
Mural Security

We take security seriously here at MURAL. And for good reason: every person and team using our service expects their data to be secure and confidential. We are constantly working on bringing in state-of-the-art security practices into our product, so you can take advantage of cutting edge features designed to safeguard your data and work to maintain your trust.


Security Overview

We take the security of your data very seriously at MURAL. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security.

Full redundancy for our core services

MURAL core services have spare deployments across multiple datacenters. We keep our platforms up to date, which allows us to switch deployments when infrastructure goes down and so guarantee business continuity.

Secure Infrastructure

MURAL takes advantage of the industry's most sophisticated cloud providers, such as Microsoft Azure. The platform has implemented the most advanced protections for network and operational security controls, which are carefully audited as part of our vendor management review.

Account Verification

Users of the systems and services must be authenticated against their unique account credentials before access is granted. Users are required to validate their accounts via a link provided in an automated e-mail.

Move fast, break nothing

MURAL has a formal software development lifecycle methodology and change management procedures that govern the design, acquisition, implementation, configuration, testing, modification, and maintenance of system components.

We don’t store payment details

MURAL is not in the business of storing or processing payments. All payments made to MURAL go through our partner, Stripe. Details about their security setup and PCI compliance can be found on Stripe's security page.

Standards-based Identity

MURAL recommends BYOIDP (bring your own identity provider). We currently support LDAP, SAML, OAuth, OpenID, OpenID Connect, and JSON Web Tokens (JWTs), all of the common and most popular identity standards. We make it easy to leverage these powerful standards to protect your valuable information.

Encryption, Password Hashing

MURAL helps you prevent critical identity data from falling into the wrong hands. We never store passwords as clear text; they are always salted and hashed with SHA-512. All network communication uses TLS with at least 128-bit AES encryption. The connection uses TLS v1.2, is encrypted and authenticated using AES_128_GCM, and uses ECDHE_RSA as the key exchange mechanism. Qualys' SSL Labs scored MURAL's SSL implementation as "A+" on their SSL Server test.
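The salted SHA-512 scheme described above, as an added illustration rather than MURAL's own code; the 16-byte salt length and the "salt$hash" record format are assumptions made for this example:

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustration of per-user salted SHA-512 password storage and verification.
# Hypothetical code, not MURAL's implementation: the salt size and the
# "salt_hex$digest_hex" storage format are assumptions for this example.

SALT_LEN = 16  # assumed salt size in bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$sha512_hex'; a fresh random salt is drawn if none given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the salted digest and compare it in constant time."""
    try:
        salt_hex, digest = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: never accept it
    candidate = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    # compare_digest avoids leaking where the digests diverge through timing
    return hmac.compare_digest(candidate, digest)


def salts_differ(password: str) -> bool:
    """Why salting matters: the same password yields different stored records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))  # False
```

Iterated or memory-hard password hashes such as PBKDF2, bcrypt or Argon2 are the usual recommendation over a single SHA-512 pass, because they slow down offline guessing of a leaked record.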

Monitoring

We leverage Azure's most advanced intrusion detection technology to keep your information safe from attackers. We also scan our infrastructure and applications periodically to detect any existing vulnerabilities.

Data

Your data will never leave the US, even in the case of a major datacenter disaster. Not in the US? No problem. We are EU-US Privacy Shield compliant.

SOC 2

MURAL is SOC 2 Type II certified: an independent auditor has evaluated our product, infrastructure, and policies, and certifies that MURAL complies with their stringent requirements.

A copy of MURAL's most recent report is available upon request from compliance@mural.co, but you will need to sign an NDA. Not ready to sign an NDA, or just taking a look? Check our Cloud Security Alliance Self Assessment data here.

Security Practices

At MURAL we follow a number of best practices that improve our security posture. Here are a few examples:

Personnel

We intend to hire awesome people who are passionate about building products that customers love by delivering simple, functional, and usable applications. We've developed a multi-step hiring process to acquire the most capable and efficient personnel. We conduct background checks and require confidentiality agreements for all employees who access our systems or who might come into contact with customer data. We also train our developers in information security and secure development practices.

Security program

We have an established and mature information security program in place as a result of being SOC 2 Type II compliant for many years in a row.

Availability

In order to provide and maintain high availability of the application, we leverage Microsoft Azure Availability Sets. Whenever a group of machines is in the same Availability Set, Microsoft guarantees that no more than 20% of those machines will be taken down for maintenance at a given time.

Risk management

An annual risk assessment is performed to identify threats and vulnerabilities for the in-scope systems. Mitigation strategies are discussed based on the results of the risk assessment. Monthly risk assessments are also performed, covering any findings from internal or external sources.

Penetration Testing

Independent third-party penetration testing is completed periodically, bringing real-world expertise and insight to bear in validating the security of MURAL's implementations and procedures. We guarantee that we will fix all issues flagged as critical or high within 30 days.

Integrations

Need your user deprovisioning process to be compliant with GDPR? We've got your back. Contact us for more details about how you can integrate your deprovisioning with our endpoints.

Special requirements

We know that some industries have specific security or privacy requirements. When you choose to go with an Enterprise plan, you can include those requirements in the contract and we will make our best efforts to satisfy your needs.

Logging

We provide comprehensive logging for every transaction on the system, and we also keep a dedicated log entry for detecting unsuccessful login attempts. We use the most advanced reporting tools, backed by the sharp eyes of our security team.

Logical Access

An employee's level of access is determined by their job position, and permissions are granted or revoked at the explicit request of team managers after a proper security review.

System logs are available for detection of unauthorized access. User access reviews are performed periodically, and access is removed immediately when it is no longer necessary.

We enforce multi-factor authentication for EVERY EMPLOYEE, leveraging Google 2-Factor authentication.

Access to the production environments within Microsoft Azure requires two-factor authentication.

Customer Data Protection

Client data resides only in the production environment and is encrypted at rest. Our employees do not have access to client data.

The customer data backup process consists of a daily snapshot of the whole database plus an incremental backup every 4 hours. All backups are stored encrypted.

Reporting service disruption incidents or maintenance windows

We use StatusPage.io to keep both customers and employees up to date. This service provides several notification options (Email, SMS, Twitter, and Phone, to name a few) that internal and external users can subscribe to.

Incident management

Security and confidentiality incidents, including logical and physical security breaches, failures, concerns, and other complaints, should be reported immediately to support@mural.co and will be resolved in accordance with our established incident policy.

An incident response policy is in place to provide guidance to MURAL employees on the escalation and resolution of incidents and to ensure that incidents are resolved in a timely manner.

Incidents are tracked in a ticketing system through to resolution.