Infrastructure Security
Cloud Hosting Provider
Merken IT. does not host any product systems or data within its physical offices. Merken IT. outsources hosting of its product infrastructure to leading cloud infrastructure providers such as Google Cloud Platform Services and Amazon Web Services. Our product infrastructure resides in the United States. We place reliance on Google’s and AWS’s audited security and compliance programs for the efficacy of their physical, environmental, and infrastructure security controls.
Google provides a monthly uptime percentage to customers of at least 99.5%. You can find more information about the controls, processes, and compliance measures implemented by Google on their publicly available Compliance Resource Center.
AWS guarantees between 99.95% and 100% service reliability, ensuring redundancy to all power, network, and HVAC services. The business continuity and disaster recovery plans for the AWS services have been independently validated as part of their SOC 2 Type 2 report and ISO 27001 certification. AWS’s compliance documentation and audit reports are publicly available at the AWS Cloud Compliance Page and the AWS Artifacts Portal.
Network and Perimeter
The Merken IT. product infrastructure enforces multiple layers of filtering and inspection on all connections across our web application, logical firewalls, and security groups. Network-level access control lists are implemented to prevent unauthorized access to our internal product infrastructure and resources. By default, firewalls are configured to deny network connections that are not explicitly authorized. Changes to our network and perimeter systems are controlled by standard change control processes. Firewall rulesets are reviewed periodically to help ensure that only necessary connections are configured.
Configuration Management
Automation drives Merken IT.’s ability to scale with our customers’ needs and rigorous configuration management is baked into our day-to-day infrastructure processing. The product infrastructure is a highly automated environment that expands capacity as needed. All server configurations are embedded in images and configuration files, which are used when new containers are provisioned. Each container includes its own hardened configuration and changes to the configuration and standard images are managed through a controlled change pipeline.
Server instances are tightly controlled from provisioning through deprovisioning, ensuring that deviations from configuration baselines are detected and reverted at a predefined cadence. In the event that a production server deviates or drifts from the baseline configuration, it will be overwritten with the baseline within 30 minutes. Patch management is handled using automated configuration management tools or by removing server instances that are no longer compliant with the expected baseline.
Logging
Actions and events that occur within the Merken IT. application are consistently and comprehensively logged. These logs are indexed and stored in a central logging solution hosted in Merken IT.’s cloud environment. Security relevant logs are also retained, indexed, and stored to facilitate investigation and response activities. The retention period of logs depends on the nature of the data logged. Write access to the storage service in which logs are stored is tightly controlled and limited to a small subset of engineers who require access.
Alerting and Monitoring
Merken IT. invests in automated monitoring, alerting, and response capabilities to continuously address potential issues.
The Merken IT. product infrastructure is instrumented to alert engineers and administrators when anomalies occur. In particular, error rates, abuse scenarios, application attacks, and other anomalies trigger automatic responses or alerts to the appropriate teams for response, investigation, and correction. Many automated triggers are also designed to immediately respond to anomalous situations. For example, traffic throttling, process termination, and similar functions are triggered at predefined thresholds.
Application Security
Web Application Defenses
All customer content hosted on the platform is protected by firewall and application security. The monitoring tools actively monitor the application layer and can alert on malicious behavior based on behavior type and session rate. The rules used to detect and block malicious traffic are aligned to the best practice guidelines documented by the Open Web Application Security Project (OWASP), specifically the OWASP Top 10 and similar recommendations. Protections from Distributed Denial of Service (DDoS) attacks are also incorporated, helping to ensure customers’ web sites and other parts of the Merken IT. products are continuously available.
Development and Release Management
Merken IT. optimizes our products through a modern continuous delivery approach to software development. New code is regularly deployed. Code reviews, testing, and merge approval is performed before deployment. Static code analysis runs regularly against code repositories and blocks known misconfigurations from entering the code base. Approval is controlled by designated repository owners and once approved, code is automatically submitted to Merken IT.’s continuous integration environment where compilation, packaging, and unit testing occur.
Dynamic testing for security vulnerabilities is performed periodically against our applications. Newly developed code is first deployed to a dedicated and separate QA environment for the last stage of testing before being promoted to production. Network-level and project-level segmentation prevents unauthorized access between QA and production environments. All code deployments are automated and in case of failures, the changes can be reverted. The deploying team manages notifications regarding the health of their applications and if a failure occurs, rollback processes are immediately engaged. We use extensive software gating and traffic management to control features based on customer preferences (private beta, public beta, full launch).
Merken IT. features seamless updates and, as a SaaS application, there is no downtime associated with releases. Major feature changes are communicated through in-app messages and/or product update posts.
Vulnerability Management
The Merken IT. team manages a multi-layered approach to vulnerability management, using a variety of industry-recognized tools and threat feeds to ensure comprehensive coverage of our technology stack. Vulnerability scans are configured to scan for vulnerabilities on a regular basis, using adaptive scanning inclusion lists for asset discovery as well as the latest vulnerability detection signatures. We perform annual penetration tests against our applications and infrastructures to identify vulnerabilities that may present security related risks. Relevant findings are assessed, and mitigations are prioritized accordingly.
Customer Data Protection
Data Classification
Per the Merken IT.’s Terms of Service, our customers are responsible for ensuring they only capture appropriate information to support their marketing, sales, services, content management, and operations processes. The Merken IT. products should not be used to collect or store sensitive information, such as credit or debit card numbers, financial account information, Social Security numbers, passport numbers, financial or health information except as otherwise permitted.
Tenant Separation
Merken IT. provides a multi-tenant SaaS solution where customer data is logically separated using unique IDs to associate data and objects to specific customers. Authorization rules are incorporated into the design architecture and validated on a continuous basis. Additionally, we log application authentication and associated changes, application availability, and user access and changes are logged.
Encryption
All data is encrypted in transit with TLS version 1.2, or 1.3 and 2,048 bit keys or better. Transport layer security (TLS) is also a default for customers who host their websites on the Merken IT. platform.
Merken IT. leverages several technologies to ensure stored data is encrypted at rest. Platform data is stored using AES-256 encryption. User passwords are hashed following industry best practices and are encrypted at rest.
Key Management
Encryption keys for both in transit and at rest encryption are securely managed by the Merken IT. platform. TLS private keys for in transit encryption are managed through our content delivery partner. Volume and field level encryption keys for at rest encryption are stored in a hardened Key Management System (KMS). Keys are rotated at varying frequencies, depending upon the sensitivity of the data they govern. In general, TLS certificates are renewed annually. Merken IT. is unable to use customer-supplied encryption keys at this time.
Data Backup & Disaster Recovery
System Reliability and Recovery
Merken IT. is committed to minimizing system downtime. All Merken IT. product services are built with redundancy. Server infrastructure is strategically distributed across multiple distinct availability zones and virtual private cloud networks within our infrastructure providers, and all web, application, and database components are deployed with a point in time recovery.
Backup Strategy
System Backups
Systems are backed up on a regular basis with established schedules and frequencies. Seven days’ worth of backups are kept for any database in a way that ensures restoration can occur easily.
Backups are monitored for successful execution, and alerts are generated in the event of any exceptions. Failure alerts are escalated, investigated, and resolved. Data is backed up daily to the local region. Monitoring and alerting is in place for replication failures and triaged accordingly.
Physical Backup Storage
Because we leverage public cloud services for hosting, backup, and recovery, Merken IT. does not implement physical infrastructure or physical storage media within its products. Merken IT. does not generally produce or use other kinds of hard copy media (e.g., paper, tape, etc.) as part of making our products available to our customers.
Backup Protections
By default, all backups are protected through access control restrictions and write once read many (WORM) protections on Merken IT. product infrastructure networks, and access control lists on the file systems storing the backup files.
Customer Data Backup Restoration
Merken IT. customers don’t have access to the product infrastructure in a way that would allow a customer-driven failover event. Disaster recovery and resiliency operations are managed by Merken IT. product engineering teams. In some cases, customers can use the recycle bin to directly recover and restore contacts, opportunities, custom fields, custom values, tags, notes, and tasks up to 30 days after they were deleted. Changes to web pages, blog posts, or emails can be restored to previous versions of content using version history. For customers who wish to additionally back up their data, the Merken IT. platform provides many ways of ensuring that you have what you need.
Many of the features within your Merken IT. portal contain export options, and the Merken IT. library of public APIs can be used to synchronize your data with other systems.