MURAL Security Overview

We take security seriously here at MURAL. And for good reason: every person and team using our service expects their data to be secure and confidential. We are constantly working on bringing in state-of-the-art security practices into our product, so you can take advantage of cutting edge features designed to safeguard your data and work to maintain your trust.

MURAL is SOC 2 Type II certified - an independent auditor has evaluated our product, infrastructure, policies, and certifies that MURAL complies with their stringent requirements.

A copy of MURAL’s most recent report is available upon request from but you will need to sign an NDA. Not ready to sign an NDA or you are just taking a look? Check our Cloud Security Alliance Self Assessment Data here.

MURAL Security

We take the security of your data very seriously at MURAL. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security.

Full redundancy for our core services

MURAL core services have spare deployments across multiple datacenters. We keep many platforms up-to-date allowing us to be flexible when infrastructure goes down in order to guarantee business continuity.

We don’t store payment details

MURAL is not in the business of storing or processing payments. All payments made to MURAL goes through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe's security page.

Secure Infrastructure

MURAL takes advantage of the industry’s most sophisticated cloud providers like Microsoft Azure. The platform has implemented the most advanced protections for network and operation security controls that are carefully audited as part of the vendor management review.

Standards-based Identity

MURAL recommends BYOIDP (bring your own identity provider), we currently support LDAP, SAML, OAuth, OpenID, OpenID Connect, and JSON Web Tokens (JWTs) - all of the common and most popular identity standards. We make it easy to leverage these powerful standards to protect your valuable information.

Account Verification

Users of the systems and services must be authenticated against the user’s unique account credentials before granting access. Users are required to validate their accounts via a link provided in an automated e-mail.

Move fast, break nothing

MURAL has a formal software development lifecycle methodology and change management procedures that governs the design, acquisition, implementation, configuration, testing, modification, and maintenance of system components.


We leverage Azure most advanced Intrusion Detection technology to keep your information safe from attackers. We also scan our infrastructure and applications periodically to detect any existing vulnerability.


Your data will never leave the US, even in the case of a major datacenter disaster. Not in the US? No problem. We are EU-US Privacy Shield compliant.

Encryption, Password Hashing

MURAL helps you prevent critical identity data from falling into the wrong hands. We never store passwords as clear text - they are always hashed (and salted) securely with a SHA512 encryption. All network communication uses TLS with at least 128-bit AES encryption. The connection uses TLS v1.2, and it is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism. Qualsys' SSL Labs scored MURAL's SSL implementation as "A+" on their SSL Server test.

Security Practices

At MURAL we follow a number of best practices that improve our security posture. Here are a few examples:


We intend to hire awesome people who are passionate about building products that customers love by delivering simple, functional, and usable applications. We’ve developed a hiring process to acquire the most capable and efficient personnel through a series of steps. We do background checks and confidentiality agreements for all employees who access our systems or who might come into contact with customer data. We also train our developers in Information Security and Secure Development Practices.


You need your user deprovisioning process compliant with GDPR? we've got your back. Contact us for more details about how can you integrate your deprovisioning with our endpoints.

Security program

We have an stablished and mature information security program in place as the result of being SOC2 Type 2 compliant for many years in a row.


We provide comprehensive logging for every transaction on on the system, and we also keep a special log entry for detecting unsuccessful logging access attempts. We used the most advanced reporting tools backed by the sharp eyes of our security team.


In order to provide and maintain high availability on the application, we leverage Microsoft Azure Availability Sets, whenever a group of machines are in the same Availability Set, Microsoft guarantees no more than 20% of those machines will be taken down for maintenance at a given time.

Risk management

An annual risk assessment is performed to identify threats and vulnerabilities for the in-scope systems. Mitigation strategies are discussed based on the results of the risk assessment. Monthly risk assesments are also performed with any findings we may have both from internal or external sources.

Penetration Testing

Independent 3rd party penetration testing is completed periodically, bringing real-world expertise and insight to bear in validating the security of MURAL’s implementations and procedures. We guarantee that we will fix all issues flagged as critical or high in 30 days maximum.

Customer Data Protection

Client data only resides in the production environment encrypted at rest with AES-256. Our employees don’t have access to clients data.

Customer Data backup process consists on snapshots of the whole database taken every 4-hours, kept for 7 days and a monthly full backup. All backups are stored encrypted.

Logical Access

Employee’s level of access is determined by the job position, and permissions are granted or revoked by explicit request of team managers after a proper security review.

System logs are available for detection of unauthorized access, and user access reviews are performed on a periodic basis and access is immediately removed if no longer necessary.

We enforce multi factor authentication for EVERY EMPLOYEE leveraging Google 2-Factor authentication.

Access to the production environments within Microsoft Azure requires a two factor authentication.

Incident management

Security and confidentiality incidents, including logical and physical security breaches, failures, concerns, and other complaints should be immediately addressed to and will be resolved in accordance with established incident policy.

An incident response policy is in place to provide guidance for MURAL employees on escalation and resolution of incidents and to ensure that incidents are resolved timely

Incidents are tracked in a ticketing system through to resolution.

Reporting service disruption incidents or maintenance windows

We use to keep both customers and employees users up to date. This service provides several notifications options (Email, SMS, Twitter, Phone, to name a few) for internal and external users to subscribe for notifications.

Copyright © 2019 Tactivos Inc. Some rights reserved.