Our Security Commitment
Middleware protects the customer data in its custody and continuously improves its information security management practices. Middleware maintains confidentiality, privacy, integrity, and availability controls in line with the SOC 2 Trust Services Principles.
We ensure that our security commitments are well-documented and clearly communicated to user entities through our website, contract agreements, or service level agreements.
Organizational Security & Compliance
Middleware obtains and processes personal data in accordance with the SOC 2 Trust Services Principles, HIPAA, and GDPR. Formal IT policies and procedures exist that describe:
- Physical Security
- Logical Access
- Operations
- Change Control
- Data Communication Standards
Personnel Security & Training
Middleware’s workforce includes partners, regular employees, and independent contractors who have direct access to Middleware’s internal information systems. Middleware has established personnel policies and practices relating to:
- Employee Hiring
- Orientation
- Training
- Evaluation
- Counseling
- Promotion
- Disciplinary Activities
Security and privacy training is conducted upon hire and semi-annually thereafter, covering topics such as:
- Device Security
- Acceptable Use
- Malware Prevention
- Data Privacy
- Incident Reporting
- Data Breach Procedures
All employees must acknowledge, at least annually, that they have read and will follow Middleware’s information security policies. Any security or privacy issue must be reported immediately to the Compliance team. When an engagement with Middleware ends, all access to Middleware systems is removed without undue delay.
Physical Security
Middleware is hosted exclusively on Amazon Web Services (AWS) in the us-east-1 region (Northern Virginia, USA), which provides physical data center security and environmental controls. Middleware’s corporate offices require badge access for entry, maintain video surveillance, and require all visitors to sign in and be accompanied while on site.
Security by Design
Middleware recognizes that software changes introduce security risk and manages that risk through its Secure Development Lifecycle. The security team classifies findings against the OWASP Top 10 and rates each as High, Medium, or Low severity. All changes to production, whether code or system configuration, require review before deployment. Change control requirements apply to every system that stores higher-sensitivity data, including Personally Identifiable Information.
Infrastructure Security
Middleware’s network, infrastructure, and architecture are protected by multiple layers of control, including:
1. Access Control
Access to production networks requires multi-factor authentication and is carried over HTTPS. Firewall rules restrict exposed ports to those required, limiting the reachable attack surface of the production environment. The corporate network uses intrusion detection systems to identify potential security threats.
2. Login Security
Users log in with a unique username and password; their authorization and permission levels are controlled by the account administrator. Password complexity is enforced according to Middleware’s defined password standard.
3. Logical Access
Access to data, system utilities, and program source code libraries is restricted to authorized users with a legitimate business need. Duties are segregated so that no individual holds incompatible responsibilities and every action remains attributable to the person who performed it.
4. Datacenter
Middleware services are hosted in data centers operated by Amazon Web Services (AWS). AWS maintains the physical environment to recognized industry standards of security and reliability, and Middleware continuously monitors its own environment with automated compliance checks based on AWS best practices and industry-recognized standards.
Application Security
Middleware applies the following controls at the application layer:
1. Vulnerability Assessment and Penetration Testing
Vulnerability scans are performed on the environment at least quarterly to identify control gaps and vulnerabilities. The security team remediates findings within the defined remediation timeframe. An independent third party performs penetration testing annually to identify and attempt to exploit vulnerabilities in the environment.
2. Incident Response and Data Breach
Middleware has documented incident response and escalation procedures that guide users in identifying, reporting, and mitigating failures, incidents, concerns, and other complaints. Detected security events are escalated to the responsible response team, which begins addressing the event within 2 hours. Middleware notifies the supervisory authority of a personal data breach within 72 hours of becoming aware of it.
3. Data Encryption in Transit and at Rest
All data sent to or from Middleware is encrypted in transit using TLS with AES-256 cipher suites, so that no intermediary on the network path can read it. Passwords are never stored in plaintext; Middleware stores them as hashes computed with the SHA-2 family of the Secure Hash Algorithm. Customers’ sensitive data is stored in a MySQL database that encrypts data at rest automatically before it is written to storage.
4. Backup and Disaster Recovery
Middleware lets customers balance the need to store backups in multiple locations for disaster recovery against the need to keep their data out of certain geographies. AWS publishes the geographic location and boundary of each of its data centers. The disaster recovery plan is tested annually.
5. Data Collection & Disposal
As an Application Service Provider, Middleware collects personal information on behalf of the customer in the course of providing its application. Customer data is deleted from Middleware systems when the account is terminated or the applicable data retention period expires. Middleware hard-deletes the data from all running production systems, and backups containing it are destroyed within 15 days.
Middleware follows industry-standard techniques for data destruction.
Middleware implements a multi-layered approach that covers its people, process, and technology security requirements. For further advice and help, contact our Compliance team at [email protected]