SOC II


MURAL is SOC Type II certified - an independent auditor has evaluated our product, infrastructure, and policies, and certifies that MURAL complies with their stringent requirements.

The Service Organization Control (SOC) 2 Report is a standard auditing report governed by the American Institute of Certified Public Accountants (AICPA).

The scope of the SOC 2 report includes assessments of MURAL’s system of controls related to customer data focused on the following areas:

• Infrastructure: The collection of physical and virtual resources that support the overall IT environment used by MURAL to provide its services.

• Software: The applications and system software that MURAL uses to support data processing.

• People: The personnel involved in the governance, management, operation, security and use of the system providing services to customers.

• Data: Transaction streams, files, databases and other output files and data used or processed by MURAL’s system.

• Procedures: The automated and manual procedures related to the services that MURAL provides to customers.

A copy of MURAL’s most recent report is available upon request from compliance@mural.co but you will need to sign an NDA.

The Juicy Table

If your report has been triaged and validated then we will pay you only via PayPal (we will require your PayPal account). If you do not have a PayPal account we can offer an Amazon gift card instead, for the same amount. Please find our reward program below:

Severity    Reward
Low         $100
Medium      $500
High        $1000
Critical    $1500

Thank you for keeping MURAL safe and happy hacking!

We take security seriously, and for good reason: everyone using our service expects their data to be secure and confidential.


We are constantly working on bringing in state-of-the-art security practices into our product, so you can take advantage of cutting edge features designed to safeguard your data and work to maintain your trust.

Our Security Practices

DATA AND INFORMATION

Encryption
• At Rest: Your data only resides in the production environment, encrypted with AES-256.
• In Transit: All network communication uses TLS v1.2, and it is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism. Qualys' SSL Labs scored MURAL's SSL implementation as "A+" on their SSL Server test.

Backup Policy
Our backup processes ensure data and information consistency to the highest standards.

Password Hashing
Passwords are salted and hashed securely with SHA-512.

Data
Your data will never leave the US. Not in the US? We are EU-US Privacy Shield compliant.

Payment Details
Payment details are not stored and all payments made to MURAL go through our partner, Stripe (they are PCI compliant).

Standards-Based Identity
We currently support SSO with multiple identity providers via SAML 2.0.

Account Verification for Non-SSO Users
Users are required to validate their accounts via a link provided in an automated e-mail.

INFRASTRUCTURE

Secure Infrastructure
Our cloud provider is Microsoft Azure. We leverage their tools to set up firewall rules, intrusion policies and DMZ policies.

Server Patching
We have an automated process that patches our virtual machines on a daily basis.

Real-Time Monitoring
We scan our infrastructure and applications periodically to detect any existing vulnerability. We use Qualys for monitoring and a Web Application Firewall from Sqreen.

Logging
We log every action performed in the system.

High Availability
Every component of our infrastructure has redundancy. We leverage Microsoft Azure Availability Sets and have redundancy in Azure East and West.

Full Redundancy of Core Services
Spare deployments across multiple data centers.

Disaster Recovery and Business Continuity
We have tested procedures in place to guarantee our uptime and our system’s availability.

Continuous Security Program
This includes periodic independent third-party penetration tests and a formal HackerOne program.

Incident Management
Security and confidentiality incidents submitted to support@mural.co or our in-app support chat will be resolved in accordance with established incident policy.

Reporting Service Disruption Incidents or Maintenance Windows
We use StatusPage.io to keep everyone up to date. This service provides several options to subscribe to notifications.

Move Fast, Break Nothing
We have a formal software development lifecycle methodology and change management procedures.

Risk Management
Monthly risk assessments are performed to ensure the application is secure.

VENDORS

Vendor Selection
All of our vendors offer industry-leading products and go through an exhaustive security audit to ensure their practices fit our highest security and compliance standards.

Subprocessors
We keep our list of subprocessors up to date. You can review our current subprocessors here.

PERSONNEL

Logical Access
Each employee’s level of access is determined by their job position. Logical access reviews are performed periodically, and access is removed immediately when it is no longer necessary.

Secure Access
MURAL uses Microsoft Azure VPN Gateway to ensure that employees who require privileged access have secure access to the system.

Multi-Factor Authentication
We enforce it for every employee.

Employee Asset Control
Our employees’ devices are monitored in real time, with antivirus, disk encryption, automatic device blocking, and security patches.

Personnel
We run background checks and sign confidentiality agreements with all employees. We also train them in Information Security and Secure Development Practices.
