Our approach
Mio is making cross-platform communication between teams a reality. In doing so, protecting the integrity and security of your data is of paramount importance to us. This post presents our approach to security so your company has a high degree of confidence when communicating over our systems.
Security by design
It is our philosophy that security should be incorporated into our product design from day one. Mio has completed a SOC 2 Type II audit and continues to improve the product with security in mind.
All projects undertaken are subject to a risk assessment to ensure we don’t compromise our underlying security policies.
Organizational security
We educate our team to understand the importance of keeping your user data secure. This includes industry-standard authentication and authorization methods and maintaining the privacy of the personal information you transmit over our network.
Protecting your data
Classifying and prioritizing data
We classify and prioritize data to ensure we can provide the highest tier of security to your online messaging transactions. If we can avoid storage of your data we will do so. If we need to retain sensitive or critical data, we will encrypt it and ensure it can be destroyed.
Data encryption in transit and at rest
All data transmitted via Mio systems is protected with the TLS 1.2 protocol, and sensitive payloads are additionally encrypted using AES-256 or an equivalent cipher. We connect to external messaging partners using the strongest encryption protocols they support, and we proactively upgrade when new standards become available. Data at rest is encrypted to a minimum of AES-256 at the hosting vendor's storage layer, with additional application-level encryption applied to sensitive data.
Authorizing access
We never store end-user plaintext passwords or similar sensitive credentials on our systems. Wherever possible we require users to authenticate through our platform partners' own authentication systems, so that we only process and store encrypted access tokens issued by those platforms for each of our users.
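The two sections above describe application-level encryption of sensitive data and storing encrypted access tokens rather than passwords. The Go program below is an added illustration of that pattern, not Mio's own code: a partner-issued access token is sealed with AES-256-GCM before it is written to storage, with the owning user's ID bound in as additional authenticated data so a ciphertext copied between user records will not decrypt, and a client TLS configuration refuses anything below TLS 1.2. The key, user ID and token value are constructed placeholders, and the function names (sealToken, openToken, hardenedTLSConfig) are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
)

// sealToken encrypts a third-party access token with AES-256-GCM before it is
// written to storage. The user ID is passed as additional authenticated data
// (AAD), so a sealed blob copied from one user's row cannot be opened under
// another user's ID. Output layout: nonce || ciphertext || GCM tag.
func sealToken(key []byte, userID, token string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per token; reusing a nonce under the same key
	// breaks GCM, so never derive it from the user or token value.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(token), []byte(userID)), nil
}

// openToken reverses sealToken. It fails if the blob was tampered with or if
// it is presented under a different user ID than it was sealed for.
func openToken(key []byte, userID string, sealed []byte) (string, error) {
	if len(key) != 32 {
		return "", errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(userID))
	if err != nil {
		return "", err // authentication failed: tampered, or wrong user/key
	}
	return string(pt), nil
}

// hardenedTLSConfig returns a client config that refuses anything below TLS 1.2,
// the floor stated in the encryption-in-transit section above.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	// Constructed demo key; in production this comes from a KMS or secret store,
	// never from source code.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, err := sealToken(key, "user-42", "constructed-partner-token")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes, none of it plaintext\n", len(sealed))

	if _, err := openToken(key, "user-43", sealed); err != nil {
		fmt.Println("blob presented under another user ID is rejected:", err)
	}
	token, err := openToken(key, "user-42", sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("owner can recover the token:", token)
}
```

The stored blob contains the nonce, ciphertext and authentication tag only; the user ID is not stored with it and is supplied again at decryption time, which is what gives the AAD binding its value.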
Network security
For customers relying on our dedicated managed hosting, Mio isolates each tenant within its own private network and provides a set of dedicated, isolated services for maximum privacy, security, and compliance. Public access to Mio is restricted to a limited number of front-end servers exposing only the minimal set of open ports required to operate our service. Internal access by Mio's employees is tiered, restricted by source IP address and VPN credentials, and governed by the principle of least privilege.
Software security
Our servers and systems are actively monitored and regularly updated with the latest security patches as needed. Any vulnerabilities or defects found in our own applications are patched and retested at the earliest opportunity. All new servers are hardened before deployment to minimize exposure through insecure default services or credentials. Mio periodically engages external auditors to test and report on our systems in their entirety, and any findings are prioritized and acted upon accordingly.
Change control
All application software built and deployed by Mio is kept under version control as part of our secure software development lifecycle. Before each production release, the software is extensively tested and assigned a version before being made available to the public.
System monitoring and logging
To continuously improve its level of service, Mio may log and inspect traffic passing over its systems. Access to this information is restricted to senior members of the team with administrative privileges. Logs are typically retained for 72 hours and are automatically destroyed after that period.
Legal compliance
Mio has its own internal guidelines towards data privacy and security to help ensure it meets its legal, ethical and socially responsible obligations. Additionally, Mio commissions dedicated legal professionals when needed to help meet legal and regulatory requirements.
Data requests
By default, Mio tries to minimize personal data retention and typically only stores highly anonymized or obfuscated data on its systems. If Mio receives requests from users or government agencies to disclose or delete data outside of its regular day to day operations, we will meet all legal obligations deemed necessary by our legal counsel.
For more information on Mio, and to keep up to date with the latest messaging trends, visit our blog.