MURAL core services have spare deployments across multiple datacenters and across multiple hosting platform providers. We keep many platforms up-to-date allowing us to be flexible when infrastructure goes down in order to guarantee business continuity.

MURAL takes advantage of the industry’s most sophisticated cloud providers like Microsoft Azure and Amazon AWS platforms. The platform has implemented the most advanced protections for network and operation security controls that are carefully audited as part of the vendor management review.

Users of the systems and services must be authenticated against the user’s unique account credentials before granting access. Users are required to validate their accounts via a link provided in an automated e-mail.

MURAL has a formal software development lifecycle methodology and change management procedures that governs the design, acquisition, implementation, configuration, testing, modification, and maintenance of system components.

MURAL recommends BYOIDP (bring your own identity provider), we currently support LDAP, SAML, OAuth, OpenID, OpenID Connect, and JSON Web Tokens (JWTs) - all of the common and most popular identity standards. We make it easy to leverage these powerful standards to protect your valuable information.

MURAL helps you prevent critical identity data from falling into the wrong hands. We never store passwords as clear text - they are always hashed (and salted) securely. All network communication uses TLS with at least 128-bit AES encryption. The connection uses TLS v1.2, and it is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism. Qualsys' SSL Labs scored MURAL's SSL implementation as "A" on their SSL Server test.

MURAL is not in the business of storing or processing payments. All payments made to MURAL goes through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe's security page.

We intend to hire awesome people who are passionate about building products that customers love by delivering simple, functional, and usable applications. We’ve developed a hiring process to acquire the most capable and efficient personnel through a series of steps. We do background checks and confidentiality agreements for all employees who access our systems or who might come into contact with customer data.

In order to provide and maintain high availability on the application, we leverage Microsoft Azure Availability Sets, whenever a group of machines are in the same Availability Set, Microsoft guarantees no more than 20% of those machines will be taken down for maintenance at a given time.

An annual risk assessment is performed to identify threats and vulnerabilities for the in-scope systems. Mitigation strategies are discussed based on the results of the risk assessment.

Independent penetration testing is completed on periodically, bringing real-world expertise and insight to bear in validating the security of MURAL’s implementations and procedures.

We provide comprehensive logging for every transaction on on the system, and we also keep a special log entry for detecting unsuccessful logging access attempts. We used the most advanced reporting tools backed by the sharp eyes of our security team.

Employee’s level of access is determined by the job position, and permissions are granted or revoked by explicit request of team managers after a proper security review.

System logs are available for detection of unauthorized access, and user access reviews are performed on a periodic basis and access is immediately removed if no longer necessary.

We enforce multi factor authentication for EVERY EMPLOYEE leveraging Google 2-Factor authentication.

Access to the production environments within Microsoft Azure and Amazon AWS also requires a two factor authentication. - title: Customer Data Protection description: | Client data only resides in the production environment. Our employees don’t have access to clients data. Customer Data backup process consists on daily snapshot of the whole database plus a 4-hour incremental backup. These backups are stored on a different cloud provider using encryption at rest.

We use StatusPage.io to keep both customers and employees users up to date. This service provides several notifications options (Email, SMS, Twitter, Phone, to name a few) for internal and external users to subscribe for notifications.

Security and confidentiality incidents, including logical and physical security breaches, failures, concerns, and other complaints should be immediately addressed to support@mural.co and will be resolved in accordance with established incident policy.

An incident response policy is in place to provide guidance for MURAL employees on escalation and resolution of incidents and to ensure that incidents are resolved timely

Incidents are tracked in a ticketing system through to resolution