This overview offers answers to common questions about Mighty Networks security. For more technical specifics, we share additional details in our EU DPA in Section 6. We have completed the SOC2 process and the report is available under a signed NDA. A complete list of Mighty’s privacy policies can be found here. Mighty’s uptime and application performance can be reviewed here.
Mighty’s software engineers complete regular API reviews and code reviews to address security issues upfront. In addition, a full suite of tests runs in our Continuous Integration (CI) systems to verify the security measures that have been put in place continue to function on an ongoing basis.
Our core team includes engineers with security training from Microsoft and Symantec (among others), experienced in threat modeling and security reviews. They bring this experience to bear when reviewing the work of other engineers and making security decisions.
Security
Is there a formal procedure for reporting a suspected security violation?
Any security violation should be reported to our Customer Support team (security@mightynetworks.com) to ensure it is logged as a ticket. It will be promptly escalated to engineering for investigation and resolution.
Are Mighty Networks systems subjected to penetration testing?
Yes. Our most recent penetration test was conducted in May 2023.
How does Mighty Networks test for vulnerabilities in its service/application?
Mighty Networks tests for proper security enforcement through our automated testing suite. We also regularly upgrade all software packages/dependencies in order to prevent security vulnerabilities due to third-party code.
API
Does Mighty Networks offer API access? What form do the APIs take?
Customer API access is provided through a third party, Zapier. These APIs cover the actions and triggers most commonly requested by our customers. For more information about what is available, please see here.
Are API calls authenticated and encrypted?
All Zapier API calls are authenticated by a revocable API key and operate only over HTTPS.
All mobile and web traffic (both APIs and HTML) also requires HTTPS. These APIs are authenticated as appropriate for the data and privacy options involved. For example, registration APIs and Network search APIs are public. Similarly, Public Networks that allow content to be viewed publicly do not require authentication for read access. All protected content (in Private/Secret or Plan Access Networks), as well as all write operations, uses OAuth/session authentication on the web and an access token on mobile.
Does Mighty Networks support SAML 2.0 for user authentication?
No.
Process
What code review process does Mighty Networks use?
Before any code is merged into a “master” branch it must be reviewed by at least one other engineer for mobile, and by two other engineers for server code. Code reviews address the security, privacy, performance, and maintainability of the code, as well as anticipating potential bugs and identifying gaps in test coverage.
How does Mighty Networks comply with key regulations?
We do not store any financial instruments (credit cards or full billing addresses), so neither PCI DSS 3.0 nor Sarbanes-Oxley applies. All financial transactions are processed by Stripe or Apple.
We are GDPR and CCPA-compliant. Please see here.
We do not store medical data (except what members share socially in health-related networks), so we do not offer HIPAA compliance.
Data
How does Mighty Networks secure access to the data facilities where customer data is stored?
All data is stored in Amazon Web Services (AWS). For more information, please see here.
Is data deleted completely when deleted from the application?
Data is initially soft-purged so that it can be recovered if it was deleted by mistake. Soft-purged data that has aged out is then permanently deleted on a periodic basis.
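To make the two-stage deletion concrete, here is an added Python example (not Mighty Networks' code) of a soft-delete table: a delete only stamps `deleted_at`, reads hide stamped rows, a restore clears the stamp, and a periodic purge removes only rows whose stamp is older than a retention window. The 30-day window is an assumption; the page gives no figure.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION = timedelta(days=30)   # assumed retention window before hard deletion


@dataclass
class Record:
    id: int
    body: str
    deleted_at: Optional[datetime] = None   # None means the row is live


class SoftDeleteTable:
    """Hypothetical in-memory table with soft delete, restore and periodic purge."""

    def __init__(self) -> None:
        self.rows: dict[int, Record] = {}

    def insert(self, rec: Record) -> None:
        self.rows[rec.id] = rec

    def get(self, rid: int) -> Optional[Record]:
        """Reads never return soft-deleted rows."""
        rec = self.rows.get(rid)
        return rec if rec is not None and rec.deleted_at is None else None

    def soft_delete(self, rid: int, now: datetime) -> bool:
        rec = self.rows.get(rid)
        if rec is None or rec.deleted_at is not None:
            return False
        rec.deleted_at = now
        return True

    def restore(self, rid: int) -> bool:
        """Undo a mistaken delete; only possible until the purge has run."""
        rec = self.rows.get(rid)
        if rec is None or rec.deleted_at is None:
            return False
        rec.deleted_at = None
        return True

    def purge_expired(self, now: datetime, retention: timedelta = RETENTION) -> int:
        """Permanently remove rows soft-deleted at or before now - retention.
        Returns the number of rows hard-deleted."""
        cutoff = now - retention
        expired = [rid for rid, r in self.rows.items()
                   if r.deleted_at is not None and r.deleted_at <= cutoff]
        for rid in expired:
            del self.rows[rid]
        return len(expired)


if __name__ == "__main__":
    t = SoftDeleteTable()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    t.insert(Record(1, "hello"))
    t.soft_delete(1, t0)
    print("visible after delete:", t.get(1))
    print("purged after 10 days:", t.purge_expired(t0 + timedelta(days=10)))
    print("purged after 31 days:", t.purge_expired(t0 + timedelta(days=31)))
```

The purge is idempotent and driven by the stored timestamp rather than by a flag, so running it late or twice never removes anything that has not aged past the window.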
What form of encryption does Mighty Networks use over the wire and at rest?
All communications with the service are encrypted through HTTPS using TLS 1.2 or higher.
Member and Host content is encrypted at rest on AWS.
User passwords are additionally protected at rest by a one-way hash, which cannot be reversed to recover the password.
Mighty Networks does not back up to or store physical media. Backups are handled in AWS.
How does Mighty Networks perform backups?
We use Amazon’s world-class infrastructure. Here is a brief summary of the services we use:
Amazon’s RDS Aurora provides both daily snapshots and point-in-time restore, to the minute, based on transaction logs. For more, see here.
AWS’s ElastiCache has backups configured as well. See here.
Amazon’s Redshift continuously backs up to S3. For more information, see here.
Elasticsearch is snapshotted on a regular basis to Amazon’s S3.
All binary assets are stored in Amazon’s S3, which is fully geo-distributed and backed up.
What is Mighty Networks’ disaster recovery plan?
Every tier of our application infrastructure is fully redundant and resilient to failures.
In the worst-case scenario, should Amazon lose an entire data center (all of Northern Virginia, for example), a large portion of the internet would be non-functional, but Mighty Networks would still be able to recover in under 24 hours. This is the absolute worst-case scenario; the vast majority of outages can be expected to be resolved in a much shorter timeframe.
A full rebuild of the system in another AWS Region would be performed from backups using scripts that are already in place. We perform partial tests of these scripts several times a year when deploying staging or performance-testing environments or maintaining machines in the production system.