• At Rest: Your data resides only in the production environment, encrypted with AES-256.
• In Transit: All network communication uses TLS v1.2, is encrypted and authenticated with AES_128_GCM, and uses ECDHE_RSA as the key exchange mechanism. Qualys' SSL Labs scored MURAL's SSL implementation as "A+" on their SSL Server test.
Our backup processes ensure data and information consistency with the highest standards.
Passwords are salted and hashed using the SHA-512 algorithm.
Designate the region in which data in a mural is stored to help meet corporate policies and compliance requirements globally.
Payment information is not stored by MURAL and all payments made to MURAL go through our partner, Stripe, a PCI compliant company.
We currently support Single Sign On (SSO) with multiple identity providers via SAML 2.0.
Account Verification for Non-SSO Users
Users are required to validate their accounts via a link provided in an automated e-mail.
Two-factor authentication for Non-SSO Users
Users are required to verify their account with a one-time code in addition to their password.
Our cloud provider is Microsoft Azure. We leverage their tools to set up firewall rules, intrusion, and DMZ policies.
We have an automated process that patches our virtual machines on a regular cadence.
We utilize a Web Application Firewall in addition to other technologies to perform real-time monitoring and proactive blocking of malicious user behavior.
All actions on the back-end are logged.
Disaster Recovery and Business Continuity
We have a Disaster Recovery Business Continuity Plan that is routinely tested to maximize availability.
Every component of our infrastructure has redundancy. We leverage Microsoft Azure Availability Sets and have redundancy in Azure US East and US West.
Full Redundancy of Core Services
Deployments across multiple data centers.
Continuous Security Assessment
We periodically utilize an independent 3rd party to perform penetration tests. We also run an ongoing public Vulnerability Disclosure Program (VDP) as well as continuous automated security tests.
Secure Software Development Lifecycle
We perform the following initiatives in our software development lifecycle:
Reporting Service Disruption Incidents or Maintenance Windows
We use StatusPage.io to keep everyone up to date. This service offers several options for subscribing to notifications.
Move Fast, Break Nothing
We have a formal software development lifecycle methodology and change management procedures.
All of our vendors offer industry-leading products and go through an exhaustive security audit as a standard part of our vendor management policy, to ensure their practices meet our security and compliance standards.
Our subprocessors can be found here.
Each employee’s level of access is determined by role. Logical access reviews are performed periodically and access is immediately removed when no longer necessary.
MURAL uses Pritunl VPN to ensure employees that require privileged access have secure access to our corporate network from multiple endpoints.
Is enforced for every employee.
Employee Asset Control
Our employees’ devices are monitored in real time, with antivirus, disk encryption, automatic device blocking, and security patches.
We run background checks and sign confidentiality agreements with all employees. We also regularly train them in Information Security and Secure Development Practices.