Mural Security

We take security seriously here at MURAL. And for good reason: every person and team using our service expects their data to be secure and confidential. We are constantly working on bringing in state-of-the-art security practices into our product, so you can take advantage of cutting edge features designed to safeguard your data and work to maintain your trust.

Security Overview

We take the security of your data very seriously at MURAL. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security.

Full redundancy for our core services

MURAL core services have spare deployments across multiple datacenters and across multiple hosting platform providers. We keep many platforms up to date, allowing us to be flexible when infrastructure goes down in order to guarantee business continuity.

Secure Infrastructure

MURAL takes advantage of the industry’s most sophisticated cloud providers like Microsoft Azure and Amazon AWS platforms. The platform has implemented the most advanced protections for network and operation security controls that are carefully audited as part of the vendor management review.

Account Verification

Users of the systems and services must be authenticated against the user’s unique account credentials before granting access. Users are required to validate their accounts via a link provided in an automated e-mail.

Move fast, break nothing

MURAL has a formal software development lifecycle methodology and change management procedures that govern the design, acquisition, implementation, configuration, testing, modification, and maintenance of system components.

Standards-based Identity

MURAL recommends BYOIDP (bring your own identity provider). We currently support LDAP, SAML, OAuth, OpenID, OpenID Connect, and JSON Web Tokens (JWTs), all of the common and most popular identity standards. We make it easy to leverage these powerful standards to protect your valuable information.

Encryption, Password Hashing

MURAL helps you prevent critical identity data from falling into the wrong hands. We never store passwords as clear text; they are always hashed (and salted) securely. All network communication uses TLS with at least 128-bit AES encryption. The connection uses TLS v1.2, is encrypted and authenticated using AES_128_GCM, and uses ECDHE_RSA as the key exchange mechanism. Qualys' SSL Labs scored MURAL's SSL implementation as "A" on their SSL Server test.

We don’t store payment details

MURAL is not in the business of storing or processing payments. All payments made to MURAL go through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe's security page.

SOC 2

MURAL is SOC 2 Type I certified - an independent auditor has evaluated our product, infrastructure, and policies, and certifies that MURAL complies with their stringent requirements.

A copy of MURAL’s most recent report is available upon request from compliance@mural.co

Security Practices

At MURAL we follow a number of best practices that improve our security posture. Here are a few examples:

Personnel

We intend to hire awesome people who are passionate about building products that customers love by delivering simple, functional, and usable applications. We’ve developed a hiring process to acquire the most capable and efficient personnel through a series of steps. We do background checks and confidentiality agreements for all employees who access our systems or who might come into contact with customer data.

Availability

In order to provide and maintain high availability on the application, we leverage Microsoft Azure Availability Sets. Whenever a group of machines is in the same Availability Set, Microsoft guarantees no more than 20% of those machines will be taken down for maintenance at a given time.

Risk management

An annual risk assessment is performed to identify threats and vulnerabilities for the in-scope systems. Mitigation strategies are discussed based on the results of the risk assessment.

Penetration Testing

Independent penetration testing is completed periodically, bringing real-world expertise and insight to bear in validating the security of MURAL’s implementations and procedures.

Logging

We provide comprehensive logging for every transaction on the system, and we also keep a special log entry for detecting unsuccessful logging access attempts. We use the most advanced reporting tools backed by the sharp eyes of our security team.

Logical Access

An employee’s level of access is determined by the job position, and permissions are granted or revoked by explicit request of team managers after a proper security review.

System logs are available for detection of unauthorized access, and user access reviews are performed on a periodic basis and access is immediately removed if no longer necessary.

We enforce multi factor authentication for EVERY EMPLOYEE leveraging Google 2-Factor authentication.

Access to the production environments within Microsoft Azure and Amazon AWS also requires two-factor authentication.

Customer Data Protection

Client data only resides in the production environment. Our employees don’t have access to client data. The customer data backup process consists of a daily snapshot of the whole database plus a 4-hour incremental backup. These backups are stored on a different cloud provider using encryption at rest.

Reporting service disruption incidents or maintenance windows

We use StatusPage.io to keep both customers and employees up to date. This service provides several notification options (Email, SMS, Twitter, Phone, to name a few) for internal and external users to subscribe to.

Incident management

Security and confidentiality incidents, including logical and physical security breaches, failures, concerns, and other complaints should be immediately addressed to support@mural.co and will be resolved in accordance with established incident policy.

An incident response policy is in place to provide guidance for MURAL employees on escalation and resolution of incidents and to ensure that incidents are resolved in a timely manner.

Incidents are tracked in a ticketing system through to resolution.