Communication

• All connections to Mode are encrypted by default, in both directions using modern ciphers and cryptographic systems. We maintain an A+ from Qualys/SSL Labs.

• Any attempt to connect over HTTP is redirected to HTTPS.

• We use HSTS to ensure browsers interact with Mode only over HTTPS.

Application, Network, Servers, and Data

• Web development follows industry-standard secure coding guidelines, such as those recommended by OWASP.

• Mode uses standard, well-reviewed cryptographic protocols and message formats when transferring and storing data.

• Mode regularly installs security updates and patches on its servers.

• Security settings of applications are tuned to ensure appropriate levels of protection.

• Networks are strictly segregated according to security level. Modern, restrictive firewalls protect all connections between networks.

Physical

Mode's servers are hosted in Amazon Web Services. Physical and environmental security is handled entirely by Amazon and their vendors. Amazon provides as extensive list of compliance and regulatory assurances, including SOC 1, 2, and 3, and ISO27001. See Amazon compliance and security docs for more detailed information.

Your Organization Permissions

• Only members of your organization have access to your data.

• Members can use Single Sign-On.

• Organization administrators can remove access for users at any time.

Mode Company Policies

• Mode mandates that employees act in accordance with security policies designed to keep customer data safe.

• Mode requires sensitive data to be encrypted using industry-standard methods when stored on disk or transmitted over public networks.

• Mode controls access to sensitive data, application data, and cryptographic keys.

• Two-factor authentication and strong password controls are required for administrative access to systems.

• Access to secure services and data is strictly logged, and audit logs are reviewed regularly.

• Security policies and procedures are carefully documented and reviewed on a regular basis.

Compliance & Privacy

• Service Organization Controls (SOC2) (Type II) Trust Principles

• Privacy Shield

• Health Insurance Portability and Accountability Act (HIPAA)

• Mode's Privacy Policy may be found at https://mode.com/privacy.

Research & Disclosure

Mode Analytics is committed to working with security experts across the world to stay up to date with the latest security techniques. If you believe you have found a security vulnerability on Mode, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.

To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs. If you believe you have discovered a problem or have any questions, please contact us at security@modeanalytics.com.