Security & Privacy
We take seriously our responsibility to help protect your data and environments, which starts with protecting our own.
Governance
Building Security is one thing — providing it is another.
Mission's security and compliance posture is governed by a custom Mission Information Security Management System (ISMS). This ISMS is developed by looking at external compliance regimes (SOC2, ISO, etc.), best practices from organizations like SANS and AWS, and internal Mission requirements.
Mission systems and personnel are expected to abide by the requirements in the ISMS and its sub-policies and procedures. This activity is then mapped to external compliance regimes to provide evidence for our auditors. Mission currently audits against SOC2 and ISO27001 on an annual basis. In addition to these regimes, we are able to map our ISMS to many other regimes or requirements at customer request.
Access to your AWS Environment
Many Mission products and services require that customers provide some form of access to customer-controlled AWS accounts to Mission personnel. This access is protected using native AWS security tools like Identity and Access Management (IAM).
Any access to customer infrastructure starts with the Mission resource authenticating to Mission’s IAM tooling (currently Okta), which requires Multi-Factor Authentication (MFA). Following a least privilege model, only roles that require customer access are allowed to authenticate, and all authentications on the Mission side are logged and audited.
Once authentication is complete, the Mission resources may access the customer environment in a variety of ways.
AWS Portal
Mission may interact directly with the AWS portal in the customer account to make manual changes or gather information.
AWS API
Mission may use internal tools and open source tooling like Terraform to interact with the customer’s account through the AWS APIs.
AWS Infrastructure
Mission may use AWS Systems Manager (SSM) to interact with customer AWS infrastructure such as EC2 instances.
Data Protection
Mission differs from many of your SaaS partners in that our job is to help manage your AWS environment. Your data will stay in your AWS accounts with full access to your team and under your control. Mission does not collect, process or store any data that you have in your AWS account.
Mission does collect data about the team we will interface with — primarily contact information like names, emails and phone numbers. We also collect data that we need for billing — this includes the usage generated in your AWS environment. Data that Mission collects is protected both in transit (using common protections like TLS) and at rest using standard AWS encryption techniques.
Enterprise Security
Mission is capable of assisting customers with a wide range of security needs. You can visit our Mission Cloud One product page for more information. This section details Mission’s approach to security for our internal systems.
Identity & Access Management
Security Education
Endpoint Protection
Report A Security Problem
Mission believes that working with skilled security researchers can identify weaknesses in any technology. If you believe you’ve found a security vulnerability in Vanta’s service, please notify us; we will work with you to resolve the issue promptly.
Disclosure Policy
If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@missioncloud.com. We will acknowledge your email within one week.
Please provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.
Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Mission services. Please only interact with accounts you own or for which you have explicit permission from the account holder.
Mission does not currently offer a formal bounty program. Reports demanding bounties before disclosure will be ignored.
Exclusions
Mission is providing this service to help ensure a safe and secure environment for all of its users. As such, any users believed to be engaging in the below activities will have their user credentials immediately deactivated.
While researching, we’d like you to refrain from:
- Denial-of-Service (DoS)
- Spamming
- Social engineering or phishing of Mission’s employees, customers, or contractors
This policy applies to the Mission Cloud Application hosted at control.missioncloud.com and to any other subdomains or services associated with the Mission CloudApp.
Thank you for helping to keep Mission and our customers safe!
Have any feedback, questions, or suggestions?
Mission is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us.