Level 1 PCI Compliant
Secure Data Centers
MINDBODY co-locates with secure, Tier 4 data centers in Irvine, California, and Las Vegas, Nevada. Each data center is monitored 24/7, 365 days a year by skilled and experienced IT professionals.
- SSAE Type II and Type III compliant
- Zone 4 earthquake-rated reinforced structure
- Monitoring system providing real-time data on equipment operation, enabling instant identification of problems
- Multiple paralleled N+1 UPS modules configured in redundant systems to allow for A/B power configuration
- Twenty megawatts of expandable N+1 power backup utilizing generators
- A Very Early Smoke Detection Alarm (VESDA) with pre-action dry pipe fire suppression systems
- Multiple fiber route entrances to structures
- Access control systems (biometric scans and Personal Identification Number (PIN) access) with separate locks for each MINDBODY server cabinet
MINDBODY’s networks are monitored to protect our perimeter against potential threats. Possible threats include hackers, data breaches, adware, spyware, pop-ups, browser exploits and phishing attempts.
- All secure servers are protected by layer 7 firewalls, best-of-class router technology, TLS encryption, file integrity monitoring and network intrusion detection that identifies malicious traffic and network attacks. Network security scanning helps us quickly identify out-of-compliance systems.
- All networks are monitored using a Security Incident Event Management (SIEM) system that gathers logs from all network systems and creates alert triggers based on correlated events.
- In addition to our own capabilities, and those of our hosting providers, we contract with on-demand Distributed Denial of Service (DDoS) scrubbing providers that allow us to mitigate DDoS attacks.
- Intrusion detection sensors throughout our internal network report events to the SIEM system for logging, alerts and reports.
Disaster Recovery (DR)
To ensure availability of our systems should we encounter a serious problem at our primary data center, we engineered a DR data center where we regularly run tests.
- The DR data center is located in a state other than MINDBODY headquarters with Internet access and power that would be unaffected if a catastrophic event were to strike California.
- We perform real-time file replication to disk at each data center, and near real-time data replication between the production data center and the disaster recovery center.
- Disaster recovery tests verify our projected recovery times and the integrity of customer data.
- Our design provides the ability to rapidly restore all MINDBODY services, should a catastrophic loss occur.
Vulnerability Analysis and Reporting
MINDBODY and its supporting data security infrastructure are frequently reviewed for potentially harmful vulnerabilities.
- All MINDBODY Security Analysts maintain a Certified Information Systems Security Professional (CISSP) certification.
- We use industry-recognized, third-party security specialists, enterprise-class security solutions, and custom in-house tools to regularly analyze the application and production infrastructure to ensure that all vulnerabilities are identified and swiftly mitigated.
- We employ a number of third-party, qualified security tools to provide both regular dynamic scanning of our application and continuous static analysis of our codebase.
- A third-party service provider continuously scans the network externally and alerts us of changes in our baseline configuration.
- View our most recent quarterly scan.
Secure Transmission and Sessions
We use Transport Layer Security (TLS), a form of data encryption, to ensure the privacy of all Internet communications.
- Individual user sessions are identified by a unique username at login
- Multiple layers of monitoring devices, including Web Application Firewall (WAF)
- Intrusion Prevention System capabilities
PCI-DSS & HIPAA Compliance
We take security seriously, which is why our existing network protocols exceed the highest level’s standards: PCI DSS, Tier 1. To maintain our PCI Level 1 certification, MINDBODY undergoes an annual audit. MINDBODY also performs an annual HIPAA risk assessment that is analyzed and approved by the HITRUST CSF Assurance Program.
We are dedicated to the six best security practices for the protection of electronic protected health information (ePHI) and credit card data, which include, but are not limited to:
- Maintaining a secure network
- Encrypting and protecting ePHI and cardholder data
- Maintaining a Vulnerability Management Program
- Implementing strong access control measures
- Monitoring and testing production and development networks
- Maintaining an information security program and policies
Learn more on how we validate our PCI compliance with VISA.
MINDBODY works to backup subscriber data in multiple ways to protect from any potential data loss or corruption. Each backup is stored on a secure and encrypted server.
- All client data is stored on a secure server or backup directory that requires access authentication.
- Each client’s information is stored on its own designated database which is backed up to protect against accidental or malicious data deletion or corruption.
- To protect against data loss, snapshots of all subscriber data are made at 15-minute intervals. Archival backups of all subscriber databases are also made daily and monthly, and are retained for 30 days and 13 months, respectively.
Incident and Breach Notification
Content regarding MINDBODY’s lines of defense is well documented and made available to our clients upon request.
- MINDBODY maintains runbooks with over 500 procedures on how to respond to system alerts and events, including security events.
- A Crisis Communications Plan is maintained companywide that includes instructions on how to notify customers, should a large-scale event occur.
- Any confirmed, unauthorized access resulting in compromised data launches an Incident Response Team that utilizes a defined and audited notification process.
- MINDBODY generates an ePHI and Credit Card Breach Report with all of the available facts regarding the scope of the breach in compliance with PCI-DSS and HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414.
View our security policy for more information.