Security of Customer Data

Protecting customer data is the top priority of Mojo AI, and we use industry-standard best practices to safeguard your sensitive data.

 

Mojo AI’s security protocols are compliant with:

  • ISO 27001:2013
  • SOC2 Type 2
  • Privacy Shield Certification Compliance
  • Mojo AI’s next generation environment in Microsoft Azure is SOC 2 certified, in addition to Mojo AI’s implementation of Barracuda’s NextGen Firewall inside of Microsoft Azure.

 

Mojo AI Security Architecture

Mojo AI’s security architecture is designed to protect the confidentiality and integrity of all customer information that we host. We apply stringent, risk-adjusted security controls in layers ranging from facilities (physical security) to network infrastructure (network security), IT systems (system/host security) and information and applications (application security).

Mojo AI Security Controls and Policies

  • Secure data centers – Mojo AI leverages Microsoft Azure as our datacenter provider. Microsoft Azure provides customers with the ability to view their SOC2 Type 2 report. Mojo AI further protects certain types of data with a Barracuda NextGen Firewall implemented inside of Microsoft Azure.
  • Mojo AI’s Cloud Infrastructure is designed in accordance with best practices guidelines from Defense Security Services (DSS) and Payment Card Industry Data Security Standards (PCI).
  • Security monitoring – Our networks and systems are continuously monitored for security issues. Security events are correlated for evaluation by our security team, using a Security Information and Event Management System (SIEM) tool.
  • Strict access controls (both system and network) – Mojo AI enforces strict access control on all its systems. We perform regular internal audits and use automated tools to verify desired configurations.
  • Everything is internally audited, including strong internal auditing in the form of SOC2.
  • Strict ingress and egress points – Access to the application is restricted to ports 80/443. Mojo AI administration is limited to a small group of Mojo AI workers using a secure 2-factor VPN to access customer environments. All activity is logged.
  • Hardened operating systems – All operating systems are configured to only use the minimal number of required services.
  • Encryption – Mojo AI provides strong encryption for customers to use, which secures the Data in Transit (DIT) from the client side to our core services.
  • Separated services (web, database and storage) – All services are isolated and not shared, minimizing the risk of unintended data disclosure.
  • Cookies – More information on how our cookies are used is available in our privacy policy document at www.getmojo.ai/security-policy.
  • Restricted access to customer data – Mojo AI’s access to customer data is highly restricted, and access requests by our support personnel follow a highly controlled and documented process. Before access is granted, employees must complete special security training to handle customer data.
  • Logging and audit – All activity is logged in a protected system and is audited using automated tools.
  • Incident and response – Mojo AI has an incident response process designed to handle customer data incidents.
  • Training – All Mojo AI employees are required to participate in security training.
  • Certified Security Personnel – Mojo AI’s Security team includes certified Information Security professionals with expertise in application, network and architecture security who help define our security policies and security controls. The Mojo AI security team is composed of professionals with graduate-level degrees, 25 years of industry experience, and security certifications including CISSP, CISA, CRISC, ITIL v3, and DoD security clearance.

External Audit

Starting in 2021, Mojo AI will have an annual security audit performed by a respected third-party IT security audit agency. The unedited results of the audit are shared with customers and prospective customers upon signing a non-disclosure agreement. They are available on request by contacting your Mojo AI representative.

Software Engineering Security Process

Security is continuously improved and tested throughout the Mojo AI product lifecycle. All new feature designs are audited for high-level security considerations, and feature implementations are checked for security flaws throughout development. Existing features are audited for security vulnerability regressions, and application-wide audits are performed to ensure that feature integration is secure. Third-party components used by Mojo AI are researched and monitored carefully for vulnerabilities. Mojo AI has a security team focused on application security testing, using both manual and automated methodologies.

Best Practices

Mojo AI maintains secure programming best practice documents based on OWASP requirements. Best-practice documents are updated regularly to reflect current vulnerability knowledge, and also provide developers with real-world examples of previous programming mistakes and how to avoid them. Topics covered include input/output data sanitation, proper usage of authentication and authorization, avoiding information disclosure and secure file system (and other resource) usage.

Mojo AI performs a comprehensive security review of its product, based on OWASP standard methodologies.

Such tests include:

  • Application discovery and reconnaissance
  • Identification of weak points
  • Penetration testing using tools and techniques that mimic malicious attackers
  • Reporting of vulnerabilities
  • Patch verification
  • Application Security Process
  • Security Assessment Policy

Mojo AI’s release readiness workflow includes continuous security tests and assessments. Manual and automated security tests are conducted at critical milestones, prior to public release. Security vulnerabilities discovered during these tests are then reviewed for criticality and assigned to Engineering for resolution. Based on criticality, the issue may be resolved prior to release, or addressed in a future update.

Managing Vulnerabilities

Mojo AI conducts continuous vulnerability scanning of our cloud and hosted environments, and has a Patch and Vulnerability Policy that provides oversight of our patching process. Mojo AI leverages US-CERT alerts, open source data and internal testing to identify potential vulnerabilities. Remediation efforts are prioritized based on the risk level calculated by the Common Vulnerability Scoring System (CVSS).

Tools

Mojo AI utilizes best-in-class security tools to monitor our environment, such as:

  • Intrusion Detection Systems (IDS) monitoring
  • Distributed Denial of Service (DDoS) detection and mitigation
  • Security Information and Event Management (SIEM) logging and analysis
  • Web Application Firewall (WAF)
  • Application security scanning, using multiple products
  • Availability

Office 365 Communications Data Security and Information Transfer Process

Mojo AI uses metadata from Office 365 to provide deep insights on engagement, cross-team collaboration, and diversity and inclusion from across your organization. The process for obtaining Office 365 metadata is as follows:

  • Your organization sets up a web service inside your Azure instance, into which Mojo AI publishes an Azure-approved app. You then go into that app and authenticate Mojo AI into your Office 365 via a user created specifically for Mojo AI. That user has limited, read-only privileges to header data and body data only, with no access to either view or download attachments.
  • Once you authenticate the Mojo AI user, Mojo AI will start transferring data via secure and encrypted Azure point-to-site transmission directly into Mojo AI’s Barracuda NextGen Firewall secured Azure instance.
  • As each message is retrieved from your Office 365 instance, the web service immediately replaces any number in the body with an “X”—removing sensitive information that may exist in the body of a message. Thus, before messages even leave your Azure environment, all numbers are removed.
  • The message is then sent via secure, 1024-bit encrypted point-to-site transmission from your Azure environment to Mojo AI’s Azure environment inside of a Barracuda NextGen Firewall. The public/private keys used for transmission are generated at the time of compiling the Mojo AI web service and are unique to your organization.
  • Once inside of Mojo AI’s Azure environment, the message is immediately analyzed, processed and discarded. The analysis generates metadata about the message, including sentiment analysis for the message and for each entity in the message. Attached is a document showing the type of data stored about each message.
  • Mojo AI does not store raw messages from Office 365 in any persistent storage location. The messages are immediately processed and discarded. Only the metadata is stored.
  • Mojo AI has architected compartmentalized and reactive security and protections by creating separate and isolated services for each step of the data extraction process. If any kind of intrusion happens, that service immediately shuts itself down and the intrusion is stopped. Each service has hardcoded restrictions about which services it can share data with. Any attempt to retrieve data from unauthorized sources causes the service to shut down immediately.
