Security at core
Security is a top priority for every company. Threats are growing rapidly in both frequency and severity. That’s why we embedded security as one of our core values from the beginning. We provide you with a solution built with trust at its heart, following best practices as we create.
To ensure the best level of protection at all times for our customers, we provide several features within Mindflow to safeguard the security, confidentiality, integrity, and availability of customer data.
Infrastructure
Access to production environments: We restrict access to production systems to senior employees only, designated after manual review.
Segregation between test and production environments: We enforce segregation between test and production environments and ensure that data used in test is kept separate from data used in the production environment, to protect customers’ data.
Single tenant: Mindflow is deployed as a single-tenant service to ensure hermetic separation between customers.
Data encryption: Data flowing through Mindflow is encrypted at rest and in transit using AES-256.
Data backup: Automatic backups are performed daily and retained for 35 days. In the event of a disaster, Mindflow is replicated across numerous data centers to allow rapid recovery. Should a prolonged disaster occur, Mindflow has a predetermined recovery plan on alternate sites to meet its Recovery Time Objectives.
Secure protocols: Mindflow enforces SSL/TLS protocols to keep connections secure.
End user access: MFA can be enforced for end users accessing the platform.
Availability: Mindflow is built using AWS Lambda serverless computing to keep speed and agility as we scale up to meet any demand and maintain a high level of availability.
Physical and virtual security: AWS handles the physical and virtual security of Mindflow’s architecture as part of the shared responsibility model.
Web application firewall: Mindflow uses AWS WAF to block attacks targeting the web-facing app.
Code
Peer review: We enable peer review on code changes before pushing them into test environments.
Code changes: Code Changes are pushed to production environment only after a senior developer’s approval.
Continuous tests: Throughout the development life cycle, CI/CD tests are enforced to check the code for compilation errors.
Privileges
Identity management: A secure governance and management system using AWS Control Tower and Organizations provides identity management, cross-account security audits, and federated access to accounts enforced by high-level rules.
User access: Using AWS Cognito, we provide a fine-grained user identity system.
There is no security without an emphasis on people. At Mindflow, we give security within our company the same priority as security in our product. Below is a non-exhaustive list of measures we have implemented company-wide.
Security awareness training: Every Mindflow employee undergoes security awareness training as a mandatory onboarding step. Once a year, every employee must undergo training again.
Background checks: Every employee must complete a background check upon arrival at Mindflow.
Passwords and MFA: Mindflow enforces the use of a SOC 2 Type 2 certified password manager among its employees. Access to critical systems is protected by MFA.
Business continuity: In the event of a disruption of business processes, senior management is trained to minimize downtime and enforce continuity of the business processes.
Devices: All employees are issued company laptops dedicated to professional work upon arrival. The laptops are encrypted to mitigate the risk of theft. Laptops are continuously monitored to prevent incidents or, should one arise, to detect and mitigate it.
Third-party vendor risk assessment: Critical vendors’ security architectures are reviewed against SOC 2 standards.
Mindflow aligns its security architecture with the relevant international frameworks. We have been successfully audited for SOC 2 Type I and Type II on the following Trust categories: Security, Confidentiality, Integrity, and Availability, and have been certified compliant with the ISO/IEC 27001 standard.
Mindflow is committed to GDPR compliance and enforces adequate measures to ensure that requirements are met within the company. You can review our practices and sub-processors in our Privacy policy.
Mindflow provides a process to external users for reporting security, confidentiality, integrity, and availability failures, incidents, concerns, and other complaints. To report incidents linked to the matters mentioned above, please send details to security@mindflow.io.
We are dedicated to conducting our business with the highest standards of probity and integrity. In accordance with the applicable French and international regulations, we have implemented a comprehensive mechanism within our company to prevent breaches of probity and integrity. This public statement outlines our commitment to maintaining this mechanism throughout the duration of our business agreements and to ensuring the confidentiality of those involved in reporting any breaches.
Mindflow is committed to protecting the confidentiality of those who report any breaches of probity and integrity, as well as the persons targeted by such reports and the information collected by all recipients of the report. To maintain confidentiality, we adhere to the following principles:
1. Ensuring the identity of authors of the report, persons targeted by it, and any information collected remains confidential and is only disclosed to authorized personnel on a need-to-know basis.
2. Implementing secure systems and processes to store and manage any sensitive information related to reports of breaches of probity and integrity.
3. Prohibiting any form of retaliation against employees or other parties who, in good faith, report concerns or potential breaches of probity and integrity.
4. Providing support and resources to those who report breaches of probity and integrity, including access to confidential advice and guidance.