How does MailUp infrastructure guarantee compliance with the GDPR?

Information security and adequate management policies for data are our priorities and the reason we make continuous investments in technology.
For many sectors, the GDPR [General Data Protection Regulation] represents an important social innovation. In fact, it clarifies and allows individuals to manage their own privacy. MailUp has considerable experience in threat protection, in privacy protection, and in an array of compliance regulations.
We maintain a policy of transparency and aim to provide you with the information you need to feel secure when you use the platform.

Introduction

For many sectors, the GDPR represents an important social innovation: it clarifies privacy rights and allows individuals to manage their own privacy. MailUp has considerable experience in threat protection, privacy protection and compliance with various regulations. We operate a transparency policy and aim to provide you with the information you need to feel confident using the platform. Every day we renew our commitment to our principles of trust in the cloud, data protection and data security.

  • Contractual commitments: relations with MailUp are supported by contractual commitments for our services, including security standards, support and timely notifications in compliance with the new GDPR requirements.
  • Sharing our experience: We will share the information we collect through various data protection authorities and other reputable organizations so that we can tailor what we have learned to help you create the best path for your organization.

Data Protection Impact Analysis

As required by the regulation, our infrastructure and security policies have undergone an assessment of their adequacy and a preliminary data protection impact assessment. These assessments will continue to be conducted on a regular basis to maintain the highest standards of data protection compliance.

Data Center located in Europe

To safeguard the confidentiality, integrity and availability of data, the MailUp platform relies on a physical data center located in Italy accessible by our staff both physically (with biometric control) and via a virtual private network.

Data Loss Prevention (DLP)

MailUp believes that data loss prevention features are of critical importance as they prevent sensitive information from being shared without authorization. An organization’s data is essential to its success, it must be immediately available to allow for decision-making, but at the same time it must be protected to prevent it from being shared with recipients who are not authorized to access it. For this reason we have implemented a series of organizational and technical measures that allow us to guarantee our customers not only the prevention of unauthorized access, but also adequate security – in relation to the classification of the processed data – for all authorized access.

Mitigation techniques

The infrastructure is designed to be resilient to Distributed Denial of Service (DDoS) attacks: mitigation systems automatically detect and filter excess traffic, and dedicated load balancers provide the scalability needed to absorb unexpected traffic volumes.

Encryption

  • At the physical level, we protect our data through a methodology which, in the event of theft of physical storage media, does not allow sensitive data to be extracted. The technology used for storing data on physical media is designed to increase performance, make the system resilient to the loss of one or more disks, and allow media to be replaced without interrupting service.
  • At the application level, we are able to secure the data contained in customer databases with encryption at rest.
  • At the transport layer, data is exposed to unauthorized access as it travels across the Internet or within networks. For this reason, protecting data in transit is a high priority.
  • We use the TLS/SSL cryptographic protocols, which use symmetric encryption based on a shared session key to provide communication security while guaranteeing data integrity on the network.
  • To be even more secure, within TLS/SSL we use the AES-256 (Advanced Encryption Standard) block cipher, which supersedes the older DES (Data Encryption Standard) cipher, alongside RSA 2048 public-key cryptography for the key exchange.

Threat Protection

  • We employ advanced systems that scan e-mail (both incoming and outgoing) for viruses and for spoofing (forged senders), and we have a clear anti-spam policy.
  • Anti-phishing analysis tools and advanced protection against advanced threats like spear phishing.
  • Identifying and blocking malicious files on our internal network using antivirus and proxy systems.
  • We regularly and automatically check that all our servers are up to date and have the latest security patches installed.
  • We have introduced N-Able, a new remote monitoring and management tool that allows us to supervise all user workstations more efficiently, and also introduces automated anti-malware scans and specific reports.
  • We have introduced a Cyberoo Security Operations Center (SOC) in order to improve the detection and management of cyber attacks.

Multi-Factor Authentication and firewall

The corporate infrastructure is protected by web application firewalls and IDS (Intrusion Detection System) devices, which monitor IT resources for suspicious traffic patterns. Thanks to timely analysis of data traffic by our highly specialized personnel, attacks on the network or on individual computers can be detected, with the Intrusion Detection Systems acting as an “anti-theft” alarm.

There are also multi-factor authentication measures, i.e. an authentication system that requires more than one verification method and therefore adds at least a second level of security for user access and transactions. This method is used by system administrators and on Google and Amazon services.

New Firewall infrastructure

We have improved the entire firewall infrastructure by introducing the new Fortigate solution inside the data center. This implementation has brought several advantages, improving the overall security posture. The Fortigate firewall solution consists of two firewalls operating in Active/Standby mode and replaces the pair previously in use. The new hardware is widely adopted and offers better support in terms of hardware maintenance and, if necessary, replacement.

The software component and features are under constant review for security issues and receive constant updates. New features are available in each new release. This helps to adopt and take advantage of new technologies.
Rules are applied to a single point of action, avoiding mismatches between different firewalls. All connections from the data center perimeter are now monitored through a single pane and provide a better understanding of flows and events through FortiAnalyzer, a NOC-SOC front end for security events. Furthermore, the better availability of information for events detected by the Fortigate firewall allows a better quality of integration with the systems of our external partner ISOC – CSIRT (Cyberoo).

We emphasize, in general, better management of internet resources. The SD-WAN configuration used in this firewall, in fact, allows an automatic response to link failures or connectivity degradation to further increase the availability of connectivity to and from the Data Center. The internet resource pool is now freely usable by all services, and not split between different firewalls as before.

Access monitoring and control

  • Advanced visibility into API calls.
  • Log aggregation options to streamline compliance investigations and reporting.
  • Definition, enforcement and management of user access policies on all services.
  • Suspicious access monitoring allows you to detect possible intrusions using very robust machine learning functions.
  • Programmable alert notifications when thresholds are exceeded or specific events occur.
  • The rights and access levels of employees are based on their job and role, following the principles of “least privilege” and “need-to-know”, according to the responsibilities defined for the employee.
  • Requests for further access follow a formal process that includes approval by the data or system owner or by managers or other executives, depending on established security policies.
  • Implementation of new Group Policies for Windows Active Directory (Office domain) which allow greater security controls by automating a standard configuration for the work environment of users and devices.

Vulnerability Assessment

  • MailUp periodically performs vulnerability tests on all infrastructure systems and on the clients connected to them.
  • We regularly perform security penetration tests, using different vendors.
  • Testing involves high-level server penetration testing, extensive testing for vulnerabilities within the application, and social engineering exercises.
  • Finally, upon request, it is possible to authorize a vulnerability assessment by third parties.

Incident Management

We have a rigorous incident management process for security events that may affect the confidentiality, integrity or availability of systems or data.

We have introduced a Security Operations Center (SOC) in order to improve the detection and management of cyber attacks.
If an incident occurs, the security team logs and prioritizes it based on severity. Events that directly impact customers have the highest priority.

Physical security of data centers

Our data centers are monitored 24/7 by high resolution internal and external cameras, capable of detecting and monitoring intruders. Access logs, activity logs and camera footage are available in case an incident occurs.
As you get closer to the data center, security measures also increase. Access to the data center is governed by the use of a personal security badge and only approved employees with specific roles are allowed access.

  • Our advanced cooling systems maintain a constant operating temperature for servers and other hardware, reducing the risk of service interruptions. Fire detection and suppression equipment, in turn, helps prevent damage to the hardware. Heat, fire and smoke detectors activate audible and visible alarms in the affected area, at the security operations consoles and at remote monitoring stations.

Availability and integrity of personal data

To ensure data availability in the event of hardware malfunctions, backup copies of the most critical servers are made at least once a day. This data is saved on systems installed in a dedicated backup site. MailUp keeps a backup copy of the databases uploaded by customers for the period specified in the data retention policy, after which the copies are automatically deleted. These backups are checked periodically, are organized so as to ensure data separation for each customer, and are securely encrypted to ensure maximum data confidentiality.

Asset management

All physical and logical assets are continuously monitored. The organization applies stringent corporate policies and operating procedures for asset management, in order to verify the correct and efficient use and functioning of each resource along its entire life cycle. This life cycle begins with acquisition, followed by the installation and control of application software (strictly updated and approved), and ends with decommissioning and eventual destruction. N-Able, a new remote monitoring and management tool, has also been introduced; it allows us to supervise all user workstations more efficiently and introduces automated anti-malware scans and specific reports. For the disposal of hardware, we rely on a highly qualified and experienced supplier who guarantees the destruction of the disk and the deletion of the data. The supplier provides a document certifying that the destruction has taken place.

Safe development

All applications developed by MailUp follow the OWASP guidelines for secure code development and Data Protection by Design. The software development process adopted at MailUp is characterized by an extensive test phase, which must be completed successfully before the software can be released to the production environment. Our highly specialized professionals develop the tests taking into account not only the identified use cases but also the abuse cases, in order to verify correct functioning both for legitimate interactions and for malicious ones. MailUp has cutting-edge tools to guarantee the correctness and security of its services: every change to the source code is analyzed with static code analysis tools. Changes to the source code also go through a code review phase, which is required for their approval. All personnel involved in every phase of development and deployment are continuously trained and updated on the best practices deriving from the main international standards on the subject.

Training

At MailUp we believe that continuous training is the only way to keep up with the state of the art, improve and innovate. MailUp provides all its employees with the tools necessary for their professional growth. Specific training plans are also planned every year for each company department.

Background check

All of our professionals have been recruited after rigorous screening in terms of skills and abilities. A background check of candidates is carried out before hiring to verify security requirements, career path and motivation. The organization has established company policies and procedures to ensure that the entire employee life cycle is regulated in order to guarantee labor law rights and the safety of assigned resources.

Data classification

All data and information processed by the organization are classified according to their criticality, expressed in terms of confidentiality, availability, traceability and integrity.

Risk Assessment

Specific corporate policies and procedures are in place for risk assessment against the main IT threats. The implementation of our technical and organizational security measures is the result of a continuous and constant assessment of likelihood and impact on the confidentiality, availability and integrity of the data and information we process, both our own and that of our customers. The organization pursues a risk-based approach in every area of its activity and in the implementation of its technical and organizational models, as required by the regulations that make up the data protection and cybersecurity frameworks.

Supplier management

Our suppliers and third parties are continuously monitored. A risk assessment is carried out on each supplier, together with verification of its technical and organizational measures. This verification is carried out in compliance with Article 28 of the GDPR whenever personal data is processed by a supplier appointed as Data Processor. The agreements with all our suppliers are continuously monitored and checked in order to verify the service levels (SLAs).

Hardware tracking and disposal

  • Control starts with acquisition, continues through installation, and extends to decommissioning and eventual destruction.
  • For the disposal of hardware, we rely on a highly qualified and experienced supplier who guarantees the destruction of the disk and the deletion of the data, and who provides a document confirming the destruction.

Partner

Where applicable, we use service providers/partners only after verifying that they can provide an adequate level of security and privacy, together with precise guarantees that data processing can be kept in Europe. Our partners are:

  • Amazon AWS

For the provision of supporting network services and storage of customer-uploaded images, including Web Proxy and Content Delivery Network (CDN) services. Amazon AWS complies with many international and industry-specific standards. More information can be found directly on the AWS compliance page.