Mixpanel Security Questionnaire
How does Mixpanel collect data and produce its reports?
When customers implement their integration with Mixpanel, they have full control over what data is tracked and sent to Mixpanel. Data is pushed from the customer’s endpoints, based on what the customer allows to be collected, to Mixpanel’s proprietary database. Customers can then visit www.mixpanel.com to initiate processing of the data and generate reports to view in our user interface.
Data Center Features
Where are Mixpanel’s data centers?
Mixpanel persistently stores customer data in the United States with a third party, on the Google Cloud Platform.
What security features does Mixpanel’s data center provide?
The Google Cloud Platform data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are available in case an incident occurs. Access to Google’s data center floor is only possible via a security corridor which implements multi-factor access control using security badges and biometrics. Only approved employees with specific roles may enter. Additionally, Google data center physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data center floor features laser beam intrusion detection. Google meticulously tracks the location and status of all equipment within their data centers from acquisition to installation to retirement to destruction, via bar codes and asset tags. Metal detectors and video surveillance are implemented to help make sure no equipment leaves the data center floor without authorization. If a component fails to pass a performance test at any point during its lifecycle, it is removed from inventory and retired. Google hard drives leverage technologies like FDE (full disk encryption) and drive locking to protect data at rest. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed.
Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility. Each data center adheres to a strict disposal policy and any variances are immediately addressed.
Data Retention and Deletion
How is customer data backed up?
All client data is fully backed up on a daily basis to secondary data centers.
Can Mixpanel delete customer data?
Currently, customer data can be deleted with a written request to Mixpanel. In connection with our GDPR compliance efforts, we will be updating our data deletion abilities.
Does Mixpanel have the ability to sanitize computing resources of client data if a customer leaves Mixpanel?
Google is our production hosting provider. Google hard drives leverage technologies like FDE (full disk encryption) and drive locking to protect data at rest. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility. Each data center adheres to a strict disposal policy and any variances are immediately addressed.
Does Mixpanel keep customer information after termination?
Mixpanel allows customers to export their raw data at any time in the industry-standard JSON format. Details on how to perform this operation are at: https://mixpanel.com/help/reference/exporting-raw-data. Additionally, customer data can be deleted upon request at termination, or it will be deleted in accordance with Mixpanel’s internal data retention policies.
Data Security and Management
Does Mixpanel keep one customer’s data separate from other customer data?
All customer data is tagged with a project-specific token, and a customer must have access to the corresponding API key and secret in order to retrieve that data via the API (access to the web UI is controlled via username and password). This provides logical separation between data belonging to multiple clients. Mixpanel is the sole tenant on our infrastructure. A customer’s data may reside on database systems which house data belonging to other customers, but our logical controls (token, key and secret) separate one client’s data from another client’s data.
Does Mixpanel support single sign-on and multi-factor authentication?
Our product supports single sign-on and provides authentication options through supported identity providers. We also support multi-factor authentication outside of single sign-on. Details on how to enable single sign-on are located at: https://mixpanel.com/help/questions/articles/single-sign-on-okta-setup.
Encryption and Password Management
Does Mixpanel encrypt customer data?
When a user visits a website or application with Mixpanel instrumented, the details of their interactions are captured and sent to Mixpanel through API calls over HTTPS or HTTP, depending on how the instrumentation is configured by the customer. All of our other APIs and websites use HTTPS exclusively. All data transferred over HTTPS is encrypted. Mixpanel uses NIST Suite B compliant cipher suites to secure data in transit and at rest. The Google Cloud Platform encrypts customer data stored at rest by default. Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK). For more information, please see https://cloud.google.com/security/#dataencryption.
What are Mixpanel’s key management procedures?
Our policies require that unique keys be used for each use case, and that keys not be reused for unrelated purposes. Keys for encryption of customer data at rest are managed by our cloud provider, Google. You can find additional information about Google’s key management procedures here: https://cloud.google.com/kms/. We use public/private keys to secure access to code repositories. Keys used by staff are generated by Mixpanel employees on an individual basis and stored on local machines (full-disk encryption is enforced). Access to the repositories can be provisioned or revoked by senior engineering staff.
Are customer passwords encrypted?
Customer passwords are hashed using the PBKDF2 algorithm with a SHA-256 hash, a password stretching mechanism recommended by NIST.
What are Mixpanel’s corporate password requirements?
We use Okta as our single sign-on platform. This application controls our access to the various applications that Mixpanel uses. Okta requires multi-factor authentication to gain access to the system. With regard to the password policy specifically, the settings are as follows: (a) passwords must be a minimum of 8 characters; (b) they must contain some lower-case letters, and they cannot contain part of the username; and (c) users are locked out after 10 failed login attempts.
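The encryption-at-rest answer above describes envelope encryption: per-chunk data encryption keys (DEKs) stored next to the data, each wrapped by a key encryption key (KEK). The following is an added illustration, not Mixpanel's or Google's code, of why that layout is safe and why KEK rotation is cheap. The authenticated cipher inside it is a stand-in built from HMAC-SHA256 so that the example runs on the Python standard library alone; a real system would use AES-GCM, and the chunk size is a constructed value.

```python
import hashlib
import hmac
import os

# Added example (not Mixpanel's or Google's code): envelope encryption as described
# in the questionnaire. Data is split into chunks, each chunk is encrypted with its
# own DEK, and every DEK is stored beside its chunk in wrapped form only; the KEK
# is the single secret that must stay inside the key-management boundary.

# Toy authenticated cipher: HMAC-SHA256 counter-mode keystream plus an HMAC tag.
# It exists only so the example runs on the standard library; it stands in for
# AES-GCM and is not a recommendation.
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys so the two roles never share a key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject wrong key or tampering."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


CHUNK_SIZE = 64  # constructed for the demo; real storage systems use far larger chunks


def store(kek: bytes, data: bytes) -> list:
    """Chunk the data; each chunk gets a fresh random DEK, which is wrapped by the KEK."""
    records = []
    for offset in range(0, len(data), CHUNK_SIZE):
        dek = os.urandom(32)
        records.append({
            "chunk": offset // CHUNK_SIZE,
            "ciphertext": seal(dek, data[offset:offset + CHUNK_SIZE]),
            "wrapped_dek": seal(kek, dek),  # stored near the data, but never in the clear
        })
    return records


def retrieve(kek: bytes, records: list) -> bytes:
    """Unwrap each DEK with the KEK, then decrypt its chunk."""
    return b"".join(unseal(unseal(kek, r["wrapped_dek"]), r["ciphertext"]) for r in records)


def rotate_kek(old_kek: bytes, new_kek: bytes, records: list) -> list:
    """KEK rotation rewraps only the small DEKs; the bulk chunk ciphertext is untouched."""
    return [dict(r, wrapped_dek=seal(new_kek, unseal(old_kek, r["wrapped_dek"])))
            for r in records]


if __name__ == "__main__":
    kek = os.urandom(32)
    payload = b"constructed sample event payload " * 5
    records = store(kek, payload)
    print(len(records), "chunks; round trip", retrieve(kek, records) == payload)
```

A storage node that holds the records alone learns nothing: without the KEK the wrapped DEKs are opaque, and a modified chunk or a retired KEK fails the tag check instead of yielding garbage.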
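The password answers above name two controls: PBKDF2 with SHA-256 for stored customer passwords, and the corporate rules of at least 8 characters, some lower-case letters, nothing taken from the username, and lock-out after 10 failed attempts. The block below is an added example, not Mixpanel's code, showing both in working form with the Python standard library. The iteration count is a constructed choice, and "part of the username" is interpreted here, as an assumption, as any alphanumeric token of the username that is three or more characters long.

```python
import hashlib
import hmac
import os
import re

# Added example (not Mixpanel's code): PBKDF2-HMAC-SHA256 password storage with
# constant-time verification, plus the stated policy rules and lock-out threshold.

DEFAULT_ITERATIONS = 600_000  # constructed choice; tune to your hardware and review periodically
MIN_LENGTH = 8                # rule (a)
MAX_FAILED_ATTEMPTS = 10      # rule (c)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)  # a fresh per-password salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def policy_violations(password: str, username: str) -> list:
    """Empty list means the password satisfies rules (a) and (b)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("contains no lower-case letters")
    # Assumption: "part of the username" means any alphanumeric token of the
    # username with three or more characters, e.g. "jane" in jane.doe@example.com
    tokens = [t for t in re.split(r"[^a-z0-9]+", username.lower()) if len(t) >= 3]
    if any(t in password.lower() for t in tokens):
        problems.append("contains part of the username")
    return problems


class Account:
    """Tracks failed logins and refuses further attempts once the threshold is reached."""

    def __init__(self, username: str, password: str, iterations: int = DEFAULT_ITERATIONS):
        violations = policy_violations(password, username)
        if violations:
            raise ValueError("password rejected: " + "; ".join(violations))
        self.username = username
        self.record = hash_password(password, iterations)
        self.failed_attempts = 0

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= MAX_FAILED_ATTEMPTS

    def login(self, password: str) -> str:
        """Returns 'locked', 'ok' or 'bad_password'; lock-out is checked before hashing."""
        if self.locked:
            return "locked"
        if verify_password(password, self.record):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        return "bad_password"


if __name__ == "__main__":
    acct = Account("jane.doe@example.com", "correct-horse-battery")
    print(acct.login("wrong"), acct.login("correct-horse-battery"))
```

The stored record carries its own algorithm, iteration count and salt, so the iteration count can be raised later and old records re-hashed on the next successful login without a schema change.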
Does Mixpanel run background checks on its employees?
We run background checks on all incoming employees, and on contractors who will be working in any Mixpanel office, before they start at the Company. Additionally, all employees sign confidentiality agreements to protect customer information.
Does Mixpanel subcontract any of its services?
Mixpanel uses third-party vendors to provide the services, namely the Google Cloud Platform to persistently store customer data. Mixpanel additionally uses vendors to monitor the performance of the Application Services, after they have been vetted and have signed the appropriate contractual protections to handle customer data. In connection with our GDPR compliance, we can disclose additional information.
How does Mixpanel select its subcontractors?
Mixpanel has a vendor assessment policy that includes security team review of the vendor use case, their security posture, and their ability to access personal information. The legal team additionally requires privacy and security provisions in the contract where necessary to protect customer information.
Does Mixpanel process personal information?
Mixpanel’s customers can customize and decide what information to send into our database, with certain restrictions as governed in our agreement with a customer. This may include personal information, but whether personal information is sent is ultimately determined by the customer and their decisions on what data to send to Mixpanel to process. Note that Mixpanel does restrict certain types of highly regulated information, listed in its contracts with customers, from being sent to our APIs.
Is Mixpanel a data controller or processor?
When customers send data to the Mixpanel platform, Mixpanel is the data processor, as defined in the GDPR, for purposes of the services provided; the Customer is the data controller.
Does Mixpanel comply with GDPR?
Mixpanel is committed to complying with, and enabling our customers to comply with, the GDPR by May 2018.
Does Mixpanel have security certifications?
Mixpanel has passed security evaluations for multiple security-conscious enterprises, including those in highly regulated industries such as finance and healthcare. Mixpanel stores customer data with our hosting provider, Google, who has annual audits for the following standards:
SSAE16 / ISAE 3402 Type II: SOC 1; SOC 2; SOC 3 public audit report
ISO 27001, one of the most widely recognized, internationally accepted independent security standards
ISO 27017, Cloud Security: an international standard of practice for information security controls based on ISO/IEC 27002, specifically for cloud services
ISO 27018, Cloud Privacy: an international standard of practice for protection of personally identifiable information in public cloud services
PCI DSS v3.1
Does Mixpanel conduct regular internal and external audits?
We undergo an annual third-party penetration test and source code audit of our production services. We complement these assessments by performing regular, automated vulnerability scans of our external and internal networks. Further, security review is an integral part of our development lifecycle, incorporated into our design, implementation, and test processes.
Threat and Vulnerability Management
How does Mixpanel approach patching of software?
We have automated systems to inventory installed software and software versions on both corporate and production systems. These systems also ingest feeds of vulnerability information from public sources, and use them to identify unpatched systems and services. All high-risk vulnerabilities are addressed within 90 days of discovery. Most medium-risk vulnerabilities are addressed within 180 days of discovery.
Does Mixpanel have anti-malware programs installed?
Our corporate endpoints run anti-virus/anti-malware software, which is kept up to date and monitored to ensure that it is operational. Our production servers run Ubuntu Linux, where we achieve security by making our production systems immutable and frequently recycling them. This prevents malware from gaining a persistent foothold, and ensures that there is a minimal window in which malware could stay memory-resident. In our view, this approach is more robust than relying on a detective approach to preventing malware compromise.
How does account management work on Mixpanel?
The Mixpanel product features 3 security levels: Owner, Admin and Analyst.
Owner: The owner (one per project) has full access to the project.
Admin: Admins have full reporting access and can manage team member roles in the project.
Analyst: Analysts have the ability to view all reports in Mixpanel, but cannot create any external marketing communications or manage team member roles.
Authorized Mixpanel employees, such as our support staff, have access to customer projects for the purposes of supporting and operating the service. Employees are trained on appropriate access, and access is monitored for inappropriate use.
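The patching answer above describes joining a software inventory against public vulnerability feeds and remediating high-risk findings within 90 days and medium-risk findings within 180 days. The block below is an added example of that join and SLA check, not Mixpanel's tooling. The inventory, the feed entries and the vulnerability identifiers are all constructed placeholders, and version comparison is simplified to dotted numeric versions.

```python
from datetime import date, timedelta

# Added example (not Mixpanel's tooling): match an installed-software inventory
# against a vulnerability feed, then apply the remediation windows stated above.
# All data below is constructed; the VULN-PLACEHOLDER ids are not real advisories.

SLA_DAYS = {"high": 90, "medium": 180}  # windows stated in the questionnaire; others have none


def parse_version(version: str) -> tuple:
    """Dotted numeric versions only ("1.2.10"); a real tool would use the package
    manager's own comparison rules (epochs, release suffixes, backported fixes)."""
    return tuple(int(part) for part in version.split("."))


def find_unpatched(inventory: list, feed: list, today: date) -> list:
    """One finding per (host, package, vulnerability) whose installed version is below the fix."""
    findings = []
    for vuln in feed:
        fixed = parse_version(vuln["fixed_version"])
        sla = SLA_DAYS.get(vuln["severity"])
        deadline = vuln["discovered"] + timedelta(days=sla) if sla else None
        for item in inventory:
            if item["package"] != vuln["package"] or parse_version(item["version"]) >= fixed:
                continue
            findings.append({
                "host": item["host"],
                "package": item["package"],
                "installed": item["version"],
                "fixed_version": vuln["fixed_version"],
                "vulnerability": vuln["id"],
                "severity": vuln["severity"],
                "deadline": deadline,
                "overdue": deadline is not None and today > deadline,
            })
    return findings


# Constructed sample inventory (what an agent would report) and feed (what a public
# vulnerability source would publish).
INVENTORY = [
    {"host": "web-01", "package": "openssl", "version": "1.1.1"},
    {"host": "web-02", "package": "openssl", "version": "1.1.2"},
    {"host": "db-01", "package": "libxml2", "version": "2.9.10"},
    {"host": "laptop-07", "package": "libxml2", "version": "2.9.14"},
]
FEED = [
    {"id": "VULN-PLACEHOLDER-1", "package": "openssl", "fixed_version": "1.1.2",
     "severity": "high", "discovered": date(2018, 1, 1)},
    {"id": "VULN-PLACEHOLDER-2", "package": "libxml2", "fixed_version": "2.9.12",
     "severity": "medium", "discovered": date(2018, 3, 1)},
    {"id": "VULN-PLACEHOLDER-3", "package": "libxml2", "fixed_version": "2.9.15",
     "severity": "low", "discovered": date(2018, 3, 1)},
]


if __name__ == "__main__":
    for f in find_unpatched(INVENTORY, FEED, today=date(2018, 5, 1)):
        status = "OVERDUE" if f["overdue"] else f"due {f['deadline']}"
        print(f["host"], f["package"], f["installed"], f["vulnerability"], f["severity"], status)
```

Run on the constructed data as of 2018-05-01, the high-risk openssl finding on web-01 is past its 90-day deadline, the medium-risk libxml2 finding on db-01 is still inside its 180-day window, and the low-risk findings carry no deadline because the stated policy defines none for them.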