The security of your data is paramount. We have deployed a wide range of controls and measures to manage risk, to monitor, assess and respond to emerging threats, and to mitigate vulnerabilities. Both Mavim and our cloud-hosting partner are ISO 27001:2013 certified, and Mavim's Statement of Applicability covers the full scope of the ISO 27001 standard. Our Information Security Management System (ISMS) follows best practices based on ISO 27001:2013. Some of the key measures we deploy include:
- Logically isolated customer-specific network regions ensuring separation of each customer’s data;
- Data encryption in transit and at rest, using strong encryption methods;
- Secure encryption key management, including the option for customers to use their own encryption keys if desired;
- Access control based on user role and authentication, with integration to identity and directory services available (e.g. Active Directory or SAML);
- Secure service operations based on least privilege principles with operational access protected by multi-factor authentication and encrypted VPNs;
- Active vulnerability management via infrastructure hardening, frequent software patch management and application code analysis within our software development life cycle (SDLC), using best practices such as those of the Open Web Application Security Project (OWASP);
- Regular penetration tests on our infrastructure and applications (including customer-run penetration tests by prior arrangement);
- Secure activity monitoring and logging for audit trail purposes;
- Secure media disposal and no use of tapes or removable media in our SaaS service infrastructure;
- Session IDs are invalidated on logout and on session timeout. Sessions are closed after 30 minutes of inactivity (idle timeout), after an absolute timeout of 4 hours, or when the user presses the logout button;
- We secure application sessions by setting the "Secure" and "HttpOnly" cookie attributes, rotating session IDs, and validating security-related cookies and session IDs;
- We periodically audit and remove unnecessary accounts from all components of our infrastructure. To ensure prompt removal of system access that is no longer needed, we have rigorous HR joiner, mover and leaver processes in place, as well as an escalation process for urgent cases;
- To connect to our infrastructure, our system and database administrators use multi-factor authentication (MFA) with one-time passwords (OTP). System passwords are rotated periodically without requiring a service outage. Role-based access control (RBAC) is used to authorize users of our administration API;
- Data return and secure destruction at contract end.
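The session controls listed above (Secure and HttpOnly cookie attributes, a 30-minute idle timeout, a 4-hour absolute timeout, session ID rotation, and invalidation of the ID on logout) are the part of this list that maps directly onto code. The Python below is an added illustration written for this page, not Mavim's implementation: the cookie name `sid`, the in-memory store, the injectable clock and the `SameSite` attribute are assumptions of the example and are not stated on the page.

```python
"""Server-side session handling: idle and absolute timeouts, Secure/HttpOnly
cookies, session ID rotation and invalidation on logout.

Added example for this page; not Mavim's code. The cookie name, the in-memory
store and the SameSite attribute are assumptions, not something the page states.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60          # 30 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 4 * 60 * 60  # 4 hours after creation the session ends regardless of activity
COOKIE_NAME = "sid"             # assumed cookie name


@dataclass
class Session:
    user: str
    created: float    # epoch seconds when the session was issued
    last_seen: float  # epoch seconds of the most recent validated request


class SessionStore:
    """In-memory store; a real deployment would back this with a shared store."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable so the timeouts can be exercised deterministically
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 random bytes from the OS CSPRNG: unguessable and not derived from user data
        return secrets.token_urlsafe(32)

    def create(self, user: str) -> str:
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def validate(self, sid: Optional[str]) -> Optional[Session]:
        """Return the live session for sid, refreshing its idle timer.

        An expired session is removed server-side, so a replayed cookie fails
        even if the browser still holds it.
        """
        if not sid:
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session.last_seen > IDLE_TIMEOUT
        absolute_expired = now - session.created > ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            self.destroy(sid)
            return None
        session.last_seen = now
        return session

    def rotate(self, sid: str) -> Optional[str]:
        """Move the session onto a fresh ID (typically right after authentication),
        so an ID that was fixed or observed before login is useless afterwards."""
        session = self.validate(sid)
        if session is None:
            return None
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = session
        return new_sid

    def destroy(self, sid: str) -> None:
        """Logout or timeout: the ID is invalidated server-side, not just in the browser."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access),
    SameSite (an assumed addition), and a Max-Age matching the absolute timeout."""
    return (f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={ABSOLUTE_TIMEOUT}")


def clear_cookie_header() -> str:
    """Set-Cookie value sent on logout so the browser drops the cookie as well."""
    return f"{COOKIE_NAME}=; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=0"
```

The point a practitioner should take from this is that the browser-side attributes are only half of the control: `Max-Age` and the logout cookie tell a well-behaved browser to forget the ID, but the idle and absolute limits and the rotation on login are enforced by `SessionStore`, so a stolen or fixed ID stops working on the server regardless of what the client does.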
FSQS (Financial Services Qualification System) is a community of financial institutions, including banks, building societies, insurance companies and investment services, collaborating to agree a single standard for managing the increasing complexity of third- and fourth-party information needed to demonstrate compliance with regulators, policies and governance controls. Mavim has obtained FSQS registration.