Last Reviewed and Updated: 16-Sep-2021
*For clarity, this document solely outlines the security overview for MessageBird products; it does not cover products and services purchased from MessageBird’s Affiliates.
1. Purpose
MessageBird is a cloud communications platform offering a suite of APIs that enable developers and enterprises to communicate with customers in virtually every corner of the planet. It is the platform behind the technology that allows you to call or text your Uber driver or delivery person within the app. It also powers mission-critical communication: Amber Alerts, medication reminders from hospitals, appointment alerts from services like Dr. Doctor, and fraudulent activity notices from banks.
The company has more than 17,000 customers, from rapidly-growing disruptors to innovative enterprises including Uber, Hello Fresh, SAP and DHL. MessageBird enables consumers to connect with businesses in the same way they connect with their friends: seamlessly, on their own timeline and with context. We cater to a wide range of clients and understand that we need to safeguard their customers’ data. We have prepared this documentation to provide assurance that we are serious about security and privacy. Close attention to local rules and regulations, employee screening, and data encryption are just a few of the ways we ensure absolute security and reliability.
2. Security Certification
MessageBird is ISO/IEC 27001:2013 certified.
We are also registered with the Dutch Authority for Consumers and Markets (ACM). This means we’re always accountable and fully transparent with our clients.
We are an Associate Member of the Groupe Speciale Mobile Association (GSMA). The GSMA represents the interests of mobile operators across the globe.
We are always up to date with all applicable laws and regulations, including the General Data Protection Regulation (GDPR).
All our hosting providers are ISO/IEC 27001:2013 compliant, the globally recognised information security standard for Information Security Management Systems (ISMS).
3. Information Security Management System at MessageBird
The goal of information security and the Information Security Management System (ISMS) at MessageBird is to protect the confidentiality, integrity and availability of information to the organization, employees, partners, customers and the (authorised) information systems, and to minimise the risk of damage occurring by preventing security incidents and managing security threats and vulnerabilities.
Our Legal team, Data Protection Officer and Security Team ensure that applicable regulations and standards are factored into our security frameworks. We have a number of policies which refer to the handling and labelling of sensitive, personal and customer data. All our information security policies are reviewed annually.
The Leadership Team of MessageBird is accountable for information security and needs to formally approve decisions regarding the ISMS. The Leadership Team reviews the ISMS on a yearly basis to verify that it is still current and to draft plans to address identified nonconformities.
We have a Security Steering Committee (SSC) which provides a consistent, dedicated forum in which management and staff are directed on the Business As Usual (BAU) aspects of MessageBird security and on maintaining regulatory compliance.
We do not consider security and privacy to be a single person’s responsibility. All MessageBird employees are responsible for safeguarding company assets. All our employees are screened for expertise, experience and integrity. Anyone who works with information within and on behalf of MessageBird must adhere to the requirements of the MessageBird Information Security Policy. Employees are informed about security and privacy at the onboarding stage, as well as through regular team-specific trainings and other general all-hands presentations about data protection and security compliance.
In addition to the Security Steering Committee, we have an Information Security squad and a Security Engineering squad which collaborate on all aspects within the security domain.
4. Security and Privacy Awareness Program
Security and data protection training sessions are carried out during onboarding. There are mandatory team- and job-specific sessions as well. We also run an ongoing annual security and privacy awareness training for all employees.
Non-Disclosure and Confidentiality agreements are signed by employees during onboarding. Secure coding guidelines are provided to all the developers.
5. People Security
All employees undergo a comprehensive screening process prior to being granted access to any of our systems. These checks include criminal, education and employment history. All personnel are required to sign confidentiality agreements to protect customer information, as a condition of employment.
6. Security Policies and Procedures
Our information security program is set up in a systematic and well-organised way. In addition, legal and regulatory requirements apply to ensure the confidentiality, integrity and availability of information to the organization, employees, partners and customers. All of these are translated into our information security policies, procedures and guidelines. The Security team is responsible for these policies and for working with our Engineering, Operations, Customer Support and other tribes to craft procedures that allow them to accomplish their tasks while protecting our customers’ data.
Other main policies are: MessageBird Security Policy, MessageBird Data Protection Policy, MessageBird Data Breach Policy, MessageBird Data Retention Policy, MessageBird Access Rights Policy, Cryptographic Policy, Software Development Policy and Acceptable Usage Policy.
7. Incident Management Program
The Security Team is involved in any incident whose content falls within the following scope:
- Physical security incidents
- Third-party IT security policy violations, attacks or intrusions
- Internal IT security policy violations
- Attempted policy violations, attacks or intrusions
We have policies that define our standards and guidelines of the program, with documented procedures that detail handling, communication, and reporting to customers, regulators, and law enforcement.
The team will follow the Data Breach Notification Procedure to notify relevant internal and external parties.
Security incidents are reviewed regularly by the Security Steering Committee which consists of senior stakeholders from across the business.
8. Infrastructure Security
All of our applications, services and tools are hosted on Google Cloud Platform (GCP). Each engineering team has fully isolated development, staging and production environments.
Customer data is logically segmented.
Other controls are:
- Multi factor authentication
- Vulnerability Management
- Perimeter Security
- Data Encryption
- JAMF to centrally manage and harden devices
- Monitoring of Admin Activity, Data Access, and System Event logs
- Annual third-party penetration test on our customer-facing systems
MessageBird has adopted “Work from Anywhere”, so our employees are free to work from any place they want. However, we still have our office premises. We have no secure areas on our premises. Our office floors are protected by physical access controls, CCTV and manned security.
MessageBird takes a unified approach to patch and vulnerability management to ensure that our standard SLA timelines are maintained whether vulnerabilities exist in our underlying infrastructure, operating platforms or source code.
9. Change Management
MessageBird follows a consistent change management process for all changes to the Communication Platform as a Service production environment. All RFCs need to be approved by a designated party and executed according to the formal change control process. The control process ensures that proposed changes are reviewed, authorised, tested, implemented and released in a controlled manner, and that the status of each proposed change is monitored.
10. Encryption
All personal data is encrypted in transit and at rest, and, to the extent relevant from a security standpoint, treated as if it were classified as sensitive data. GCP stores encrypted data by default. We have also taken further measures by implementing record-level encryption of sensitive and customer data.
Information is always transmitted over TLS with up-to-date encryption methodologies by default.
11. Access Management
MessageBird follows the principles of “need to know” and least privilege. We promote the use of role-based access control. Provisioning and deprovisioning is overseen by the security team, with SSO and 2FA by default.
Owners have been defined for each information asset and are responsible for ensuring that access to their systems is appropriate and reviewed on a regular basis. Whenever dealing with sensitive information or taking critical action, we use the four-eyes principle.
Access is terminated on the same day if and when an employee leaves MessageBird.
12. Data Retention
MessageBird will either return or delete customer data (or both) as instructed by the customer. However, in compliance with the applicable laws and regulations, we only retain personal data when we have a specified purpose that allows us to keep it. Our legal obligations include:
- Detection and prevention of misuse of MessageBird's services and products (such as fraud, phishing and other fraudulent behaviour), for which account holder data, traffic data and content data are retained for 6 months after the electronic communication;
- Financial purposes: obligations from the Dutch tax authorities and EU MOSS, for which invoices and the personal data related to them are retained for 7-10 years;
- Proof that requests to exercise rights have been fulfilled: MessageBird has to be able to show that requests made have been fulfilled based on the Dutch General Administrative Law Act (Algemene Wet Bestuursrecht), for which confirmation emails and closed tickets are kept for 5 years;
- Provision of the services, for which account holder data is retained for as long as the service is used.
13. Application Security
Applications are designed and developed based on the MessageBird Secure Code Guidelines:
- Appropriate corrections are implemented prior to release
- Code changes are reviewed by skilled individuals (who are familiar with code review and secure development) other than the originating developers
- Code reviews are performed to ensure code is developed according to secure coding guidelines such as OWASP
- Applications undergo rigorous application security testing to identify any new threats and vulnerabilities at least annually (in accordance with industry standards and best practice)
- All code changes for applications that are pushed to production environments are reviewed using manual and/or automated processes
Penetration tests are conducted annually and on a case-by-case basis for new products and features. Automated source code analysis tools, chosen according to the language, are used to detect security defects in code prior to deployment.
14. Third Party Risk Management
Within MessageBird a clear distinction is made between two categories of third parties: vendors and suppliers.
A supplier is a third party providing communication connectivity services to MessageBird. A vendor is a third party providing ‘ancillary services’, required for the day-to-day business operations. These services do not directly affect the communication products as part of the CPaaS environment.
In order to ensure that third party security management is applied consistently and continuously throughout the provision of the services, third party vetting procedures have been defined and implemented:
- Third-Party Vendor Vetting Procedure
- Third-Party Supplier Vetting Procedure
MessageBird manages third-party services and security by applying a strict risk-based approach.
15. Business Continuity and Disaster Recovery
MessageBird's business continuity policy is to prepare MessageBird in the event of extended outages caused by factors beyond its control and to restore services to the widest extent possible in a minimum time frame.
All of our business continuity plans are designed to ensure the recovery and restoration of our platform services while minimizing negative impact. We understand that the services we provide are mission critical to our customers and therefore have very little tolerance for service disruptions. Our timeframes for recovery are designed to ensure we can meet our obligations to all of our customers. We do not provide RTOs for review. Customers can subscribe to real-time status updates for all MessageBird services at https://status.messagebird.com/