12/1/20 Security Policy

This Security Policy governs the processing of data provided by a Subscriber in connection with their user license agreement ("Agreement") or through the use of the Mosaic Services. By using the software, our services, our website, or by signing an Agreement with Mosaic, you signify your acceptance of this policy.

Servers Security

Being a cloud solution, the software and all client data are stored on Mosaic Servers, hosted on the Amazon Web Services ("AWS") platform. To provide data science services to our users, Mosaic also has servers hosted on the Google Cloud Platform. Mosaic stores data on servers in the United States, but as part of our Enterprise Plan, you can choose to store data elsewhere or on another server service (i.e. Azure) if required, as a customization not included in the base contract.

AWS is a leading cloud services platform, providing database storage, content delivery, and a range of other functions. It is the largest cloud platform provider in the world.

AWS makes security its top priority, providing a data center and network architecture built to meet the requirements of the most security-sensitive organizations such as NASA, Intuit (QuickBooks), and CapitalOne. You can find out more about AWS security in the AWS Security & Compliance Quick Reference Guide (2018).

Mosaic Security

Mosaic has an in-house Information Security team dedicated to maintaining client data security in Mosaic and all our operational data and systems that support our business.

We keep your Mosaic data safe by adhering to Information Security best practices. AWS and Google Cloud provide monitoring reports and logs to examine potential security risks, track access, and analyze administrator activity. Our servers are monitored 24 hours a day, seven days a week, 365 days a year, and we implement updates and patches in line with best practices prescribed by AWS & Google Cloud.

Backup Policy

Mosaic makes backups of servers multiple times daily, weekly, and monthly, so your Mosaic data will be up to date as of the last time you connected to the Internet.

Security Controls

Mosaic utilizes multiple layers of security controls (hardware, software, and procedural) to protect our client data, including but not limited to:

  • You Local & AWS VPC Firewalls
  • Web Application Firewalls
  • Intrusion Detection Systems (IDS)
  • Access Control Lists
  • Security Patch Management
  • Identity and Access Management
  • Centralized Log Management
  • Symmetric and Asymmetric Encryption systems
  • Single Sign-On (SSO, Enterprise Accounts Only)
  • Two-Factor Authentication (Enterprise Accounts Only)
  • Separation of Duties
  • Anomaly Detection
  • Codebase Vulnerability Assessment
  • Remote Monitoring & Alerting

What you can do

Mosaic understands security is of utmost importance to your business. In addition to our implementations, here are some security measures you can implement to strengthen the security of your company's data:

Your PC Anti-Virus and Malware

Without proper security precautions, all information on your PC is vulnerable to attack. It is essential to ensure every PC in your company has the necessary and up-to-date anti-virus, malware, and security protection. Security on your PC is the responsibility of you and your IT provider. Should your PC be compromised or lost, all your data on the Mosaic servers will be safe and unaffected, ready for access on your new PC.

Data Encryption

Each Mosaic application is accessed via HTTPS using Transport Layer Security (“TLS”). TLS is a cryptographic protocol designed to protect information transmitted over the Internet against eavesdropping, tampering, and message forgery. Once client data reaches the Mosaic cloud infrastructure, all data is encrypted at rest, using AES-256, military-grade encryption.

Service Availability

Mosaic has been designed to be a highly available, active-active solution. As part of our Enterprise Plan, clients may request Mosaic services to be split over multiple AWS data centers within the United States at additional cost. In the event of one data center going offline in a disaster scenario, the second data center continues to serve data with minimal, if any, service interruption. Mosaic is not responsible for any delays resulting from AWS or other server downtimes.

Two Factor Authentication, Enterprise Only

Mosaic's Enterprise Plan provides for Two Factor Authentication ("2FA") to login or change a password to prevent the theft of login information. When users log in or create a new password, a verification code is sent by SMS to another device, usually a personal mobile device. The phone number of this mobile device must be entered in Mosaic to allow you to create a new password. An Authentication Application on a personal mobile device may also be used. To protect your company, all Mosaic users should set up 2FA immediately.

Mosaic and Your Data Security Responsibilities

Authorization

If you provide Mosaic any personal or sensitive data relating to other individuals, either directly, through our websites, through our software, or otherwise, you represent that you have the authority to do so and permit us to use, access, or host that data in accordance with this policy.

Account Access

Mosaic employs industry-standard security measures to ensure the security of information. However, the security of information transmitted through the Internet can never be guaranteed. Mosaic is not responsible for any interception or interruption of any communications through the Internet or for changes to or losses of information. Site users are responsible for maintaining the security of any password, user ID, or other forms of authentication involved in obtaining access to password protected or secure areas of any Mosaic websites.

Data Breach Notification

Mosaic will notify the Subscriber without undue delay and in writing on becoming aware of any Data Breach regarding our client&amps;s data. If a vulnerability is identified or data is available publicly outside of the Mosaic Software, please contact Mosaic immediately via support@mosaicapp.com.

To protect you and your information, Mosaic may suspend your use of a website, without notice, pending an investigation, if any breach of security is suspected. Access to and use of password protected and/or secure area of any Unauthorized access to such areas is prohibited and may lead to criminal prosecution. If you have reason to believe that your account or our service is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please notify us of the problem immediately by contacting us at support@mosaicapp.com.

Use of Information

We may use your information as we believe to be necessary or appropriate:
(a) under applicable law, including laws outside your country of residence;
(b) to comply with legal process;
(c) to respond to requests from public and government authorities, including public and government authorities outside your country of residence;
(d) to service providers who act or provide services for us for the processing of payments, and as to such service providers their use of Personal Information is subject to our agreements with them and any applicable laws;
(e) to enforce our terms and conditions;
(f) to protect our operations or those of any of our affiliates;
(g) to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others; and
(h) to allow us to pursue available remedies or limit the damages that we may sustain.

Questions?

This statement reflects the security policy of Mosaic and is regularly reviewed and updated. It should be regarded as the primary source of truth regarding security within Mosaic. Any questions should be directed to support@mosaicapp.com.