MessageBird Security Overview

Last Reviewed and Updated: 16 December 2022

1. Purpose

MessageBird is a cloud communications platform offering a suite of APIs that enable developers and enterprises to communicate with customers in virtually every corner of the planet. It is the platform behind the technology that allows you to call or text your Uber driver or delivery person within the app. It also powers mission-critical communication: medication reminders from hospitals, appointment alerts from health care services, and fraudulent activity notices from banks. The company has more than 25,000 customers, from rapidly-growing disruptors to innovative enterprises. MessageBird enables consumers to connect with businesses in the same way they connect with their friends — seamlessly, on their own timeline and with context. MessageBird caters to a wide range of clients and understands that it needs to safeguard its customers’ data. MessageBird has prepared this documentation to provide assurance that MessageBird is committed to providing best-practice security and privacy technical and organizational measures. Close attention to local rules and regulations, employee screening, and data encryption are just a few of the ways MessageBird ensures security and reliability.

2. Certifications and Registrations

MessageBird’s communications infrastructure and the products that run over it are ISO/IEC 27001:2013 certified, SOC 2 Type II certified, or both.

MessageBird is also registered with the Dutch Authority for Consumers and Markets (ACM). This means MessageBird is always accountable and fully transparent with its clients.

MessageBird is an Associate Member of the Groupe Speciale Mobile Association (GSMA). The GSMA represents the interests of mobile operators across the globe.

MessageBird conducts its business in accordance with all applicable laws and regulations, including the General Data Protection Regulation (GDPR).

All hosting service providers are SOC 2 Type II and ISO/IEC 27001:2013 certified, the globally recognized information security standards for Information Security Management Systems (ISMS).

3. Information Security Management System at MessageBird

The goal of information security and the Information Security Management System (ISMS) at MessageBird is to protect the confidentiality, integrity and availability of information for the organization, employees, partners, customers and the (authorized) information systems, and to minimize the risk of damage by preventing security incidents and managing security threats and vulnerabilities. The MessageBird Legal Team, Data Protection Officer and Security Team ensure that applicable regulations and standards are factored into its security frameworks. MessageBird has a number of policies that cover the handling and labeling of sensitive, personal and customer data. All information security policies are reviewed annually.

The Leadership Team of MessageBird is accountable for information security and must formally approve decisions regarding the ISMS. The Leadership Team reviews the ISMS on a yearly basis to verify that it is current and to draft plans to address identified non-conformities. MessageBird has a Security Steering Committee (SSC), which provides a consistent, dedicated forum in which management and staff are directed on the business-as-usual aspects of MessageBird security and on maintaining information security compliance.

MessageBird does not consider security and privacy to be a single person’s responsibility. All MessageBird employees are responsible for safeguarding company assets. All MessageBird employees are screened for expertise, experience and integrity. Anyone who works with information within or on behalf of MessageBird must adhere to the requirements of the MessageBird Information Security Policy. Employees are informed about security and privacy at the onboarding stage, as well as through regular team-specific trainings and general all-hands presentations about data protection and security compliance.

In addition to the Security Steering Committee, MessageBird has an Information Security Squad and a Security Engineering Squad, which work together on all aspects of the security domain, including the formation of a Technical SSC.

4. Security and Privacy Awareness Program

Security and data protection training sessions are carried out during onboarding. There are mandatory team/job-specific sessions as well. MessageBird has an ongoing annual security and privacy awareness training for all employees.

Non-Disclosure and Confidentiality Agreements are signed by employees during onboarding.

Secure coding guidelines are provided to all the developers.

5. People Security

All employees undergo a comprehensive screening process prior to being granted access to any MessageBird systems. These checks include criminal, education and employment history. All personnel are required to sign confidentiality agreements to protect customer information as a condition of employment.

6. Security Policies and Procedures

The MessageBird information security program is set up in a systematic and well-organised way. In addition, legal and regulatory requirements apply to ensure the confidentiality, integrity and availability of information to the organization, employees, partners and customers. All these are translated into information security policies, procedures and guidelines. The Security Team is responsible for these policies and for working with Engineering, Operations, Customer Support and other tribes to craft procedures that allow them to accomplish their tasks while protecting customers’ data. Some of the policies are: Information Security Policy, Incident Management Policy, Business Continuity Policy, Data Protection Policy, Data Retention Policy, Data Classification Policy, Access Control Policy, Cryptographic Key Management Policy, Secure Development Policy, and an Acceptable Use Policy.

7. Incident Management Program

The Security Team is involved in any incident that falls within the following scope:

  • Physical security incidents

  • Third-party IT security violations, attacks or intrusions

  • Internal IT security policy violations

  • Attempted policy violations, attacks or intrusions

MessageBird has policies that define its standards and guidelines of the program, with documented procedures that detail handling, communication, and reporting to customers, regulators, and law enforcement.

MessageBird will follow the Data Breach Notification Procedure to notify relevant internal and external parties.

Security incidents are reviewed regularly by the Security Steering Committee which consists of senior stakeholders from across the business.

8. Infrastructure Security

All of the MessageBird applications, services, and tools are hosted on either Google Cloud Platform (GCP) or Amazon Web Services (AWS).

All systems have fully isolated development, staging and production environments. Customer data is logically segmented. Some of these controls are:

  • Multi-factor authentication

  • Vulnerability management

  • Perimeter security

  • Data encryption

  • Central device management and hardening

  • Monitoring of admin activity, data access, and system event logs

  • Annual third-party penetration test on customer-facing systems

MessageBird has allowed “Work from Anywhere” so that employees are free to work from any place they want. However, MessageBird still has its office premises. Office floors are protected by physical access controls, CCTV and manned security.

MessageBird takes a unified approach to patch and vulnerability management to ensure that its standard SLA timelines are maintained whether vulnerabilities exist in the underlying infrastructure, operating platforms or source code.

9. Change Management

MessageBird follows a consistent change management process for all the changes to the Communication Platform as a Service production environment. To elaborate further, all changes need to be approved by a designated party and executed according to the formal change control process. The control process ensures that changes proposed are reviewed, authorised, tested, implemented, and released in a controlled manner; and that the status of each proposed change is monitored.

10. Encryption

All personal data is encrypted in transit and at rest and, to the extent relevant from a security standpoint, treated as if it were classified as sensitive data. GCP stores encrypted data by default and MessageBird utilizes encrypted options within AWS. MessageBird has also taken further measures by implementing record-level encryption of sensitive and customer data.

Information is always transmitted over TLS with up-to-date encryption configurations by default.

11. Access Management

MessageBird follows the principles of “need to know” and least privilege. MessageBird promotes the use of role-based access control. Provisioning and de-provisioning are overseen by the Security Team, with SSO and MFA by default.

An owner is defined for each information asset and is responsible for ensuring that access to the asset is appropriate and is reviewed on a regular basis.

Whenever dealing with sensitive information or taking critical action, MessageBird uses the four-eyes principle.

Access is terminated on the same day if and when an employee leaves MessageBird.

12. Data Retention

MessageBird will either return or delete customer data (or both) as instructed by the customer. However, in compliance with applicable laws and regulations, MessageBird is required to retain certain personal and business data in order to fulfil legal obligations. These legal obligations include:

  • Record keeping and financial purposes; obligations to retain records of transactions for between five and ten years. Such records include but are not limited to books of account, invoices, tax statements, contracts, letters, emails, memoranda or other transactional papers;

  • Detection and prevention of misuse of MessageBird's services and products (such as fraud, phishing and other fraudulent behavior), for which account holder data, traffic data and content data are retained for six months after the transmission of the electronic communication;

  • Proof that requests to exercise data subject rights have been fulfilled. When requested, MessageBird has to be able to demonstrate to the supervisory authorities that such requests have been fulfilled, for which confirmation emails and closed tickets are kept for up to five years;

  • Provision of the services, for which customer account holder data is retained for as long as the service is used.

13. Application Security

Applications are designed and developed based on the MessageBird Secure Code Guidelines:

  • Appropriate corrections are implemented prior to release;

  • Code changes are reviewed by skilled individuals (who are familiar with code review and secure development) other than the originating developers;

  • Code reviews are performed to ensure code is developed according to secure coding guidelines such as OWASP;

  • Applications will undergo rigorous application security testing to identify any new threats and vulnerabilities at least annually (in accordance with industry standards and best practice);

  • All code changes for applications that are pushed to production environments are reviewed using manual and/or automated processes.

Penetration tests are conducted annually and case-by-case on new products/features.

Automated source code analysis tools, selected according to the programming language, are used to detect security defects in code prior to deployment.

14. Third-Party Risk Management

Within MessageBird, a clear distinction is made between two categories of third parties: vendors and suppliers.

A supplier is a third party providing communication connectivity services to MessageBird.

A vendor is a third party providing ‘ancillary services’, required for the day-to-day business operations. These services do not directly affect the communication products as part of the CPaaS environment.

In order to ensure that third-party security management is applied consistently and continuously throughout the provision of the services, third-party vetting procedures have been defined and implemented:

  • Third-Party Vendor Vetting Procedure

  • Third-Party Supplier Vetting Procedure

MessageBird manages third-party services and security by applying a strict risk-based approach.

15. Business Continuity and Disaster Recovery

MessageBird's business continuity policy is to prepare MessageBird in the event of extended outages caused by factors beyond its control and to restore services to the widest extent possible in a minimum time frame.

Business continuity plans are designed to ensure the recovery and restoration of the MessageBird platform services while minimising negative impact. MessageBird understands that the services it provides are mission critical to its customers, who therefore have very little tolerance for service disruptions. Timeframes for recovery are designed to ensure MessageBird can meet its obligations to all of its customers. MessageBird does not provide RTOs for review. Customers can subscribe to real-time status updates for all MessageBird services at https://status.messagebird.com/, https://status.pusher.com/, and https://status.sparkpost.com/.
