Access management, encryption & endpoint security

Access management

• Mode adheres to the principles of least privilege and role-based permissions when provisioning access; workers are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities.
• Mode employs multi-factor authentication for access to internal systems. VPN and SSH is required for accessing the production environment.
• Mode requires personnel to use an approved password manager.

Encryption

• Mode encrypts data using industry standard protocols
• Data in transit is encrypted using TLS 1.2 or higher
• Data at rest is encrypted using AES-256.
• Key management is in place for encryption keys for production services

Endpoint security

• All workstations issued to Mode personnel are configured by Mode to comply with our standards for security.
• These standards require all workstations to be properly configured, updated, and tracked and monitored by Mode’s endpoint management solutions.
• Mode’s default configuration sets up workstations to encrypt data at rest, have strong passwords, and lock when idle.
• Workstations run up-to-date monitoring software to report potential malware.

Network security & system monitoring

Network security and server hardening

• Mode segments its systems into separate networks with modern, restrictive firewalls between networks to better protect sensitive data.
• Testing and development systems are hosted in a separate network from production infrastructure systems.
• All servers within our production fleet are hardened according to industry standard CIS benchmarks.
• Network access to Mode’s production environment from open, public networks is restricted, with only the load balancers accessible from the Internet.
• Mode logs, monitors, and audits all system calls, and has alerting in place for calls that indicate a potential intrusion or exfiltration attempt.

System monitoring, logging, and alerting

• Mode monitors infrastructure of servers and workstations to gain a comprehensive view of the security state.
• Administrative access, use of privileged commands, and system calls on all servers in Mode’s production network are logged and monitored.
• Analysis of logs is automated to detect potential issues and alert responsible personnel.

Penetration testing & vulnerability disclosure

Penetration testing

• In addition to our compliance audits, Mode engages independent entities to conduct application-level and infrastructure-level penetration tests at least twice per year.
• Results of these tests are prioritized, and remediated in a timely manner, and shared with senior management.
• Customers may receive executive summaries of these activities by requesting them from their success team representative.

Research & disclosure

• Mode is committed to working with security experts across the world to stay up to date with the latest security techniques.
• To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs. If you believe you have discovered a problem or have any questions, please contact us at security@modeanalytics.com.

Disaster recovery & incident response

Disaster recovery and business continuity plan

• Mode utilizes services deployed by its hosting provider to distribute production operations across separate availability zones. These distributed zones protect Mode’s service from loss of connectivity, power infrastructure, and other common location-specific failures.
• Mode performs daily backups and replication for its core databases across these zones and supports restore capability to protect the availability of Mode’s service in the event of a site disaster affecting any of these locations.
• Full backups are saved at least once per day and transactions are saved continuously.
• Mode tests backup and restore capabilities annually to ensure successful disaster recovery.

Responding to security incidents

• Mode has established policies and procedures for responding to potential security incidents.
• All security incidents are managed by Mode’s dedicated Incident Response Team. The policies define the types of events that must be managed via the incident response process and classifies them based on severity.
• In the event of an incident, affected customers will be informed via email from our customer success team. Incident response procedures are tested and updated at least annually.

Data privacy

Mode’s data privacy controls are designed to honor our obligations around how we collect, process, use and share personal data, as well as our processes to support data retention and disclosure in compliance with legitimate business purposes.

Data sharing and processing

• Mode follows GDPR and CCPA guidelines to ensure data protection obligations to our customers. This includes only collecting, processing, and storing customer data in compliance with these obligations and providing you the right to access or delete it at any time.
• Mode provides controls for deleting customer data when it is no longer needed for a legitimate business purpose, and also provides users the option to opt-out of tracking cookies on our website.
• Mode also requires our data processing vendors to certify the use of customer data for no other purposes than the provision of services.

Data disposal

• As a customer, you can request data deletion at any time during the subscription period. After a period of inactivity, the data is removed by default.
• Mode’s hosting providers maintain industry standard security practices for ensuring removal of data from storage media.

Vendor management

• Mode has established agreements that require subprocessors to adhere to confidentiality commitments and take appropriate steps to ensure our security posture is maintained.
• Mode monitors these sub-processing vendors by conducting reviews of their controls before use and at least annually.