Data Security

Last Updated: May 1, 2023

MoveData maintains administrative, physical, and technical safeguards designed for protection of the security, confidentiality, and integrity of Personal Information uploaded to the Service, as described in this Schedule.

1. Security Governance

1.1. MoveData maintains an information security program (including the adoption and enforcement of internal policies and procedures) designed to:

a. help our customers secure their data processed using MoveData Services against accidental or unlawful loss, access, or disclosure,

b. identify reasonably foreseeable and internal risks to security and unauthorised access to MoveData Services, and

c. minimise security risks, including through risk assessment and regular testing.

1.2. Security Governance covers the following core functions:

a. application security (secure development, security feature design, and secure development training)

b. infrastructure security (data centres, cloud security, and strong authentication)

c. monitoring and incident response (cloud native and custom)

d. vulnerability management (vulnerability scanning and resolution)

e. compliance and technical privacy

f. security awareness (onboarding training and awareness campaigns)

2. Access Control

2.1. Preventing Unauthorised Product Access

Third party data hosting and processing: MoveData exclusively uses Amazon Web Services for data hosting and processing purposes and as such inherits their compliance (read more). Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with this Addendum. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed and/or stored by these vendors.

Physical and environmental security: MoveData hosts product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls of such providers are audited for SOC 2 Type II and ISO 27001 compliance (amongst other certifications). Additional information about physical and environmental security can be found here.

Authentication: Customers who interact with MoveData Services are required to authenticate before they are able to access their non-public data. Since MoveData is installed into Salesforce it inherits Salesforce’s own Multi-Factor Authentication (read more).

Authorisation: Customer Content (content transferred in and out of integrations or other MoveData Services) is stored in multi-tenant storage systems which are only accessible to Customers via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorisation model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customisation options. Authorisation to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorisation. Authorisation credentials are stored encrypted.

2.2. Preventing Unauthorised Product Use

We implement industry-standard access controls and detection capabilities for the internal networks that support our products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorised protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Static code analysis: Automated security reviews of code stored in our source code repositories are performed through static code analysis, checking for coding best practices and identifiable software vulnerabilities.

Security testing: The MoveData application and APIs are certified by Salesforce for the Salesforce AppExchange. To achieve this, MoveData has passed an exhaustive suite of tests including static code analysis and penetration testing. We are reviewed periodically by the Salesforce Security Review team in order to remain compliant (read more).

2.3. Limitations of Privilege & Authorisation Requirements

Product access: A subset of our personnel have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of personnel is to provide effective customer support, troubleshoot potential problems, detect and respond to security incidents, and implement data security.

Personnel Security: MoveData personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. MoveData conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local law and regulations.

3. Encryption Technologies

In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on all our login interfaces and for free on every customer site hosted on the MoveData products. Our HTTPS implementation uses industry-standard algorithms and certificates in combination with additional application-specific controls.

At-rest: We store user passwords in accordance with policies that follow industry-standard practices for security. We have implemented hardware-based cryptographic technologies to ensure that stored data is encrypted at rest.

4. Input Controls

Detection: We designed our infrastructure to log extensive information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate personnel of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, and/or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimise product and customer damage or unauthorised disclosure. Notifications will be in accordance with the terms of the Agreement.

5. Data Deletion and Portability

Please see Data Retention and Deletion

6. Availability Controls

Our products are designed to ensure redundancy and seamless failover. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.

Redundancy: The infrastructure providers use designs to eliminate single points of failure and minimise the impact of anticipated environmental risks. MoveData’s product is designed to allow the company to perform certain types of preventative and corrective maintenance without interruption.

Business Continuity: MoveData has designed and regularly plans and tests its business continuity planning/disaster recovery programs.