Security at Mitigaze

1. Security architecture and practices

Mitigaze's security team uses industry best practices and frameworks to keep data secure. Our approach focuses on security governance, risk management and compliance. This includes encryption at rest and in transit, network security, administrative access control, system monitoring, and more.

HTTPS for secure connections

Mitigaze forces HTTPS for all services using TLS (SSL), including our public website and our Mitigaze App.

We regularly audit the details of our implementation:

  • the certificates we serve;
  • the certificate authorities we use; and
  • the ciphers we support.

Encryption of sensitive data and communication

All passwords are stored at rest as PBKDF2 hashes using SHA-256; plaintext passwords are never stored.
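To show what PBKDF2-SHA256 password storage involves in practice, here is an added, stand-alone illustration of the scheme. This is not Mitigaze's code, and the iteration count, salt length and record format are assumptions chosen for the example; Mitigaze's actual parameters are not published on this page. The example shows the three parts a practitioner looks for: a random per-user salt, a constant-time comparison on verification, and a check that lets old records be upgraded when the work factor is raised.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example only (not Mitigaze's setting).
ITERATIONS = 600_000
SALT_BYTES = 16   # 128-bit random salt per password
DKLEN = 32        # derived key length in bytes (SHA-256 output size)
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash and return a self-describing record.

    Record layout (an assumption for this example):
        pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>
    Storing the parameters with the hash lets the verifier work after the
    defaults change, and lets needs_rehash() spot stale records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare.

    hmac.compare_digest runs in constant time, so a wrong guess takes the
    same time whether it differs in the first byte or the last.
    """
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False                      # malformed record
    if algo != ALGO:
        return False                      # unknown or legacy scheme
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iters), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record uses another scheme or a lower work factor.

    Called after a successful login, so the record can be re-derived with
    the current parameters while the plaintext is briefly available.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("wrong pw:", verify_password("Correct horse battery staple", stored))
    print("needs rehash:", needs_rehash(stored))
```

The stored record never contains the password, only the salt and the derived key, so verification requires re-running the same derivation rather than decrypting anything; that is the practical difference between hashing a password and encrypting it.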

Production environment

We maintain separate and distinct production, staging, and development environments for Mitigaze.

Payments

Mitigaze does not process payments or store credit card details. All payments go through our partner, Stripe, which is a leading global payments system that is PCI DSS compliant.

2. Storage and data centers

Mitigaze production services are hosted on the Amazon Web Services (AWS) platform.

The physical servers are located in AWS data centers.

As of today's date, AWS:

  • has certifications for compliance with ISO/IEC 27001:2013, 27017:2015 and 27018:2014;
  • is certified as a PCI DSS 3.2 Level 1 Service Provider; and
  • undergoes SOC 1, SOC 2 and SOC 3 audits (with semi-annual reports).

Further details about AWS compliance programs are available from the AWS website.

All user content is stored within US regions of AWS.

3. Access controls

All user data stored in Mitigaze is protected and access to such data by Authorized Personnel is based on the principle of least privilege.

Only Authorized Personnel have direct access to Mitigaze's production systems. Those who do have direct access to production systems are only permitted to view user data stored in Mitigaze in the aggregate, for troubleshooting purposes or as otherwise permitted in our Privacy Policy.

Mitigaze maintains a list of Authorized Personnel with access to the production environment. Mitigaze also maintains a list of personnel who are permitted to access Mitigaze code, as well as the development and staging environments. These lists are reviewed regularly and upon role change.

4. Vulnerability disclosure

Our security team promptly investigates all reported security issues. If you’ve discovered a security bug or vulnerability in Mitigaze, please contact us at security@mitigaze.com. We ask you not to publicly disclose security issues until we have fully investigated the matter.