Security & Compliance

The confidence you need to deploy at scale

MURAL meets and exceeds some of the most broadly recognized security standards and offers flexible enterprise-grade security tools to address compliance requirements, so you can focus on onboarding a collaboration solution for your global teams. This rigorous approach to security is trusted by customers in highly regulated industries such as financial services, government, and defense.

  • Open European Data Protection Office
  • Cloud Security Alliance Certified
  • Qualys
  • ISO 9001:2015 Certified
  • Sqreen
  • GDPR Ready
  • CCPA Ready
  • McAfee Enterprise Ready

Key Security Practices

Data and Information

Encryption
• At Rest: Your data resides only in the production environment, encrypted with AES-256.
• In Transit: All network communication uses TLS v1.2, is encrypted and authenticated using AES_128_GCM, and uses ECDHE_RSA as the key exchange mechanism. Qualys' SSL Labs scored MURAL's SSL implementation as "A+" on their SSL Server test.

Backup Policy
Our backup processes ensure data and information consistency with the highest standards.

Password Hashing
Passwords are salted and hashed using the SHA-512 algorithm.

Data Localization
Your data will never leave the US. Not in the US? Soon customers will have the ability to choose where their data resides. Complete this form to learn more about data residency.

Payment Information
Payment information is not stored by MURAL and all payments made to MURAL go through our partner, Stripe, a PCI compliant company.

Standards-Based Identity
We currently support Single Sign On (SSO) with multiple identity providers via SAML 2.0.

Account Verification for Non-SSO Users
Users are required to validate their accounts via a link provided in an automated e-mail.

Two-factor authentication for Non-SSO Users
Users are required to verify their account with a one-time code in addition to their password.

Infrastructure

Secure Infrastructure
Our cloud provider is Microsoft Azure. We leverage their tools to set up firewall rules, intrusion, and DMZ policies.

Server Patching
We have an automated process that patches our virtual machines on a regular cadence.

Real-Time Monitoring
We utilize a Web Application Firewall in addition to other technologies to perform real-time monitoring and proactive blocking of malicious user behavior.

Logging
All actions on the back-end are logged.

Disaster Recovery and Business Continuity
We have a Disaster Recovery Business Continuity Plan that is routinely tested to maximize availability.

High Availability
Every component of our infrastructure has redundancy. We leverage Microsoft Azure Availability Sets and have redundancy in Azure US East and US West.

Full Redundancy of Core Services
Deployments across multiple data centers.

Continuous Security Assessment
We periodically utilize an independent third party to perform penetration tests. We also run an ongoing public Vulnerability Disclosure Program (VDP) as well as continuous automated security tests.

Secure Software Development Lifecycle
We perform the following initiatives in our software development lifecycle: 

  • Security and Privacy Reviews to identify and mitigate risks during the design phase
  • Static analysis tools to scan code during the development phase 
  • Dynamic analysis tools to scan during the testing and post-release stages

Reporting Service Disruption Incidents or Maintenance Windows
We use StatusPage.io to keep everyone up to date. This service offers several options for subscribing to notifications.

Move Fast, Break Nothing
We have a formal software development lifecycle methodology and change management procedures.

Vendors

Vendor Selection
All of our vendors offer industry-leading products and go through an exhaustive security audit as a standard part of our vendor management policy, to ensure their practices meet our security and compliance standards.

Subprocessors
Our subprocessors can be found here.

Personnel

Logical Access
Each employee’s level of access is determined by role. Logical access reviews are performed periodically, and access is immediately removed when no longer necessary.

Endpoint Security
MURAL uses Pritunl VPN to ensure that employees who require privileged access have secure access to our corporate network from multiple endpoints.

Multi-Factor Authentication
Multi-factor authentication is enforced for every employee.

Employee Asset Control
Our employees’ devices are monitored in real time, with antivirus, disk encryption, automatic device blocking, and security patches.

Personnel
We run background checks and sign confidentiality agreements with all employees. We also regularly train them in Information Security and Secure Development Practices.

Vulnerability Disclosure Policy

This policy is intended for security researchers who have an interest in reporting security vulnerabilities or even potential security-related issues to the MURAL Security team.

Need Enterprise compliance and security support?
MURAL has dedicated enterprise deployment experts ready to partner with you. Submit this form for help navigating global data regulations, governance, and risk management.