How does MailUp infrastructure guarantee compliance with the GDPR?
Information security and adequate management policies for data are our priorities and the reason we make continuous investments in technology.
For many sectors, the GDPR [General Data Protection Regulation] represents an important social innovation: it clarifies individuals' rights and allows them to manage their own privacy. MailUp has considerable experience in threat protection, in privacy protection, and in compliance with an array of regulations.
We maintain a policy of transparency and aim to provide you with the information you need to feel secure when you use the platform.
Every day we renew our commitment to respect our principles of trust in the cloud, data protection and data security.
Data Protection Impact Analysis
As required by the regulation, our infrastructure and security policies have been subject to an assessment of their adequacy and preliminary impact on data protection. These assessments will continue to be performed on a regular basis to keep up with the highest standards of data protection compliance.
Data Center located in Europe
To safeguard the confidentiality, integrity and availability of data, the MailUp platform relies on a physical data center located in Italy accessible by our staff both physically (with biometric control) and via a virtual private network.
Data Loss Prevention (DLP)
MailUp believes that data loss prevention features are of critical importance, as they prevent sensitive information from being shared without authorization. An organization’s data is essential to its success: it must be immediately available to allow for decision-making, but at the same time it must be protected from being shared with recipients who are not authorized to access it. For this reason we have implemented a series of organizational and technical measures that allow us to guarantee our customers not only the prevention of unauthorized access, but also adequate security – in relation to the classification of the processed data – for all authorized access.
The infrastructure is designed to be resilient to Distributed Denial of Service (DDoS) attacks through DDoS mitigation systems that automatically detect and filter excess traffic, with dedicated load balancers adding the scalability needed to handle unexpected traffic volumes.
Multi-Factor Authentication and firewall
The corporate infrastructure is protected by web application firewalls and IDS (Intrusion Detection System) devices, which monitor IT resources for suspicious traffic patterns. Thanks to timely analysis of data traffic carried out by our highly specialized personnel, it is possible to detect attacks on the network or on individual computers, where the Intrusion Detection Systems act as an “alarm system”.
Multi-factor authentication measures are also in place, i.e. an authentication system that requires more than one verification method and thereby adds at least a second level of security to user access and transactions. This method is used by system administrators and on Google and Amazon services.
New Firewall infrastructure
We have improved the entire firewall infrastructure by introducing the new Fortigate solution inside the data center. This implementation has brought several advantages, improving the overall security posture. The Fortigate firewall solution consists of two firewalls operating in Active/Standby mode and replaces the pair previously in use. The new hardware is widely adopted and offers better support in terms of hardware maintenance and, if necessary, replacement.
The software components and features are under constant review for security issues and receive regular updates, with new features available in each release. This helps us adopt and take advantage of new technologies.
Rules are applied at a single point of enforcement, avoiding mismatches between different firewalls. All connections at the data center perimeter are now monitored through a single pane, giving a better understanding of flows and events through FortiAnalyzer, a NOC-SOC front end for security events. Furthermore, the richer information available for events detected by the Fortigate firewall allows better integration with the systems of our external partner ISOC – CSIRT (Cyberoo).
We also note, in general, better management of internet resources. The SD-WAN configuration used in this firewall allows an automatic response to link failures or connectivity degradation, further increasing the availability of connectivity to and from the data center. The internet resource pool is now freely usable by all services, and no longer split between different firewalls as before.
Access monitoring and control
We have a rigorous incident management process for security events that may affect the confidentiality, integrity or availability of systems or data.
We have introduced a Security Operations Center (SOC) in order to improve the detection and management of cyber attacks.
If an incident occurs, the security team logs and prioritizes it based on severity. Events that directly impact customers have the highest priority.
Physical security of data centers
Our data centers are monitored 24/7 by high resolution internal and external cameras, capable of detecting and monitoring intruders. Access logs, activity logs and camera footage are available in case an incident occurs.
The data centers are also regularly guarded by experienced security guards, who have received rigorous background checks and training.
As you get closer to the data center, security measures also increase. Access to the data center is governed by the use of a personal security badge and only approved employees with specific roles are allowed access.
Availability and integrity of personal data
To ensure data availability in the event of hardware malfunctions, backup copies of the most critical servers are made at least once a day. This data is saved on systems installed in a dedicated backup site. MailUp keeps a backup copy of the databases uploaded by customers for the time specified in the data retention policy, after which they are automatically deleted. These backups are checked periodically, are organized so as to ensure data separation for each customer, and are securely encrypted to ensure maximum data confidentiality.
All physical and logical assets are continuously monitored. The organization applies stringent corporate policies and operating procedures for asset management, in order to verify the correctness and efficiency of each resource's use and functionality along its entire life cycle. This life cycle begins with acquisition, followed by the installation and control of application software (strictly updated and approved), through to decommissioning and eventual destruction. We have also introduced N-Able, a new remote monitoring and management tool that allows all user workstations to be supervised more efficiently, adding automated anti-malware scans and specific reports. For the disposal of hardware, we rely on a highly qualified and experienced supplier who guarantees the destruction of the disk and the deletion of the data. The supplier provides a document certifying that the destruction has taken place.
All applications developed by MailUp follow the OWASP guidelines for secure code development and Data Protection by Design. The software development process adopted at MailUp is characterized by an extensive test phase, which must be successfully completed before the software can be released to the production environment. Our highly specialized professionals develop the tests taking into account not only the identified use cases but also the abuse cases, in order to verify correct functioning both in the case of legitimate interactions and in the case of malicious interactions. MailUp has cutting-edge tools to guarantee the correctness and security of its services: every change to the source code is analyzed with static code analysis tools. Changes to the source code are also subject to a code review phase required for their approval. All our personnel involved in every phase of development and deployment are continuously trained and updated on the best practices deriving from the main international standards on the subject.
At MailUp we believe that continuous training is the only way to keep up with the state of the art, improve and innovate. MailUp provides all its employees with the tools necessary for their professional growth. Specific training plans are also planned every year for each company department.
All of our professionals have been recruited after rigorous screening in terms of skills and abilities. A background check of candidates is carried out before hiring to verify security requirements, career path and motivation. The organization has established company policies and procedures to ensure that the entire employee life cycle is regulated in order to guarantee labor law rights and the safety of assigned resources.
All data and information processed by the organization are classified according to their criticality, expressed in terms of confidentiality, availability, traceability and integrity. A specific data and information classification procedure is in place in accordance with the main international standards on information security, such as ISO/IEC 27001:2013.
Specific corporate policies and procedures are in place for risk assessment against the main IT threats. The implementation of our technical and organizational security measures is the result of a continuous and constant assessment in terms of likelihood and impact on the confidentiality, availability and integrity of the data and information we process, our own and that of our customers. The organization pursues a risk-based approach in every area of its activity and for the implementation of its technical organizational models, as required by the regulations that are part of the data protection and cybersecurity frameworks.
Our suppliers and third parties are continuously monitored. A risk assessment of each supplier is carried out, together with verification of its own technical and organizational measures. This verification is carried out through second-party audits of the supplier’s infrastructure and, where personal data is processed by a supplier appointed as Data Processor, in compliance with Article 28 of the GDPR. The agreements with all our suppliers are continuously monitored and checked in order to verify the service levels (SLA).
Hardware tracking and disposal
Where applicable, we use service providers/partners only after verifying that they can provide an adequate level of security and privacy, together with precise guarantees that data processing can be kept in Europe. Our partners are:
Amazon AWS: for the provision of supporting network services and storage of customer-uploaded images, including Web Proxy and Content Delivery Network (CDN) services. Amazon AWS complies with many international and industry-specific standards. More information can be found directly on the AWS compliance page.