How does MailUp infrastructure guarantee compliance with the GDPR?

For many sectors, the GDPR [General Data Protection Regulation] represents an important social innovation. In fact, it clarifies and allows individuals to manage their own privacy. MailUp has considerable experience in threat protection, in privacy protection, and in an array of compliance regulations.

We maintain a policy of transparency and aim to provide you with the information you need to feel secure when you use the platform.

Every day we renew our commitment to our principles in terms of trust in the cloud, data protection, and data security.

• Contractual commitments: Relationships with MailUp are supported by contractual commitments for our services, including security standards, support, and timely notifications in accordance with the new GDPR requirements.
• Sharing our experience: We will share the information we gather from various data protection authorities and other reputable organizations, so that we can adapt what we have learned to help you create the best possible approach for your organization.

As required by regulations, our infrastructure and security policies have been subjected to an assessment for gauging adequacy and preliminary impact on data protection. These assessments will continue to be conducted regularly to keep to the highest standards of data protection compliance.

To safeguard the confidentiality, integrity, and availability of data, the MailUp platform relies on a physical data center located in Italy. It is accessible by our staff both physically (via biometric access control) and through a virtual private network.

MailUp believes that data loss prevention features are of critical importance as they prevent sensitive information from being shared without permission.

An organization’s data is fundamental to its success. Data must be immediately available to enable decision making, but at the same time it must be protected to prevent it from being shared with those who are not authorized to access it.

For this reason we have implemented a series of organizational and technical measures that allow us to guarantee our customers not only the prevention of unauthorized access, but also adequate security – in relation to the classification of the treated data — for all authorized accesses.

The infrastructure is designed to be resilient to DDoS (Distributed Denial of Service) attacks through DDoS mitigation systems that can automatically detect and filter excess traffic by including scalability to handle unexpected traffic volumes using dedicated load balancers.

• At the physical level, we protect our data through a methodology which, in case of theft of physical memory supports, does not allow the extraction of sensitive data. The technology used to store data on physical media aims to increase performance, render the system resilient to the loss of one or more disks, and capable of replacing media without any interruption to service.
• At the application level, we have the possibility to secure the data contained in customer databases with encryption of data at rest.
• At the transport level, data is vulnerable to unauthorized access while traveling through the Internet or within networks. For this reason, the protection of data in transit has a high priority.
• We use TLS/SSL cryptographic protocols that employ symmetric encryption based on a shared key to provide secure communications. These ensure data integrity for the network.
• To provide even greater security, we use a block cipher algorithm within TLS/SSL, which is called AES-256 (Advanced Encryption Standard). This replaces public key cryptography technology DES (Data Encryption Standard) as well as RSA 2048.

• We use advanced systems for searching for viruses in email (whether incoming or outgoing), for detecting spoofing (use of fraudulent senders), and we have a clear anti-spam policy.
• Anti-phishing analysis tools and advanced protections for such threats as spear phishing and any Zero Day Attacks.
• Identifying and blocking of malicious files in our internal network thanks to the use of antivirus and proxy systems.
• We regularly and automatically check that all our servers are up-to-date and have the latest security patches installed.

• Business infrastructure is protected by several integrated network firewalls.
• There are also firewalls for web applications and IDS (Intrusion Detection System) devices that are used for monitoring computer resources, i.e., patterns. Thanks, once again, to the meticulously scheduled data traffic analysis carried out by our highly specialized staff, it is possible to detect attacks on the network or computers through the “anti-theft” function of the Intrusion Detection System.
• Multi-factor authentication is an authentication method that requires more than one verification method, where at least a second level of security is added for user access and transactions. This method is used by system administrators and for services provided by Google and Amazon.

• Advanced visibility on API calls.
• Log aggregation options to optimize surveys and compliance reporting.
• Definition, application, and management of user access policies across all services.
• The monitoring of suspicious access attempts makes it possible to detect potential intrusions by means of very solid machine learning functions.
• Warning notifications that can be programmed if thresholds are exceeded or for event verifications.
• Employee access rights and levels are based on job and workplace role using the “least-privilege” and “need-to-know” principles, depending on the responsibilities defined for the employee.
• Requests for greater access follow a formal process that requires approval by the owner of the data, or by the system, or by supervisors or other managers, according to established security criteria.

• MailUp cyclically performs vulnerability tests on all infrastructure systems and on clients connected to it.
• We regularly perform security penetration tests, using different suppliers.
• The tests include high-level server penetration tests, in-depth tests for vulnerabilities within the application, and social engineering exercises.
• Finally, upon request, it is possible to authorize one vulnerability assessment from third parties.

• We have a rigorous incident management process for security events that can affect the confidentiality, integrity, or availability of systems or data.
• If an incident occurs, the security team records and establishes a priority level based on severity. Events that have a direct impact on customers have the highest priority.

• Our data centers are monitored 24/7 by high-resolution internal and external video cameras that are capable of detecting and monitoring intruders. Access logs, activity logs, and video footage are available if an incident should occur.
• Data centers are also regularly monitored by experienced security guards who have received rigorous background checks and training.
• As one approaches the data center, security measures increase. Access to the data center is governed by the use of a personal security badge and only approved employees with specific roles are permitted access.
• We must not fail to mention our advanced cooling systems, which maintain a constant operating temperature for servers and other hardware, thereby reducing the risk of service interruptions. Fire detection and suppression equipment, on the other hand, help to prevent hardware damage. Heat, fire, and smoke detectors activate audible and visible alarms in the affected area, on security consoles, and at remote monitoring desks.

To ensure data availability, in the event of hardware malfunctions, backup copies are scheduled at least once per day for the most critical servers. This data is saved on systems installed in a dedicated backup site, which is also located within the European Union.

MailUp maintains a backup copy of the databases loaded by customers for the time necessary that is specified in the data retention policy and then they are automatically deleted.

These backups are checked periodically, are organized in such a way as to ensure the separation of data for each customer and are securely encrypted to ensure maximum confidentiality of the data.

• Control starts with its acquisition, follows with installation, all the way to its being taken out of service and eventual destruction.
• For the disposal of the hardware, we rely on a highly qualified and experienced supplier that guarantees the destruction of the disk and the deletion of data. The supplier furnishes a document certifying that the destruction has taken place.

Where provided, we use service/partner providers only after verifying that they can provide an adequate level of security, privacy, and specific guarantees on the possibility of managing data processing entirely in Europe.
Our Partners:

• Amazon AWS
  For the provision of network support services and storage of images uploaded by customers, including the Content Delivery Network (CDN) and Web Proxy services.
  Amazon AWS complies with many international and industry-specific standards.
  Further information can be found directly at the AWS compliance page
• Google
  Tools for productivity and company security.
  The Google platform complies with many international and industry-specific standards. Greater information may be found on their pages devoted to security and compliance.