Privacy, Security and Compliance
Table of Contents
- Trust
- Platform Description
- Privacy
- General Data Protection Regulation (GDPR)
- State Privacy Laws
- Privacy Shield
- Data Collection and Retention
- Data Storage and Encryption
- Compliance and Third-Party Verification
- Security
- Physical Security
- Network Infrastructure
- Identity and Access Management
- Asset Management
- Resource Ownership
- Configuration Management
- Cryptographic Controls
- System Monitoring and Logging
- Vulnerability and Patch Management
- Threat Management
- Third-Party Risk
- Systems/Software Development Lifecycle (SDLC) and Change Management
- Intrusion Prevention and Detection
- Training and Awareness
- Incident Management
- Business Continuity and Disaster Recovery
Trust
Customer trust is Movable Ink’s top priority. Privacy, security and compliance are core to everything we do. As part of that commitment, Movable Ink continuously enhances its product with new privacy and security features as well as updates its policies to reflect industry best practices. We take a Privacy and Security by Design approach to protecting our platform and clients. Our compliance programs enable our clients to verify that our privacy and security measures are well designed and consistently applied.
Platform Description
Movable Ink provides a web-based application (the Studio Application) that enables clients to generate personalized creative email, web, and mobile application content with associated business logic for marketing campaigns at scale. The solution works with a client’s existing Email Service Provider (ESP) and does not send emails. Dynamic creative email content is automatically generated at the time of open. Optionally, Movable Ink’s personalized content can also be included within clients’ web sites and mobile applications. Additionally, Movable Ink’s Studio Application provides a dashboard for reporting and viewing marketing campaign analytics.
Movable Ink’s Da Vinci System enables clients to automate and optimize email marketing campaigns using machine learning models, which serve as the key component of the optimization process. An internet-facing web application allows client users to configure their email marketing campaigns. This configuration, together with the machine learning algorithms, controls the timing (when the email is sent), the target (to whom it is sent), and the content (what is included in the email) of email marketing campaigns. The solution works with a client’s Email Service Provider (ESP) and does not send emails directly to consumers.
Privacy
At Movable Ink, protecting customer data is a first-order priority. We continuously monitor the evolving regulatory and legislative landscape to inform our policies, data security, and product development. Customer data is managed, processed, and stored in accordance with applicable global data protection legal and regulatory requirements. Movable Ink takes a Privacy by Design approach characterized by proactive rather than reactive data privacy measures.
General Data Protection Regulation (GDPR)
Movable Ink has implemented technologies and processes to meet the GDPR requirements for data processors. We consistently protect data in accordance with client instructions and the GDPR’s rules for data processors, including full support for Data Subject Requests (DSRs).
State Privacy Laws
Movable Ink has implemented both technologies and processes to handle user rights requests and has adopted best-practice data protection principles that meet all state requirements.
Privacy Shield
Movable Ink is Privacy Shield certified. Additionally, Movable Ink fully supports The European Commission Standard Contractual Clauses (SCCs) for data transfers.
Data Collection and Retention
Movable Ink is committed to data management best practices such as processing and retaining only the data needed to provide our services. Additionally, dedicated data owners ensure the confidentiality, integrity, and availability of client data throughout the complete data lifecycle. Movable Ink securely deletes client data within 30 days of contract termination. Additionally, Movable Ink can provide a copy of, or transfer, client data within 30 days upon request by an authorized representative.
Data Storage and Encryption
Customer data is stored exclusively in the United States and is encrypted in transit using TLS and at rest using AES-256. The Movable Ink Platform Application is available only over HTTPS, with all traffic encrypted using TLS.
Compliance and Third-Party Verification
Movable Ink’s compliance programs enable our clients to verify that our privacy and security measures are well designed and consistently applied. Movable Ink Studio and Da Vinci have undergone a SOC 2 (Type 2) audit by an accredited auditor, and Movable Ink is able to share a copy of these SOC 2 reports with stakeholders upon request. Our policies, standards, and procedures are based on the ISO 27000 series, and Movable Ink is certified to both ISO 27001 and ISO 27701. Additionally, a qualified, independent security firm conducts comprehensive application and network penetration testing on an annual basis.
Security
Movable Ink’s dedicated Information Security & Compliance team is responsible for the Company’s information security and compliance programs, which address technical, operational, and organizational measures for data governance, privacy, and security.
Physical Security
Movable Ink utilizes AWS and GCP to host its infrastructure and store customer data. All data centers are staffed 24/7/365, utilize biometric access controls and security cameras, and record an audit trail of all access events. Administrator access to data center nodes is limited to authorized personnel who require it to carry out administrative tasks. Access controls are maintained via an automated provisioning system to ensure that they remain up to date.
Network Infrastructure
The Company utilizes a multi-tier network structure with a secure perimeter. Intrusion Prevention and Detection Systems are deployed, maintained, and monitored, and the application and database tiers are accessible only from within the Company’s Virtual Private Cloud (VPC). The production environments of Movable Ink Studio and Da Vinci are configured to implicitly deny all traffic and explicitly allow only well-defined, permitted traffic.
Identity and Access Management
Movable Ink takes a need-based, least-privilege approach to managing access. Access is granted strictly on the basis of role and business need, and regular access recertifications are conducted. Segregation of duties is established for critical functions within the environment to minimize the risk of unauthorized changes to production systems. For external/client users, the Company provides a self-service model: the Studio Application offers multiple user roles so that clients can assign access rights based on business need and manage users throughout the complete lifecycle. For the Da Vinci application, access is granted upon request through Movable Ink’s enterprise-class ticketing system.
Asset Management
Movable Ink maintains network architecture diagrams and a detailed inventory of all assets encompassing hardware, software, and data resources. All assets require clear ownership as well as categorization by type, sensitivity, and criticality.
Resource Ownership
Movable Ink ensures its systems and data have designated resource owners, including clearly documented and communicated roles and responsibilities as they pertain to system and data ownership. Resource owners are responsible for protecting the confidentiality, integrity, and availability of assigned resources as well as their appropriate use throughout the complete life cycle.
Configuration Management
Configuration baselines have been established for network architecture, network devices, operating system deployments, as well as for approved protocols and ports. The DevOps team regularly reviews and updates baseline configurations, and automated solutions have been implemented to safeguard against deviations from these configurations.
Cryptographic Controls
Data at rest is stored in encrypted form using AES-256. Data in transit is encrypted via TLS. The Movable Ink Studio and Da Vinci Platform Applications are available only over HTTPS, with all traffic encrypted using TLS.
System Monitoring and Logging
Movable Ink conducts infrastructure and application monitoring and logging utilizing third-party industry-standard software solutions as well as Movable Ink’s own custom telemetry infrastructure.
Vulnerability and Patch Management
Movable Ink maintains vulnerability and patch management policies and procedures to track its systems for vulnerabilities, defects, and available patches. Internal and external application and network scans are conducted and reviewed at regular intervals according to these policies and procedures. Additionally, Movable Ink conducts annual network and application penetration testing with an independent, qualified third-party firm. As an integral part of our risk management program, any needed remediation is identified, documented, tracked, prioritized, and completed according to its calculated risk rating.
Threat Management
Movable Ink utilizes threat protection services and internal threat analysis to correlate external threat indicators with its assets. Real-time threat intelligence feeds include threat indicator types such as Zero Day, Denial of Service, Public Exploits, and Actively Attacked vulnerabilities. Validated vulnerability disclosure information is continuously considered in the context of Movable Ink’s assets and mapped where applicable down to the individual asset level in order to facilitate rapid, prioritized remediation.
Third-Party Risk
Movable Ink has a comprehensive Procurement and Supplier/Partner Management Policy. For all suppliers and partners, Movable Ink conducts privacy, security, and compliance assessments which result in assigned risk ratings. Vendor and partner systems are reviewed and validated against Movable Ink’s Policies to ensure compliance with Movable Ink’s own privacy and security requirements.
Systems/Software Development Lifecycle (SDLC) and Change Management
Movable Ink takes a Privacy and Security by Design approach throughout the Systems/Software Development Lifecycle. Secure coding best practices are followed including required training, code analysis, segregation of duties, peer code review, approval process, and QA/testing in a dedicated staging environment.
Intrusion Prevention and Detection
Movable Ink has implemented intrusion prevention and detection capabilities across its production and corporate environments, monitored by the DevOps, Information Security & Compliance, and IT teams. Movable Ink has implemented a SIEM tool for anomaly detection. Logs are ingested from various sources, including application, host, and network-level logs. Anomalous activity triggers alerts, which are triaged and investigated as they occur. Movable Ink’s intrusion prevention and detection solutions proactively monitor our production environment for anomalous activity, conduct file integrity monitoring, and reference a centralized database of known threats that is updated at least daily. All corporate laptops are equipped with centralized management and alerting. Movable Ink has implemented DLP to protect its core enterprise applications as well as its production environment.
Training and Awareness
Employees must complete privacy, security, and compliance awareness training upon hire and annually thereafter. Annual training includes, but is not limited to, how to define and protect personal information as well as applicable laws and regulations such as GDPR and CPRA. Additional customized privacy and security training is conducted based on roles and responsibilities, including secure coding training for engineers that includes OWASP Top 10 and SANS Top 20 best practices. Phishing simulations are conducted at least quarterly.
Incident Management
Movable Ink has implemented an incident management framework that includes defined processes, roles, communications, responsibilities, and procedures for detection, escalation, and response to incidents. Comprehensive incident response procedures, centralized tracking tools, and multiple channels for reporting incidents are maintained. Where applicable, the security program and/or platform are updated to incorporate improvements identified as a result of incidents.
Business Continuity and Disaster Recovery
Movable Ink has documented Business Continuity and Disaster Recovery Policies and Plans that outline the procedures to be followed in the event of a serious business disruption affecting the operation of our key functions, and that provide a framework for improving our resilience and ability to continue operating in the event of a major disruption. Movable Ink Studio has implemented active-active replication across its redundant, geographically disparate data centers with multiple redundant nodes. Da Vinci data is stored in encrypted files on Google Cloud Storage. The staging environment takes a copy of the database every half hour. Google Cloud monitoring is used for availability monitoring and alerting. Comprehensive Business Continuity & Disaster Recovery testing is conducted at least annually, including restoration of Movable Ink’s primary database with verification, and tabletop exercises are conducted on a quarterly basis.