Nothing to see here yet. And that's a good thing 😊
We are closely monitoring developments out of Europe with the European Court of Justice's (ECJ) decision to strike down the EU-US Privacy Shield for data and are speaking with appropriate stakeholders to determine next steps.
Our priority is preventing any disruption to affected customers’ collaboration in MURAL. We have previously provided a Data Processing Agreement (DPA) and Standard Contractual Clauses (SCCs) to customers that require them, and we will continue to do so. Please contact your MURAL representative or email firstname.lastname@example.org if you have any questions about setting up an agreement or contractual clauses.
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
You can see our Privacy Shield Certification here.
If your report has been triaged and validated then we will pay you only via PayPal (we will require your PayPal account). If you do not have a PayPal account we can offer an Amazon gift card instead, for the same amount. Please find our reward program below:
Thank you for keeping MURAL safe and happy hacking!
• At Rest: Your data only resides in the production environment encrypted with AES-256.
• In Transit: All network communication uses TLS 1.2. Sessions are encrypted and authenticated with AES_128_GCM, and keys are exchanged with ECDHE_RSA (ephemeral elliptic-curve Diffie-Hellman, authenticated by the server's RSA certificate), so recorded traffic cannot be decrypted later even if the server key leaks. Qualys SSL Labs scored MURAL's TLS configuration "A+" on its SSL Server Test.
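The following is an added example, not MURAL's code, showing how a client pins the configuration described above (TLS 1.2 or newer, ECDHE_RSA key exchange, AES_128_GCM) with Python's standard ssl module, and how to audit a context against that policy. The cipher-string spellings are OpenSSL's; the "weak" string used for contrast is constructed here and says nothing about MURAL's deployment.

```python
import ssl

# OpenSSL name for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: ECDHE key exchange,
# RSA-authenticated, AES-128-GCM record protection (the suite the page describes).
PINNED_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"


def build_client_context(min_version=ssl.TLSVersion.TLSv1_2, ciphers=PINNED_SUITE):
    """Client context restricted to TLS >= min_version and the given OpenSSL cipher string."""
    ctx = ssl.create_default_context()  # hostname checking and CA verification stay on
    ctx.minimum_version = min_version
    ctx.set_ciphers(ciphers)  # raises ssl.SSLError if none of the named suites is available
    return ctx


def enabled_suites(ctx):
    """Names of the TLS 1.2 suites enabled in ctx (TLS 1.3 suites, named TLS_*, are listed
    separately by OpenSSL and are always ephemeral-DH with an AEAD cipher)."""
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def audit_policy(min_version, suite_names):
    """Findings against the stated policy: TLS 1.2 or newer, ECDHE_RSA key exchange, AES-GCM.

    A pure function over the values, so it can check a live context or a configuration
    read from elsewhere.
    """
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    for name in suite_names:
        if not name.startswith(("ECDHE-", "DHE-")):
            findings.append(f"{name}: static key exchange, no forward secrecy")
        elif not name.startswith("ECDHE-RSA-"):
            findings.append(f"{name}: key exchange is not ECDHE_RSA")
        elif "-GCM-" not in name:
            findings.append(f"{name}: not an AES-GCM (AEAD) suite")
    return findings


def audit_context(ctx):
    return audit_policy(ctx.minimum_version, enabled_suites(ctx))


if __name__ == "__main__":
    good = build_client_context()
    print("pinned suites:", enabled_suites(good), "findings:", audit_context(good))
    # Constructed weaker string for contrast: static-RSA key exchange (no forward
    # secrecy) and an ECDHE_RSA suite that uses CBC+HMAC instead of GCM.
    weak = build_client_context(
        ciphers="AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:" + PINNED_SUITE)
    for finding in audit_context(weak):
        print("finding:", finding)
```

Pinning a single suite on the client side is deliberate for a check like this; a general-purpose client would normally allow the equivalent AES-256 and ChaCha20 ECDHE suites as well, and the audit function accepts any ECDHE_RSA AES-GCM suite for that reason.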
Our backup processes ensure data and information consistency to the highest standards.
Passwords are stored only as salted SHA-512 hashes. SHA-512 is a one-way hash function, not encryption: the hash cannot be reversed to recover the password, and the per-user salt means two users with the same password get different hashes.
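As an added example (not MURAL's code), the block below implements salted SHA-512 hashing with a constant-time check, and beside it PBKDF2-HMAC-SHA512, the slow derivation a practitioner would want because a single SHA-512 call per guess is cheap for an offline attacker. The page does not say how the salt is combined with the password or how long it is, so the 16-byte random salt, the salt-then-password concatenation and the PBKDF2 round count are assumptions made here.

```python
import hashlib
import hmac
import os
import time

SALT_BYTES = 16           # assumption: random per-user salt of this size
PBKDF2_ROUNDS = 200_000   # assumption: iteration count for the slow variant


def hash_password(password, salt=None):
    """Salted SHA-512 as the page describes. Returns (salt, digest); the salt is
    stored next to the digest, the password never is. Salt-then-password
    concatenation is an assumed layout, not one the page states."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time, so response
    timing does not leak how many leading bytes of the digest matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def hash_password_pbkdf2(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Same salt handling, but PBKDF2-HMAC-SHA512 instead of one SHA-512 call:
    every guess costs `rounds` HMAC computations, which is what slows an
    offline attack against a leaked table."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, dklen=64)
    return salt, digest


def verify_password_pbkdf2(password, salt, stored_digest, rounds=PBKDF2_ROUNDS):
    _, candidate = hash_password_pbkdf2(password, salt, rounds)
    return hmac.compare_digest(candidate, stored_digest)


def seconds_per_guess(hasher, n=50):
    """Wall-clock cost of one guess with `hasher`; the absolute number is
    machine-dependent, the ratio between the two hashers is the point."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for i in range(n):
        hasher("guess%d" % i, salt)
    return (time.perf_counter() - start) / n


if __name__ == "__main__":
    # Two users with the same password: the salts differ, so the stored digests differ.
    s1, d1 = hash_password("correct horse battery staple")
    s2, d2 = hash_password("correct horse battery staple")
    print("same password, different digests:", d1 != d2)
    print("verify ok:", verify_password("correct horse battery staple", s1, d1))
    print("verify wrong:", verify_password("correct horse battery stable", s1, d1))
    print("SHA-512 seconds/guess:  %.2e" % seconds_per_guess(hash_password))
    print("PBKDF2 seconds/guess:   %.2e" % seconds_per_guess(hash_password_pbkdf2, n=5))
```

The salt defeats precomputed tables but does nothing about per-guess cost; only the iterated variant (or a memory-hard function such as scrypt or Argon2) makes each guess expensive.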
Your data will never leave the US. Not in the US? We are EU-US Privacy Shield compliant.
Payment details are never stored by MURAL; all payments go through our partner, Stripe, which is PCI DSS compliant.
We currently support SSO with multiple identity providers via SAML 2.0.
Account Verification for Non-SSO Users
Users are required to validate their accounts via a link provided in an automated e-mail.
Our cloud provider is Microsoft Azure. We use its tooling to set up firewall rules, intrusion-detection policies and DMZ policies.
We have an automated process that patches our virtual machines on a daily basis.
We log every action performed in the system.
Every component of our infrastructure is redundant. We use Microsoft Azure Availability Sets and run redundant deployments in the Azure East and West regions.
Full Redundancy of Core Services
Spare deployments across multiple data centers.
Disaster Recovery and Business Continuity
We have tested procedures in place to guarantee our uptime and our system’s availability.
Continuous Security Program
Including periodic independent third-party penetration tests and a formal HackerOne program.
Security and confidentiality incidents submitted to email@example.com or our in-app support chat will be resolved in accordance with established incident policy.
Reporting Service Disruption Incidents or Maintenance Windows
We use StatusPage.io to keep everyone up to date; it offers several ways to subscribe to notifications.
Move Fast, Break Nothing
We have a formal software development lifecycle methodology and change management procedures.
Monthly risk assessments are performed to ensure the application is secure.
All of our vendors offer industry-leading products and go through an exhaustive security audit to ensure their practices meet our security and compliance standards.
We keep our list of subprocessors up to date. You can review our current subprocessors here.
Employees’ level of access is determined by their job position. Logical access reviews are performed periodically, and access is removed immediately once it is no longer necessary.
MURAL uses Microsoft Azure VPN Gateway so that employees who require privileged access reach the system only over a secure connection.
We enforce it for every employee.
Employee Asset Control
Our employees’ devices are monitored in real time, with antivirus, disk encryption, automatic device blocking, and security patches.
We run background checks and sign confidentiality agreements with all employees. We also train them in Information Security and Secure Development Practices.