MeBeBot, Inc.’s security & compliance principles guide how we deliver our products and services, enabling people to access the digital world simply and securely. We pride ourselves on training, managing, and maintaining best-in-class security practices and controls to protect our customers and our product.
Secure Personnel
MeBeBot, Inc. takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to their resources.
- All MeBeBot, Inc. contractors and employees undergo background checks prior to employment in accordance with local laws and industry best practices.
- Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
- We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.
Secure Development
- All development projects at MeBeBot, Inc., including on-premises software products, support services, and our own offerings follow secure development lifecycle principles.
- All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.
- All team members that are regularly involved in any system development undergo annual secure development training in coding or scripting languages that they work with as well as any other relevant training.
- Software development is conducted in line with OWASP Top 10 recommendations for web application security.
Secure Testing
MeBeBot, Inc. deploys third-party penetration testing and vulnerability scanning of all production and Internet-facing systems on a regular basis.
- All new systems and services are scanned prior to being deployed to production.
- We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products to ensure a comprehensive and real-world view of our products & environment from multiple perspectives.
- We perform static and dynamic software application security testing of all code, including open-source libraries, as part of our software development process.
Cloud Security
MeBeBot, Inc.’s solution provides maximum security with a modern, multi-tenant cloud architecture.
MeBeBot, Inc.’s solution leverages the native physical and network security features of the cloud service and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.
- All data is also encrypted at rest and in transmission to prevent any unauthorized access and prevent data breaches. Our entire platform is also continuously monitored by dedicated, highly trained MeBeBot, Inc. experts.
- Client’s data protection complies with SOC 2 standards to encrypt data in transit and at rest, ensuring customer and company data and sensitive information is protected at all times.
- We implement role-based access controls and the principles of least privileged access, and review revoke access as needed.
Compliance
MeBeBot, Inc. is committed to providing secure products and services to safely and easily manage billions of digital identities across the globe. Our external certifications provide independent assurance of MeBeBot, Inc.’s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices MeBeBot, Inc. has in place.
Reporting
If you believe you have found a security vulnerability relating to our solution, please submit a vulnerability report to [email protected].
In your report, please include details of:
- The website, IP or page where the vulnerability can be observed.
- A brief description of the type of vulnerability, for example, “XSS vulnerability”.
- Steps to reproduce. These should be benign, non-destructive, proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.
What to expect
After you have submitted your report, we will respond and aim to keep you informed of our progress.
Priority for remediation is assessed by looking at the impact, severity, and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status but should avoid doing so more than once every 14 days. This allows our teams to focus on remediation.
We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.
Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify our guidance, so please do continue to coordinate public release with us.
Guidance
You must NOT:
- Break any applicable law or regulations.
- Access unnecessary, excessive, or significant amounts of data.
- Modify data in our systems or services.
- Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
- Attempt or report any form of denial of service, e.g., overwhelming a service with a high volume of requests.
- Disrupt our services or systems.
- Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers.
- Submit reports detailing Transport Layer Security (“TLS”) configuration weaknesses, for example, “weak” cipher suite support or the presence of TLS1.0 support.
- Communicate any vulnerabilities or associated details other than to [email protected].
- Social engineer, ‘phish’ or physically attack our staff or infrastructure.
- Demand financial compensation in order to disclose any vulnerabilities.
You must:
- Always comply with data protection rules and must not violate the privacy of any data that MeBeBot, Inc. holds. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
- Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
Legalities
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause MeBeBot, Inc. or our partner organizations to be in breach of any legal obligations.
SOC 2 Type 2
MeBeBot, Inc. successfully completed the AICPA Service Organization Control (SOC) 2 Type 2 audit. Achieving SOC 2 Type 1 certification confirms that MeBeBot, Inc.’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security. SOC 2 Type 2 certification takes it a step further by evaluating the controls over a longer period of time to ensure that the design and operational effectiveness meet requirements.
MeBeBot, Inc. was audited by Prescient Assurance, a leader in security and compliance certifications for B2B, SaaS companies worldwide. Prescient Assurance is a registered public accounting firm in the US and Canada that provides risk management and assurance services which includes but is not limited to SOC 2, PCI, ISO, NIST, GDPR, CCPA, HIPAA, CSA STAR etc. For more information about Prescient Assurance, you may reach out to them at [email protected]
An unqualified opinion on a SOC 2 Type I audit report demonstrates to MeBeBot, Inc.’s current and future customers that they manage their data with the highest standard of security and compliance.
Customers and prospects can request access to the audit report here.
For questions about security, contact [email protected]