience and ability to continue to operate in the event of a major disruption. Movable Ink has implemented active-active replication across its redundant, geographically disparate data centers with multiple redundant nodes. Comprehensive Business Continuity and Disaster Recovery testing is conducted at least annually including restoration of Movable Ink’s primary database with verification, as well as tabletop exercises on a quarterly basis.
Your feedback is very important to us.
Learn more about our security program: firstname.lastname@example.org
Report a security concern: email@example.com