MessageMedia Security Statement

Compliance and standards

MessageMedia hosts our core web portal platform on infrastructure provided by Amazon Web Services (AWS). We build on Amazon to ensure our infrastructure is compliant with a number of requirements, as AWS is accredited under a number of assurance programs and standards, including ISO 27001, HIPAA and SOC2. A full list of compliance standards is available in the AWS Security and Compliance Whitepaper.

MessageMedia hosts other customer data in online platforms that are compliant with other relevant standards, with ISO27001 for all platforms and with PCI-DSS accreditation for our billing platforms.

Other security controls for MessageMedia Platform and Support Services are assessed and implemented as part of our Security Program which is aligned with ISO27001.

Reliability and performance

  • Highly available and redundant platform running in AWS in active-active configuration across three availability zones
  • Low latency messaging API offering sub 100 millisecond response times and 99.95% uptime
  • Messaging gateway offering processing of 95% of messages within 2 seconds
  • Redundant connections to major telecommunication networks (in AU) at all layers of the stack (application, data centre, geography, providers)
  • A highly scalable platform allowing for large high volume sending
  • Message prioritisation capabilities to ensure high priority messages are delivered even when large volume sending is occurring

Security

Data In Transit

Data connections between customers and MessageMedia can be protected with TLS 1.2 using AES ciphers. This encryption, when configured correctly by customers, is equivalent in strength to the recommendations provided by the Australian Government Information Security Manual and aligns with the stringent requirements of a number of other government and industry standards.

Customer data transfers within MessageMedia are protected by segregated networks or Virtual Private Networks. Where MessageMedia Group (MMG) access is required, this is strictly limited only to necessary staff.

Data Encryption

Sensitive Data, including Customer Data, is encrypted at rest using AES Encryption.

Network protection

MessageMedia networks are segregated from normal corporate networks at the internet, either physically or by using Virtual Private Networks or cloud-based networks. Access to these networks is secured using firewalls and network configuration to limit access to what is required. Where MMG access is required, this is limited only to necessary staff.

Security logging, monitoring & response

Security events and other logs from our platforms are recorded and monitored in accordance with industry practices.

Security Incidents are managed according to our internal Security Incident Response plan, which is compliant with Australian Privacy Act requirements, including in connection with the mandatory data breach notification scheme.

Access Control

Customer access (authentication and authorisation) provides discrete control over the accounts that have access to customer accounts, including:

  • Individual Customer Accounts for each user to improve authentication
  • The ability to manage your own API keys for programmatic connectivity in our MessageMedia Web Portal

For MessageMedia staff access, we use:

  • A single corporate staff directory with role-based access control
  • Multi-factor authentication (MFA) for all staff access, including re-authentication for Privileged User Access.

Data Residency

Please see Section 10 of our Privacy Policy.

Integrations

Ecosystems

MessageMedia builds its integrations with other ecosystems (including Shopify, HubSpot and NetSuite integrations) securely. MessageMedia cannot secure the customer installations of these ecosystems or configurations of these ecosystems, including access control, auditing of ecosystem functions, infrastructure security or other compliance requirements. Where we have control of integration configuration, we will ensure that Data in Transit is encrypted appropriately according to the guidance above.

This Security Statement applies to users of our MessageMedia web portal and REST API. Different security protocols apply to the MessageMedia Manager web portal and to users of our SOAP API.