Data Processing Addendum


| Subprocessor | Subprocessing Activities | Location |
| --- | --- | --- |
| Adobe | Cloud-based Marketing Automation Solution | United States |
| Amazon Web Services | Cloud Service Provider | United States |
| Auth0 | Cloud-based Authentication Services | United States |
| Chorus | Cloud-based Analytics Tool | United States |
| Fivetran | Cloud Based Connector and Data Centralization Services | United States |
| Intercom | Cloud-based Customer Support Services | United States |
| Mandrill / Mailchimp | Cloud-based Customer Support Services | United States |
| Microsoft Azure | Cloud Service Provider | United States |
| Rollbar | Cloud-based Action Tracking Service | United States |
| Sisense (Periscope) | Cloud-based BI Services | United States |
| Vanilla | Cloud-based Community forum | United States |
| Zendesk | Cloud-based Customer Service Provider | United States |

Last Updated: Apr 15, 2022

This Data Processing Addendum (this “DPA”) is entered into by and between MURAL (“we,” “our” or “us”) and Customer (“you” or “your”). For purposes of this DPA, the “Agreement” refers to either the Services Agreement or the Main Services Agreement between you and MURAL for the provision of Services to you (as applicable to you). NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is acknowledged, the parties agree as follows:

1. DEFINITIONS

Some capitalized terms are defined in this Section 1, and others are defined contextually elsewhere in the DPA. Any capitalized terms that are not defined in this DPA have the meanings assigned to such terms in the Agreement.

“Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the Swiss Federal Data Protection Act, and the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”). For the avoidance of doubt, if MURAL’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.

“Data Subject” means an identified or identifiable natural person about whom Personal Data relates.

“EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. (Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN)

“Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms will have the same meaning as defined by applicable Data Privacy Laws, that is Processed for performance of the Services to you under your Agreement. In light of the protections afforded by Data Privacy Laws and this DPA, Personal Data is not considered Confidential Information under the Agreement.

“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Subprocessing” means any sub-contracted Processing that relates directly to the provision of the Services. This does not include ancillary services, such as telecommunication services, postal or transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. A “Subprocessor” is the person with which MURAL has sub-contracted such Processing.

“Subprocessor List” means the list of Subprocessors available at http://www.mural.co/terms/subprocessors.

“UK SCC’s” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as published by the UK Information Commissioner’s Office and in force as of 21 March 2022. (Available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf)


2. SPECIFICATION OF PERSONAL DATA PROCESSING ACTIVITIES

2.1 Description of Processing. MURAL will Process Personal Data solely to fulfill its obligations to you under the Agreement, on your behalf, pursuant to your instructions or authorization, and in compliance with Data Privacy Laws, as follows:

Nature & Purpose of Processing:
  • Processing necessary to provide the Services to you and your Authorized Users.
  • Processing necessary for any sharing or disclosures of Personal Data in accordance with our Terms of Service or as compelled by law.
Categories of Data Subjects: MURAL Processes Personal Data of your Authorized Users.
Categories of Personal Data: The categories of Personal Data Processed include the following:
  • Contact information (including name, email, phone number)
  • Profile information (including employer, job title, location, team, role)
  • Device identifiers (including IP address)
  • Usage data (including activity logs, associated rooms, associated murals)
Sensitive Data: Not applicable; MURAL does not knowingly Process Sensitive Data.
Duration of Processing: The Processing commences upon your agreement to the Agreement and will terminate upon termination or expiration of the Agreement.


2.2 For Customers with US Data Subjects. MURAL will not sell Personal Data or otherwise Process Personal Data for any purpose other than for the specific purposes set forth in this DPA. For purposes of this section, “sell” has the meaning set forth in the CCPA and other US Data Privacy Laws.

2.3 Data Retention. MURAL will retain Personal Data Processed under this DPA in accordance with its standard data retention policies and procedures, which MURAL will make available to you upon request. 

2.4 Return and Destruction of Personal Data. Except to the extent required otherwise by Data Privacy Laws, MURAL will, at your choice and upon your written request, return to you or securely destroy all Personal Data upon such request or at termination or expiration of the Agreement. MURAL will provide you with a certificate of destruction only upon your written request. In case of local laws applicable to MURAL that prohibit the return or deletion of Personal Data, we warrant that we will continue to ensure compliance with this DPA and will only process the Personal Data to the extent and for as long as required under such local laws. 

2.5 Survival. The provisions of this DPA survive the termination or expiration of the Agreement for so long as MURAL or its Subprocessors Process the Personal Data.  

3. SECURITY MEASURES; PERSONAL DATA INCIDENTS

3.1 Security Measures. We will maintain our Security Measures to provide a level of protection that is appropriate to the risks concerning confidentiality, integrity, availability and resilience of our systems and Services, while also taking into account the state of the art, implementation costs, the nature, scope and purposes of Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of Data Subjects. MURAL currently provides Security Measures as described in Attachment C. 

3.2 Confidentiality. We will ensure that the persons we authorize to Process the Personal Data are subject to a written confidentiality agreement covering the Personal Data or are under an appropriate statutory obligation of confidentiality. 

3.3 Personal Data Incidents. We will notify you without undue delay of any Security Incident that impacts Personal Data (a “Personal Data Incident”) when such notification is required under applicable Data Privacy Laws. We will also provide reasonable assistance to you in your compliance with your Personal Data Incident-related obligations, including without limitation by: (a) taking steps to mitigate the effects of the Personal Data Incident and reduce the risk to Data Subjects whose Personal Data was involved (such steps to be determined by MURAL in our sole discretion); and (b) providing you with the following information, to the extent known: (i) the nature of the Personal Data Incident, including, where possible, how the Personal Data Incident occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned; (ii) the likely consequences of the Personal Data Incident; and (iii) the measures we have taken or proposed to address the Personal Data Incident, including where appropriate measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification will contain the information then available and further information will, as it becomes available, subsequently be provided without undue delay.

4. SUBPROCESSORS

4.1 General Written Authorization. You acknowledge and agree that MURAL may use its Affiliates and third party Subprocessors to Process Personal Data in accordance with this DPA and applicable Data Privacy Laws. Where MURAL sub-contracts any of its rights or obligations concerning Personal Data, MURAL will take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with this DPA and applicable Data Privacy Laws. MURAL will remain liable for the acts and omissions of its Subprocessors as if they were its own.

4.2 Our Subprocessor List. MURAL will maintain the Subprocessor List, and you hereby consent to MURAL’s use of such Subprocessors. The Subprocessor List page contains a mechanism for you to subscribe to notifications of updates to our Subprocessors included on the Subprocessor List, and MURAL will provide details of any such changes solely via this subscription mechanism at least thirty (30) days prior to any such change. If you object to a new Subprocessor, you must notify MURAL of your objection, if any, in writing within ten (10) days of receipt of information about the change. You will be entitled to terminate the Agreement with immediate effect and without liability in the event MURAL does not consider your objections within a commercially reasonable period of time. Upon such termination, MURAL will refund any prepaid fees covering our Services on a pro-rata basis following the effective date of such termination. This right to terminate and refund will be Customer’s sole and exclusive remedy.

5. INTERNATIONAL TRANSFERS OF PERSONAL DATA

5.1 Authorization of International Transfers of Personal Data. Customer understands and acknowledges that the Services are cloud-based, and that MURAL is a global organization with headquarters in the United States. As such, it may be necessary to transfer Personal Data to the United States or other jurisdictions outside of the primary jurisdiction of residence of your Authorized Users. Customer hereby expressly authorizes MURAL to make international transfers of the Personal Data as necessary to perform the Services to Customer, including without limitation to the United States, so long as such transfer is conducted in accordance with this DPA and applicable Data Privacy Laws for such transfers are respected. Customer will ensure that Customer and Customer’s Authorized Users are entitled to transfer the Personal Data to MURAL so that MURAL may lawfully Process the Personal Data in accordance with this DPA, including without limitation by sub-contracting any Processing to an Affiliate or third party Subprocessor.

5.2 Transfers from the European Economic Area.  With respect to Personal Data transferred from any European Economic Area jurisdiction for which the GDPR governs the international nature of the transfer, the EU SCCs form part of this DPA. The parties’ completion of the EU SCCs is set forth in Attachment A. In the event of a conflict between the terms of the EU SCCs and this DPA, the EU SCCs will prevail.

5.3 Transfers from the United Kingdom. With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the UK SCCs form part of this DPA. The parties’ completion of the UK SCC’s is set forth in Attachment B. In the event of a conflict between the terms of the UK SCCs and this DPA, the UK SCCs will prevail.

5.4 Transfers from Switzerland. With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction or the United Kingdom) governs the international nature of the transfer, references to the GDPR in Clause 4 of the EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner. In the event of a conflict between the terms of the EU SCCs as amended by this Section 5.4 and this DPA, the EU SCCs as amended by this Section 5.4 will prevail.

5.5 Additional Safeguards. To the extent that MURAL Processes Personal Data of Data Subjects located in or subject to the applicable Data Protection Laws of the European Economic Area, Switzerland, or the United Kingdom, MURAL has implemented a variety of additional safeguards regarding the transfer of such Personal Data from these jurisdictions. MURAL maintains transfer impact assessment materials, which are considered MURAL Confidential Information. We will provide these materials to Customers located in these jurisdictions upon written request to privacy@mural.co.

6. REQUESTS FOR ACCESS BY PUBLIC AUTHORITIES

6.1 Notification. To the extent legally permitted, MURAL will notify you without undue delay if it receives a legally binding request for disclosure of or access to Personal Data from a public authority (including judicial or administrative authorities, or national security or intelligence agencies) or becomes aware of any direct access by a public authority to Personal Data. Such notification will include information about the Personal Data requested or accessed, the requesting or accessing authority, the legal basis for the request or access, and any response provided. If MURAL is prohibited by applicable law or regulation from notifying you or disclosing the details of a public authority request to you, MURAL will use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. If unsuccessful in its attempts at obtaining such a waiver, MURAL will inform you that it can no longer comply with your instructions under this DPA, without providing more details, and await your further instructions. Such notice will entitle you to terminate the Agreement (or, if applicable, only the affected Order Form(s)) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This right to terminate and refund will be Customer’s sole and exclusive remedy.

6.2 Responding to Requests. MURAL will use all reasonably available legal mechanisms to challenge any binding legal requests for disclosure of or access to Personal Data made by a public authority that it receives, as well as any non-disclosure provisions attached to any such request. MURAL will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

6.3 Transparency Reports. To the extent legally permitted, and no more than once per calendar year unless otherwise required by Data Privacy Laws, MURAL will, upon Customer’s written request, provide a report to Customer regarding binding legal requests for disclosure of or access to Personal Data it has received from public authorities (including with respect to national security requests), such report to include the number of requests, the type of Personal Data requested, the requesting authority(ies), whether the requests have been challenged, and the outcome of such challenges. Requests for transparency reports under this Section 6.3 should be sent to: privacy@mural.co.


7. MUTUAL COMMUNICATION, COOPERATION & ASSISTANCE

7.1 Good Faith Efforts. The parties understand and acknowledge that each party’s successful compliance with this DPA and Data Privacy Laws will require the reasonable communication, cooperation and assistance of the other party. To that end, each party commits that it will operate in good faith and provide such reasonable cooperation and assistance.

7.2 Data Protection Impact Assessments. At your request, MURAL will provide you with reasonable cooperation and assistance for your performance of any legally required data protection impact assessment related to your use of the Services, to the extent you do not otherwise have access to the relevant information needed to complete such an assessment, and to the extent such information is available to MURAL.

7.3 Data Subject Requests. If we receive any requests from a Data Subject seeking to exercise any rights afforded to them under Data Privacy Laws regarding their Personal Data, to the extent legally permitted MURAL will promptly notify you or refer the Data Subject  to you for handling. Such requests related to Personal Data may include: access, rectification, restriction of processing, erasure (“right to be forgotten”), data portability, objection to the processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). MURAL will not respond to such Data Subject Requests itself, and you authorize MURAL to redirect the Data Subject Request as necessary to you for handling. In the event you are unable to address a Data Subject Request through the Services’ self-service capabilities, MURAL will, upon your request, provide commercially reasonable efforts to assist you in responding to Data Subject Requests, to the extent we are legally permitted to do so and the response to such Data Subject Request is required under Data Privacy Laws. To the extent legally permitted, you will be responsible for any costs arising from MURAL’s provision of this additional support to assist you with a Data Subject Request.

7.4 Supervisory and Regulatory Authorities.  To the extent legally permitted, each party will notify the other party without undue delay of any inspections or measures conducted by that party’s supervisory or regulatory authority, insofar as they relate to this DPA. Each party will cooperate with the supervisory authority of the other party to aid in their supervisory or regulatory authority’s performance of its tasks (insofar as they relate to this DPA) at the reasonable cost and expense of the party being inspected. In addition, at your reasonable cost and expense, MURAL will provide you with reasonable cooperation and assistance for your consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to MURAL under Data Privacy Laws to consult with a supervisory or regulatory authority in relation to MURAL’s Processing or proposed Processing of Personal Data.

7.5 Complaints and Claims. To the extent legally permitted, each party will inform Data Subjects of a contact point authorized to handle Data Subject complaints regarding the Processing of Personal Data under this DPA. Unless prohibited by applicable law, each party will promptly notify the other party of any complaints or Claims regarding the Processing of Personal Data under this DPA. The parties will work together and provide reasonable cooperation and assistance to each other to promptly address any complaint or respond to the Claim (as applicable).


8. AUDITS

8.1 Information Requests. So long as the Agreement remains in effect and no more than once during each calendar year during the term of the Agreement, at Customer’s sole expense, Customer may request that MURAL provide it with records or information sufficient to demonstrate MURAL’s compliance with this DPA, the nature and format of such records or information to be determined by MURAL in our sole discretion. 

8.2 Audits. If Customer has a reasonable objection that the information provided under Section 8.1 of this DPA is not sufficient to demonstrate MURAL’s compliance with this DPA, Customer may select a mutually-agreed upon third-party to conduct an audit of MURAL’s practices related to Processing Personal Data in compliance with this DPA, at Customer’s sole expense (an “Audit”). To the extent Customer uses a third-party representative to conduct the Audit, Customer will ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this DPA and the Agreement. Customer will provide MURAL with thirty (30) days prior written notice of its intention to conduct an Audit. Before any Audit, Customer and MURAL will mutually agree upon the scope, timing, and duration of the Audit, as well as the MURAL reimbursement rate for which Customer will be responsible. All reimbursement rates will be reasonable, taking into account the resources expended by or on behalf of MURAL. Customer and its third-party representatives will conduct its Audit: (i) acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Services used by Customer; and (ii) in a manner that will result in minimal disruption to MURAL’s business operations. Neither Customer nor its third-party representatives will be entitled to receive data or information of other MURAL customers or any other MURAL Confidential Information that is not directly relevant for the authorized purposes of the Audit in accordance with this provision. Customer will promptly provide MURAL with the Audit results upon completion of the Audit.

8.3 Confidentiality.  All records or information provided by the parties under this Section 8 will be considered “Confidential Information” and subject to the confidentiality provisions of the Agreement.

9. MISCELLANEOUS

Each party represents, warrants, and covenants that it understands and will comply with the restrictions and obligations set forth in this DPA. Each party further represents, warrants, and covenants that it will comply with all Data Privacy Laws applicable to such party in its role as data controller, data processor, service provider, or Subprocessor (as applicable). If applicable to Customer, Customer represents and warrants that it is authorized to enter into this DPA, issue instructions, and make and receive any communications or notifications in relation to this DPA on behalf of Customer Affiliates. MURAL’s collection and processing of personal data for its own purposes, not on behalf of you and independent of providing the Services to you, is outside the scope of this DPA. The parties acknowledge and agree that the exchange of Personal Data between the parties does not constitute a “sale” of Personal Data under any US Data Privacy Laws, and does not form part of any monetary or other valuable consideration exchange between the parties with respect to the Agreement or this DPA. Each party's liability arising out of or related to this DPA is subject to the “Limitations of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together.  

To request a signed copy of this DPA, please contact privacy@mural.co.

ATTACHMENT A 
COMPLETION OF EU SCC’S

EU SCC’s

  1. Module Two or Module Three of the EU SCCs will apply as applicable to you.
  2. The docking option under Clause 7 (Optional - Docking Clause) will not apply.
  3. This DPA and the Agreement are Customer’s complete and final instructions at the time of execution of the DPA for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of the DPA and the Agreement. 
  4. For purposes of Clause 8.1(a) (Instructions), the instructions will be deemed provided as set forth in Section 2 of the DPA, and include onward transfers to Subprocessors located outside the EU / EEA for the purpose of performance of the Services.
  5. For purposes of Clause 8.6(a) (Security of processing), Customer is solely responsible for making an independent determination as to whether the technical and organizational measures set forth in Attachment C meet Customer’s requirements. Customer agrees that such measures provide a level of security appropriate to the risk with respect to its Personal Data. 
  6. For purposes of Clause 8.6(c), any personal data breach will be handled in accordance with Section 3.3 of the DPA. 
  7. The parties agree that the audits described in Clause 8.9 (Documentation and Compliance) will be carried out in accordance with Section 8 of the DPA.
  8. For purposes of Clause 9(a) (Use of Subprocessors), Customer will be deemed to have given general written authorization in accordance with Section 4 of the DPA.
  9. The parties agree that the certificate of deletion of Personal Data that is described in Clauses 8.5 (Duration of processing and erasure or return of data) and 16(d) (Non-compliance with the Clauses and termination) will be carried out in accordance with Section 2.4 of the DPA.
  10. For purposes of Clause 15(1)(a) (Notification), MURAL will notify Customer only and not the Data Subject(s) in case of requests from public authorities. Customer will be solely responsible for promptly notifying the Data Subject(s) as necessary.
  11. For purposes of Clause 17 (Governing law), the parties agree that the EU SCCs will be governed by the laws of Ireland.
  12. For purposes of Clause 18 (Choice of forum and jurisdiction), the parties agree that any dispute arising from the EU SCCs will be resolved by the courts in Ireland. A Data Subject may also bring legal proceedings against Customer and/or MURAL before the courts of the Member State in which the Data Subject has their habitual residence. The parties agree to submit themselves to the jurisdiction of such courts.

Annex I(A):  List of Parties

| The Parties | Data Exporter | Data Importer |
| --- | --- | --- |
| Name | Customer | MURAL |
| Address | As provided in your MURAL Customer account information | 611 Gateway Boulevard, Suite 120 - #1015, South San Francisco, CA 94080 |
| Contact Person | As provided in your MURAL Customer account information | Marina Len Clements, VP of Legal, privacy@mural.co |
| Activities relevant to the transfer | As provided in Section 2 of the DPA | As provided in Section 2 of the DPA |
| Role | Controller or Processor (as applicable) | Processor or Subprocessor (as applicable) |

Annex I(B):  Description of Processing & Transfer

Categories of Data Subjects: As provided in Section 2.1 of the DPA
Categories of Personal Data: As provided in Section 2.1 of the DPA
Sensitive Data: As provided in Section 2.1 of the DPA
Frequency of the Transfer: Continuous during the Term of the Agreement
Nature & Purpose of Processing: As provided in Section 2.1 of the DPA
Purpose of Transfer: To provide the Services to Customer
Duration of Processing: As provided in Section 2.1 of the DPA
Transfers to Subprocessors: Same as above with respect to the subject matter, nature and duration of the Processing

Annex I(C):  Competent Supervisory Authority

The competent supervisory authority will be in accordance with the provision applicable to Customer as provided in Clause 13(a) of the EU SCCs.

Annex II:  Technical and Organizational Measures

As provided in Attachment C to this DPA.

Annex III:  List of Subprocessors

Not applicable; Customer has given general written authorization in accordance with Section 4 of the DPA. 

ATTACHMENT B 
COMPLETION OF UK SCC’S

United Kingdom International Data Transfer Agreement

By entering into this DPA and Attachment B, the parties are deemed to be signing the UK SCCs, including without limitation the Mandatory Clauses in Part 2 and its applicable Tables and Appendix Information. Any undefined capitalized terms used in this Attachment B have the meanings assigned to such terms in the UK SCCs.

Table 1:  List of Parties

Start Date: As set forth in Section 9 of the DPA

| The Parties | Data Exporter | Data Importer |
| --- | --- | --- |
| Full Legal Name | Customer’s full legal name | Tactivos, Inc. |
| Trading Name (if different) | Customer’s trading name | MURAL |
| Address | As provided in your MURAL Customer account information | 611 Gateway Boulevard, Suite 120 - #1015, South San Francisco, CA 94080 |
| Official Registration Number | As applicable to Customer | N/A |
| Key Contact | As provided in your MURAL Customer account information | Marina Len Clements, VP of Legal, privacy@mural.co |

Table 2: Selected SCCs, Modules and Selected Clauses

The “Approved EU SCCs” referenced in Table 2, to which this Addendum is appended, will be the EU SCCs as executed by the parties and completed as set forth in Attachment A.

Table 3: Appendix Information

As provided in Attachment A to this DPA, with specific reference to Annex I(A), Annex I(B), Annex II, and Annex III.

Table 4: Ending this Addendum with the Approved Addendum Changes

Either party may end the UK SCCs as set out in Section 19 of the UK SCCs.

ATTACHMENT C
SECURITY MEASURES

The following provides an overview of some of MURAL’s key Security Measures. More information is available at https://www.mural.co/security or upon request to: compliance@mural.co

Encryption:
  • At Rest: Your data only reside in the production environment encrypted with AES-256.
  • In Transit: All network communication uses TLS v1.2, and it is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism. Qualys' SSL Labs scored MURAL's SSL implementation as "A+" on their SSL Server test.
Password Hashing: Passwords are salted and hashed using the SHA-512 algorithm.
Payment Information: Payment information is not stored by MURAL and all payments made to MURAL go through our payment processing partner, Stripe, a PCI compliant company.
Standards Based Identity: We support Single Sign On (SSO) with multiple identity providers via SAML 2.0. Non-SSO users are required to validate their accounts via a link provided in an automated email, as well as verify their account with a one-time code in addition to their password (2FA).
Infrastructure:
  • Our cloud provider is Microsoft Azure. We leverage their tools to set up firewall rules, intrusion, and DMZ policies.
  • Every component of our infrastructure has redundancy.
  • We have an automated process that patches our virtual machines on a regular cadence.
  • We utilize a Web Application Firewall in addition to other technologies to perform real-time monitoring and proactive blocking of malicious user behavior.
  • All actions on the back-end are logged.
Continuous Security Assessments:
  • We periodically utilize an independent 3rd party to perform penetration tests.
  • We run an ongoing public Vulnerability Disclosure Program (VDP) as well as continuous automated security tests.
  • Our SOC 2 and SOC 3 reports are available at https://www.mural.co/security or upon request.
Vendor Selection: All of our vendors offer industry-leading products and go through an exhaustive security audit as a standard part of our vendor management policy, to ensure their practices meet our security and compliance standards.
Personnel:
  • Level of access is determined by role. Logical access reviews are performed periodically and access is immediately removed when no longer necessary.
  • MURAL uses a VPN solution to ensure personnel that require privileged access have secure access to our corporate network from multiple endpoints.
  • Multi-factor authentication is enforced for all personnel.
  • Personnel devices are monitored in real time, with antivirus, disk encryption, automatic device blocking, and security patches.
  • We run background checks and sign confidentiality agreements with all personnel.
  • We regularly provide security training for all personnel.
Policies & Plans: Among other company policies and plans, MURAL has a Disaster Recovery Business Continuity Plan that is routinely tested to maximize availability, and an incident response plan in the event of a Security Incident or Personal Data Incident.