COMPLIANCE & SECURITY
Cloud Security
Our security, confidentiality, and availability architecture is built on ISO 27001:2013 controls, SOC 2 Focus Points, PCI DSS, and the HIPAA framework, so that our protection controls follow industry best practice.
Physical Security and Data hosting
Mezmo uses Amazon Web Services (AWS) Data Centers which are located in the United States of America. For IBM Customers, there are data centers located across multiple regions.
Dedicated Security Team
Mezmo's Security Team is actively monitoring and on-call to respond to security alerts and/or events.
Logical Access
Mezmo's Production Environment uses a role-based access control (RBAC) security architecture and requires users of the system to be identified and authenticated before they use any system resources. Resources are protected through native system security and add-on software products that identify and authenticate users and validate access requests against the users' authorized roles in access control lists. These measures are actively monitored and audited against industry-standard frameworks. Access reviews are performed quarterly to ensure all access is appropriate.
Back Ups
Mezmo does not store customer log data for more than 30 days. For longer retention, we provide an archiving service that automatically exports older logs to the customer's preferred cloud storage service. Mezmo offers 7-, 14-, and 30-day searchable log data plans, and our systems are configured to automatically and securely purge the logs after 30 days.
Disaster Recovery
Non-log production data are replicated among discrete operating environments to protect the availability of Mezmo's service in the event of a catastrophic event. Mezmo performs restoration testing annually to ensure the completeness and accuracy of backup data. Mezmo's data archiving service mitigates the loss of customer logs in the event of a catastrophic event.
Intrusion Detection and Prevention
Mezmo utilizes intrusion detection and prevention systems to detect and/or prevent intrusions into the environment. Active monitoring, alerts, and tools are in place to ensure action is taken by the appropriate on-duty teams if any intrusion and/or security events exceed predetermined thresholds.
Pentests & Vulnerability Scanning
Mezmo utilizes third-party security scanning tools to perform continuous vulnerability scans. Our dedicated security team reviews and responds to the security vulnerabilities in a timely manner. Annually, we engage independent third-party security experts to perform detailed penetration tests on the Mezmo application and network.
Security Incident Response
Mezmo has established policies and procedures for responding to potential security incidents. All incidents are managed by Mezmo's dedicated Incident Response Team. Mezmo defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.
Encryption
Mezmo transmits data over public networks using strong encryption. This includes data transmitted between Mezmo clients and the Mezmo service. Mezmo supports the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS protocols, encryption, and hashing algorithms, as supported by the clients. Encryption is also applied to all types of data at rest within Mezmo's systems.
SECURE BY DESIGN - APPLICATION SECURITY
Mezmo's products and capabilities have been designed to be foundationally secure.
Software Development Life Cycle (SDLC)
Mezmo assesses the security risk of each software development project according to our Secure Development Lifecycle. Before completion of the design phase, Mezmo undertakes an assessment to qualify the security risk of the software changes introduced. This risk analysis leverages the OWASP Top 10. Based on this analysis, Mezmo creates a set of requirements that must be met before the resulting change may be released to production. All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing. Annually, engineers are required to participate in secure code training covering the OWASP Top 10 security risks, common attack vectors, and security controls.
Framework Security Controls
Mezmo leverages modern, secure frameworks whose built-in security controls limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS), Buffer Overflows, Broken Authentication/Session Management, and Cross-Site Request Forgery (CSRF), among others.
Separate Environments
Testing and staging environments are logically separated from the Production environment. No Production Data is used in our development or test environments.
ORGANIZATIONAL SECURITY
Mezmo has established a security program dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our security program is aligned with the SOC 2, ISO 27001:2013, HIPAA and PCI standards and is regularly audited and assessed by third parties.
Onboarding and Training
All employees complete the latest available Security and Awareness training modules during onboarding and annually thereafter.
Personnel Security
Mezmo's personnel practices apply to all members of the Mezmo workforce. All workers are required to understand and follow internal policies and standards. Upon termination of work at Mezmo, all access to Mezmo systems is removed immediately.
Policies and Procedures
Mezmo maintains a set of policies, standards, procedures, and guidelines ("security documents") that provide the Mezmo workforce with the "rules of the road" for operating. Our security documents help ensure that Mezmo customers can rely on our workers to behave ethically and on our service to operate securely. These policies are living documents: they are regularly reviewed, updated as needed, and made available to all workers to whom they apply.
Employee Screening
Mezmo performs background checks on all new employees in accordance with local, federal and state laws applicable to our business.
Confidentiality
All employee contracts include a confidentiality agreement.
Compliance
HIPAA
The Health Insurance Portability and Accountability Act of 1996 Title II (HIPAA) addresses safeguards to secure electronic protected health information (ePHI), including log management and audit requirements. Mezmo's systems and processes are fully compliant with HIPAA, and we are audited for HIPAA and HITECH compliance every year by a third-party qualified security assessor. For customers on our HIPAA-compliant logging plan, Mezmo will sign a Business Associate Agreement (BAA) and take on the associated legal liability of handling your sensitive data.
To support compliance, Mezmo provides a secure and convenient archiving service for logs older than the retention period of your Mezmo plan. Please contact your account manager or outreach@mezmo.com to request Mezmo's most recent report.
GDPR
Mezmo is committed to ensuring the highest level of privacy protection. As a General Data Protection Regulation (GDPR) compliant organization, Mezmo applies standardized data privacy protections to the personal data of EU individuals, regardless of where the organizations processing that data are located.
SOC 2 Type 2
The SOC 2 Report demonstrates Mezmo's commitment to meeting the most rigorous security, availability, and confidentiality standards in the industry. It verifies that Mezmo's security controls are in accordance with the AICPA Trust Services Principles and Criteria. Please contact your account manager or outreach@mezmo.com to request Mezmo's most recent report.
PCI-DSS
Mezmo has been audited by an independent PCI-DSS Qualified Security Assessor (QSA) and is certified as a PCI-DSS Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.
Please contact your account manager or outreach@mezmo.com to request Mezmo's most recent report.
DATA PRIVACY FRAMEWORK
To comply with EU data protection requirements, Mezmo complies with the Data Privacy Framework (DPF). The DPF enacts protections for the personal data of EU individuals when it is transferred to the United States.
Learn more about Mezmo’s Active Participant Detail with DPF.
CCPA
Mezmo complies with the California Consumer Privacy Act (CCPA) and supports our customers’ compliance with the CCPA. As a provider of enterprise log management tools, Mezmo is primarily a service provider under the CCPA. You can read more about Mezmo's commitment to compliance in our Privacy Policy.
Digital Services Act
In accordance with the Digital Services Act, we have appointed a representative to handle compliance matters. You can contact our DSA representative at:
Name: Data Protection Representative Limited (trading as DataRep)
Postal Address: DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
Email: digitalrequest@datarep.com
Telephone: +353 (1) 919 8899
ISO 27001
Mezmo Inc. achieves ISO 27001:2013 Certification
San Jose, CA – November 2, 2022 – Mezmo Inc., the industry leader in centralized log management, today announced that it has received ISO 27001:2013 certification for its Information Security Management System (ISMS).
ISO 27001:2013 is an information security standard published by the International Organization for Standardization (ISO), the world's largest developer of voluntary international standards, and the International Electrotechnical Commission (IEC). Mezmo Inc.'s certification was issued by A-lign, an independent and accredited certification body based in the United States, on successful completion of a formal audit process. This certification is evidence that Mezmo Inc. has met rigorous international standards in ensuring the confidentiality, integrity, and availability of the defined scope.
Mezmo is compliant with CCPA, GDPR, HIPAA, SOC 2, PCI-DSS, and the US/EU Privacy Shield.