Data Security Standards
The following describes Mochadocs Group’s security principles and architecture with respect to the administrative, technical, and physical controls applicable to the Service. Capitalized terms have the meaning assigned to them in the Agreement unless otherwise defined herein.
Mochadocs Group emphasizes the following principles in the design and implementation of its security program and practices: (a) physical and environmental security to protect the Service against unauthorized access, use, or modification; (b) maintaining availability for operation and use of the Service; (c) confidentiality to protect customer data; and (d) integrity to maintain the accuracy and consistency of data over its life cycle.
2. Security Program
Mochadocs Group maintains an information security program, which includes: (a) a formal risk management program; (b) periodic risk assessments, at least annually, of all systems and networks that process Customer Data; (c) monitoring for security incidents and maintaining a tiered remediation plan so that discovered vulnerabilities are fixed in a timely manner; (d) a written information security policy and incident response plan that explicitly addresses and provides guidance to its personnel on the security, confidentiality, integrity, and availability of Customer Data; (e) penetration testing performed annually; and (f) dedicated resources responsible for information security efforts.
3. Data Centers
Mochadocs Group uses Amazon Web Services (AWS) to manage and host its production servers and databases in the European Economic Area (EEA). AWS maintains a robust physical security program with multiple attestations and certifications, including SSAE 16 (now SSAE 18) SOC reports and ISO 27001 certification.
4. Access Controls and Policies
Access to manage Mochadocs Group’s AWS environment requires multi-factor authentication, SSH access to the Service is logged, and access to Customer Data is restricted to a limited set of approved Mochadocs Group employees. AWS networking features such as security groups are used to restrict access to AWS instances and resources and are configured according to the principle of least privilege: each rule admits only the source, protocol, and port range that a workload actually requires. Employees are trained on documented information security and privacy procedures.
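The least-privilege claim above is one a customer or an internal reviewer can check mechanically against the security groups actually deployed. The following Python script is an added example, not Mochadocs Group’s own tooling: it reads security groups in the shape returned by `aws ec2 describe-security-groups` (the sample document embedded in it is constructed, and the set of "admin" ports and the "broad range" threshold are assumed policy values, not taken from this page) and reports rules that expose administrative ports to the whole internet or admit overly wide address ranges.

```python
"""Audit AWS security group ingress rules for least privilege.

Added example, not Mochadocs Group code. The input shape follows the JSON
that `aws ec2 describe-security-groups` returns; SAMPLE_GROUPS below is
constructed sample data. ADMIN_PORTS and MAX_SOURCE_HOSTS are assumed policy
values, not taken from the Data Security Standards text.
"""
import ipaddress
import json

# Ports that should never be reachable from the whole internet (assumed policy).
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379, 27017}
# Any single source CIDR wider than this is treated as "broad" (assumed: a /16).
MAX_SOURCE_HOSTS = 1 << 16

# Constructed sample in the shape of describe-security-groups output.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaa",
            "GroupName": "web",
            "IpPermissions": [
                # HTTPS from anywhere: expected for a public web tier.
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
                # SSH from anywhere: violates least privilege.
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0bbb",
            "GroupName": "db",
            "IpPermissions": [
                # Postgres only from the web tier's security group: acceptable.
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
                # All protocols and ports from an entire /8: too broad.
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
                 "UserIdGroupPairs": []},
            ],
        },
    ]
}


def _port_label(perm):
    """Human-readable port range; protocol -1 means every port of every protocol."""
    if perm["IpProtocol"] == "-1":
        return "all ports"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return str(lo) if lo == hi else f"{lo}-{hi}"


def _covers_admin_port(perm):
    if perm["IpProtocol"] == "-1":
        return True
    lo, hi = perm["FromPort"], perm["ToPort"]
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def audit(groups):
    """Return a list of findings, each {"group", "severity", "detail"}."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
            for rng in ranges:
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                net = ipaddress.ip_network(cidr, strict=False)
                label = f"{_port_label(perm)} from {cidr}"
                if net.prefixlen == 0 and _covers_admin_port(perm):
                    findings.append({"group": sg["GroupId"], "severity": "HIGH",
                                     "detail": f"admin port(s) exposed to the internet: {label}"})
                elif net.prefixlen == 0:
                    findings.append({"group": sg["GroupId"], "severity": "INFO",
                                     "detail": f"public service port: {label}"})
                elif net.num_addresses > MAX_SOURCE_HOSTS:
                    findings.append({"group": sg["GroupId"], "severity": "MEDIUM",
                                     "detail": f"broad source range: {label}"})
    return findings


def load_groups(path):
    """Load the JSON written by: aws ec2 describe-security-groups > groups.json"""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print(f'{f["severity"]:6} {f["group"]}: {f["detail"]}')
```

Rules that reference another security group (the `UserIdGroupPairs` form, as in the database rule above) are the least-privilege pattern the text describes and produce no finding; only CIDR-based sources are scored. Run it against a real export with `load_groups("groups.json")` in place of the constructed sample.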
5. Audits and Certifications
Mochadocs Group holds ISO 27001 certification for its Information Security Management System (ISMS), covering the suitability of its controls for security, availability, and integrity. Mochadocs Group and its ISMS are audited annually by an accredited assessor.
6. Vendor Management
Mochadocs Group takes reasonable steps to select and retain only third-party service providers that maintain and implement security measures consistent with those stated in this attachment. Before software is deployed or a software vendor is engaged at Mochadocs Group, Mochadocs Group’s Security Officer reviews the vendor’s security controls, data retention policies, privacy policies, and security track record. The Security Officer may reject any software or software vendor that fails to demonstrate the ability to adequately protect Mochadocs Group’s data and End Users.
7. Testing and Remediation
On both a scheduled and an ad hoc basis, Mochadocs Group performs itself, and engages third parties to perform, a variety of testing to protect against unauthorized access to Customer Data and to assess the security, reliability, and integrity of the Service. To the extent Mochadocs Group determines, in its sole discretion, that remediation is required based on the results of such testing, it will perform that remediation within a reasonable period, taking into account the nature and severity of the identified issue.
8. Security Incident Response
Mochadocs Group performs incident response tabletop exercises annually and maintains an incident response plan designed to establish a reasonable and consistent response to security incidents and suspected security incidents, meaning the accidental or unlawful destruction, loss, theft, alteration, or unauthorized disclosure of, or access to, proprietary data or personal data transmitted, stored, or otherwise processed by Mochadocs Group. If Mochadocs Group detects and subsequently confirms unauthorized access to or disclosure of Customer Data, Mochadocs Group shall promptly report the breach to Customer, perform a root cause assessment, and remedy the breach in a timely manner. Mochadocs Group shall use reasonable efforts to communicate and cooperate with Customer during any such remediation.
9. Security Monitoring
Anti-virus or anti-malware software is installed to detect and prevent unauthorized or malicious software. Mochadocs Group also uses intrusion detection systems (IDS) on its corporate networks and production environments and runs security scans on a regular basis. Mochadocs Group keeps the software it runs patched, automatically where possible and manually otherwise, and relies on Amazon-managed updates for AWS-managed components where appropriate. Mochadocs Group maintains a vulnerability scanning process for production systems whose scope covers both external and internal systems in the production environment. Mochadocs Group’s IT team performs vulnerability scans at least weekly and assigns each vulnerability a severity rating based on the assessment tool’s criteria; vulnerabilities rated high or above require remediation. Vulnerability scans are also run after any significant change to the production environment, as determined by the Mochadocs Group Security Officer.
10. Encryption
Customer Data is encrypted in transit and, subject to the version of the Service selected by Customer, encrypted at rest. Connections to the Service use 256-bit cipher suites over TLS 1.2 or later; earlier protocol versions are not accepted. Logins and sensitive data transfers are performed over encrypted protocols such as TLS or SSH.
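The transport claim above (TLS 1.2 or later, 256-bit encryption) can be verified from the client side without any cooperation from the vendor. The following Python script is an added example, not Mochadocs Group’s own code: it builds a client context that refuses anything below TLS 1.2, evaluates what a server negotiated against the stated policy, and separately checks whether the server still accepts a TLS 1.1-only client. The hostname is a command-line argument, and the cipher-suite preference string is an assumption of this example, not a setting taken from the page.

```python
"""Check a TLS endpoint against the policy "TLS 1.2 or later, 256-bit cipher".

Added example, not Mochadocs Group code. The target host is supplied on the
command line; the cipher preference string below is an assumption of this
example. Only the Python standard library is used.
"""
import socket
import ssl
import sys

MIN_VERSION = ssl.TLSVersion.TLSv1_2
MIN_BITS = 256
# Protocol names exactly as SSLSocket.version() reports them, oldest first.
_VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def client_context():
    """Client context that never negotiates below TLS 1.2.

    create_default_context() verifies the server certificate against the
    system CA store. The cipher string (assumed) prefers 256-bit ECDHE suites
    for TLS 1.2; TLS 1.3 suites are fixed by OpenSSL and may include
    TLS_AES_128_GCM_SHA256, which evaluate_session() will flag.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers("ECDHE+AES256:ECDHE+CHACHA20")
    return ctx


def evaluate_session(version, strength_bits):
    """Return (ok, reasons) for a negotiated session.

    version is the string from SSLSocket.version(); strength_bits is the
    third element of SSLSocket.cipher().
    """
    reasons = []
    if version not in _VERSION_ORDER or _VERSION_ORDER.index(version) < _VERSION_ORDER.index("TLSv1.2"):
        reasons.append(f"protocol {version} is below TLS 1.2")
    if strength_bits < MIN_BITS:
        reasons.append(f"cipher strength {strength_bits} bits is below {MIN_BITS}")
    return (not reasons, reasons)


def probe(host, port=443, timeout=5):
    """Connect with the hardened context and report what was negotiated."""
    ctx = client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            ok, reasons = evaluate_session(tls.version(), bits)
            return {"version": tls.version(), "cipher": name, "bits": bits,
                    "ok": ok, "reasons": reasons}


def legacy_refused(host, port=443, timeout=5):
    """True if the server rejects a client that can only speak TLS 1.1.

    Certificate checks are disabled here on purpose: the only question is
    whether the handshake completes. If the local OpenSSL build cannot even
    offer TLS 1.1, the test is reported as refused.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL offer legacy suites
    except (ValueError, ssl.SSLError):
        return True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return False  # handshake succeeded: TLS 1.1 still accepted
    except (ssl.SSLError, ConnectionResetError):
        return True


if __name__ == "__main__":
    target = sys.argv[1]
    result = probe(target)
    print(f"{target}: {result['version']} {result['cipher']} ({result['bits']} bits) -> "
          f"{'OK' if result['ok'] else 'FAIL: ' + '; '.join(result['reasons'])}")
    print(f"TLS 1.1-only client refused: {legacy_refused(target)}")
```

Run it as `python tls_check.py <host>`. A server that negotiates TLS 1.3 with `TLS_AES_128_GCM_SHA256` is standards-compliant but does not meet a literal "256-bit" claim, which is exactly the kind of gap this check surfaces; a `legacy_refused` result of `False` means the server still accepts TLS 1.1 despite the stated minimum.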
11. Backup and Restoration
Mochadocs Group takes hourly snapshots of its databases and securely copies them to a separate AWS region for restoration in the event of a regional AWS failure. Backups are encrypted and protected by the same controls as production. Additionally, Customer Data is stored across multiple AWS regions.
12. Change Management
Mochadocs Group has established a change management policy to ensure that changes meet Mochadocs Group's security, confidentiality, and availability requirements. Management reviews and approves the policy annually. Any change to production or IT configuration with possible security consequences must be reviewed by the team responsible for the affected area prior to deployment.
13. Disaster Recovery and Business Continuity
Mochadocs Group maintains a business continuity plan for extended service outages caused by unforeseen or unavoidable disasters, intended to restore services to the widest extent possible within a reasonable time frame. This plan covers mission-critical business functions and their associated systems. Mochadocs Group has documented disaster recovery policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a disaster. Database snapshots are taken at least daily, backups are encrypted in storage and stored in a separate region, and the Service runs on redundant network and server infrastructure located in geographically separate data centers. This plan is reviewed and tested annually.
Mochadocs Group reserves the right to update these terms from time to time and modify its security practices.