Policies
Last modified: February 3rd, 2023
Mailjoy has established a set of principles and rules (Information Security Management Program, "ISMP") for how we maintain trust and security programs. We accomplish this by continually evaluating risks to our operations and improving the security, confidentiality, integrity, and availability of our Mailjoy services. We regularly review and update security policies, perform application and network security testing of our environment, and monitor compliance with security policies.
Below is a list and short description of our major Security & Technology policies that Mailjoy has put in place for our internal & cloud environments.
Information Security Policy
This policy sets out the general principles and guidelines for managing information security at Mailjoy.
In short, the basic principles include:
- Mailjoy will manage access to company information and customer information based on business need.
- Mailjoy will implement a series of controls to manage the implementation of security in line with this policy
- Mailjoy will periodically review risks and the effectiveness of controls intended to manage those risks
- Mailjoy will maintain support for and show commitment in achieving compliance with applicable PII protection legislation and our Privacy Policy
Identity & Access Control Policy
This policy sets out the general principles and guidelines for data access management.
In short, the basic principles include:
- Mailjoy will maintain an Access Control policy outlining how to manage access to systems
- Individual user accounts will be used to manage access
- All users have responsibility to manage access to their systems
- Systems will be logged and monitored for potential inappropriate access
- Remote access will be enabled via multi-factor authentication
- Duties should be segregated where appropriate
Asset Management Policy
This policy sets out the general principles and guidelines for management of our IT assets and how those assets should be handled.
In short, the basic principles include:
- Mailjoy will maintain an inventory of assets;
- Assets maintained in an asset management database will have identified owners;
- Acceptable use of assets will be identified, documented and implemented;
- Assets will be returned to Mailjoy if employment is terminated.
Disaster Recovery Policy
This policy sets out the general principles that establish our approach toward resilience, availability and continuity of processes, systems and services at Mailjoy. It defines requirements around business continuity, disaster recovery and crisis management processes.
In short, the basic principles include:
- Mission critical system, process or Service Owners must ensure proper Business Continuity and/or Disaster Recovery that is in line with the tolerance for disruption in case of disaster.
- Continuity plans must include an appropriate fail-over environment that provides core functionality (at a minimum), and a plan to fail over to that environment. Considerations for business-as-usual resumption must also be included.
- No mission critical system, process or function may be deployed in production without an appropriate continuity plan
- Plans must be tested quarterly and issues identified and addressed.
Network Security Policy
This policy sets out the general principles and guidelines for managing the security of our networks.
In short, the basic principles include:
- Network access should be controlled
- Network access is supplied and all users should be familiar with all Security Policies
Data Encryption Policy
This policy sets out the general principles to ensure that Mailjoy implements appropriate encryption & cryptography to ensure confidentiality and integrity of critical data. Mailjoy deploys cryptographic mechanisms to mitigate the risks involved in storing sensitive information and transmitting it over networks, including those that are publicly accessible (such as the internet). Facilitating the use of encryption technologies that are reliable, secure and proven to work effectively is a key objective of this standard in order to mitigate the risk of unauthorised access to and/or modification of sensitive company information.
In short, the basic principles include:
- Sensitive data is encrypted appropriately;
- Strength of selected encryption corresponds with information classification;
- Cryptographic keys will be securely managed;
- Only approved cryptographic algorithms will be used.
Data Classification Policy
This policy establishes and defines data classification ratings and includes descriptions, examples, requirements, and guidelines regarding the treatment of data included within each classification rating. The classification ratings are based on legal requirements, sensitivity, value, and criticality of the data to Mailjoy, Mailjoy's customers, and Mailjoy's partners and vendors.
In short, the basic principles include:
- Data must be classified in terms of legal requirements, value, and criticality to Mailjoy
- Data must be identified and labeled and kept current in a data flow map to ensure appropriate handling
- Media being disposed of must be securely deleted
- Media containing company information must be protected against unauthorized access, misuse, or corruption during transport
Data Incident & Breach Response
This policy sets out the general principles and guidelines to ensure that Mailjoy reacts appropriately to any actual or suspected security incidents. Mailjoy has a responsibility to monitor for incidents that occur within the organisation that may breach confidentiality, integrity or availability of information or information systems. All suspected incidents must be reported and evaluated. The policy has been implemented so that the Mailjoy team can limit their duration and adverse impact on Mailjoy and its customers as well as learn from incidents.
In short, the basic principles include:
- Anticipate security incidents and prepare for incident response
- Contain, eradicate and recover from incidents
- Invest in our people, processes and technologies to ensure we have the capability to detect and analyze a security incident when it occurs
- Make protection of Personal data and customer data the top priority during security incidents
- Regularly exercise the security incident response process
- Learn from and improve the security incident management function
- Communicate critical security incidents to the Mailjoy leadership team
Third Party Vendor Policy
This policy sets out the general principles and guidelines to select, engage, monitor and off-board third party vendors.
In short, the basic principles include:
- Mailjoy will be purposeful in managing our vendor selection process
- All suppliers must be onboarded and managed in accordance with Mailjoy's vendor risk management and due diligence processes
- Mailjoy will perform oversight of the relationship to ensure it meets our standards
- Mailjoy reserves the right to terminate the contract with any vendor when the service is no longer required
Cybersecurity Policy
This policy sets out the general principles and guidelines for managing security threats and vulnerabilities both in our environment and in our products.
In short, the basic principles include:
- Manage security vulnerabilities in our products and services, including issuing updates, patches or advisories
- Manage security threats and vulnerabilities throughout our environment, both internal and hosted environments
- Manage the threat of malware in the environment
Compliance & Audit Policy
This policy sets out the general principles for managing and auditing control compliance at Mailjoy.
In short, the basic principles include:
- We implement controls to properly manage risk and ensure compliance with relevant policies, regulations and external industry standards
- We use audits as a way to verify the appropriateness and operational effectiveness of our controls
- Audits are coordinated and delivered as appropriate to achieve a high level of confidence in our control environment, as well as to achieve internal or external certification
- Mailjoy maintains a consolidated view of all its relevant control objectives, control activities and tests