Customer Data Protection Policy
MuleSoft is committed to achieving and maintaining the trust of our customers. Integral to this mission is providing robust security and data protection mechanisms that provide both MuleSoft and the customer with mechanisms to ensure the security of data across our Products and Services.
This Customer Data Protection Policy (“Policy”) provides customers with a standard set of security safeguards used in the performance of MuleSoft Products and Support Services purchased under the Master Subscription Agreement (“Agreement”).
- a) Definition. For purposes of this Policy, the term “Data” shall mean Confidential Information and any data or other information provided by customer to which MuleSoft has or has had access in connection with the Cloud Offerings and Software (“Products”) or professional consulting services and support and maintenance (“Support Services”) purchased under the Agreement.
- b) Security and Data Protection Obligations. This Policy applies to: (i) MuleSoft and its personnel who may access Data in the course of providing the Products or Support Services; (ii) all Data collected, stored, processed or transmitted by customer using the Cloud Offerings; (iii) all information systems owned or operated by MuleSoft that are used in connection with the provision of the Support Services; and (iv) all information hosting facilities used in connection with the provision of the Cloud Offerings. This Policy applies to any subcontractors and their personnel to the same extent as it applies to MuleSoft. More information around the security of MuleSoft Products may be found in the Security Whitepaper at: https://www.mulesoft.com/lp/whitepaper/saas/cloud-security. MuleSoft may update this Security Whitepaper provided any such updates do not degrade or materially decrease the overall security of the Products.
2. Information Security Controls – General.
- a) Security Control Program. MuleSoft represents and warrants that it developed, implemented, and maintains a comprehensive written information security control program (“Program”) applicable to the Products, that contains administrative, technical, and physical safeguards that are appropriate to the need for security and confidentiality of the Data. The safeguards contained in such Program are and shall remain consistent with the safeguards set forth in any state or federal regulations applicable to the Products and practiced by top tier providers of services similar to those provided by MuleSoft.
- b) Information Security Controls. At customer’s request, MuleSoft shall provide customer with written evidence of its Program covering all information systems, equipment and facilities used in connection with the provision of the Products. This proof shall be in the form of an SSAE 16 SOC 2 report, ISO 27001 certificate or PCI-DSS attestation of compliance.
- c) Hosting Facility . MuleSoft use Amazon Web Services (AWS) as a hosting provider for its Cloud Offerings. Amazon provides robust physical and perimeter facility of its data centers with a strong combination of controls, including physical, technical and administrative. MuleSoft has reviewed appropriate documentation provided by Amazon to validate those controls.
3. Personnel, Communications and Operations Management.
- a) Without limiting the generality of the foregoing, MuleSoft Program includes:
- i) A designated team responsible to maintain MuleSoft information security controls.
- ii) Identifying, assessing and promptly correcting reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any Data, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
- (1) ongoing employee (including temporary and contract employee) training;
- (2) employee compliance with policies and procedures; and
- (3) means for detecting and preventing security system failures.
- iii) Security policies for employees relating to the access of Data.
- iv) Imposing and enforcing disciplinary measures for violations of the comprehensive information security controls.
- v) Preventing terminated employees from accessing any Data.
- vi) Overseeing subcontractors by taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect Data consistent with these Information Security and Data Protection obligations.
- vii) Provides regular monitoring to ensure that the Program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of Data and upgrading information safeguards as necessary to limit risks.
- viii) Reviews the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing Data.
- ix) Notifies customers of any breach, or actual non-compliance by MuleSoft of any applicable Data protection law or any provision of this Policy as soon as reasonably possible after becoming aware of such breach or actual non-compliance.
- x) Documents and records responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of Data.
4. Computer System Security Requirements.
MuleSoft Program includes commonly requested security protocols that include the following elements:
- a) Secure user authentication protocols including:
- i) Adherence to the principles of “Deny all”, “Need to know” and “Least privilege”;
- ii) Strong control of user IDs and other identifiers;
- iii) Secure method of assigning and selecting passwords, with appropriately strong parameters, as well as the use of unique identifier technologies;
- iv) Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
- v) Access is restricted to active users and active user accounts only; and
- vi) Access is blocked to user after multiple unsuccessful attempts to gain access to a system.
- b) Secure access control measures that:
- i) Restrict access to records and files containing Data to only those who need such information to perform their job duties; and
- ii) Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
- c) Encryption is used to:
- i) Protect transmitted records and files containing Data that will travel across public networks, and, if applicable, encryption of all Data to be transmitted wirelessly, with encryption in all cases at a strength that is commercially reasonable given the nature of the data transmitted and the transmission method(s).
- d) Systems are monitored for unauthorized use of or access to Data.
- e) Encryption is in place on all Data stored on laptops or other portable devices.
- f) For files containing Data on a system that is connected to the Internet, there must be up-to-date firewall protection and operating system security patches designed to maintain the integrity of the Data.
- g) Up-to-date versions of system security agent software, which must include malware protection and up-to-date patches, or a version of such software that can still be supported with up-to-date patches, and is set to receive the most current security updates on a regular basis.
- h) Education and training of employees on the proper use of the computer security system and the importance of Data security.