How Safe Is the Hardware Where My Data Is Stored?
The MINDBODY network is protected behind two redundant, enterprise-level hardware firewalls. The web servers are then separated from the data servers by two additional redundant, industrial firewalls. This means that even if someone could get through the firewalls between the web servers and the internet, they would then need to get through the firewalls separating the web servers from the data servers. We put the data servers behind so much security because they contain sensitive data like your clients’ names, addresses, financial information, and encrypted credit card numbers.
Credit card numbers and passwords are all encrypted with 512-bit encryption keys. Every time a browser connects to a MINDBODY server, it does so using the safest way possible: over the Secure Sockets Layer (SSL). The entire network is also protected by enterprise-level anti-virus software. All files are watched with audit logs, meaning that any time a file on the production network is changed, the Director of IT and the rest of the server response team are alerted. The Director of IT also does not have access to the Development Environment, creating a system of checks and balances between IT and the Software Development Team.
How Redundant Are You?
You probably want to know what happens if, say, a web server crashes. All MINDBODY web servers and data servers are clustered. If one server fails, the others instantly take over its load. From your end, you won’t even notice what happened. Not only are our servers redundant, but our firewalls, routers, and power supplies all have a counterpart that will quickly take over should one piece fail. Our System Administrator’s mantra is, “there must be no single point of failure.”
What about Your Developers?
All software developers are cut off from accessing the live production environment. Once a developer finishes a piece of software, it moves from the development environment into the QA (Preview) environment. Once it passes QA, it’s tested with a penetration tool. Then our 100+ MINDBODY employees use nothing but the Preview Code for an entire week before we give it to you. The same MINDBODY software that you use to manage your business, we use to manage ours. This creates a fine-tuned system of checks and balances.
What about the Security of Your Primary Data Center?
Our co-location is the same one used by companies such as Apple, Surfline.com, and top US financial institutions. It’s been audited and approved by several PCI-approved payment security experts. If the power goes out, it’s equipped with redundant diesel generators that kick in immediately and are tested monthly. The data center is equipped with multiple internet connections from different vendors. Should one vendor lose connectivity to our co-location, another one picks up. No one is allowed inside without an auto-expire badge and an approved MINDBODY escort. Then the door to the actual room with your server can’t be opened without a bio-scan of our system administrator’s hand, which he keeps on him at all times. The floors are cooled and raised to keep your servers at an ideal temperature. CCTV cameras monitor every square inch. The servers themselves are locked into steel cabinets. It looks like something out of a James Bond flick.
Network Penetration Testing:
We run a daily scan on our system using an enterprise external scanning tool. It attacks our test environment like an outside hacker would.
We run a monthly internal scan using a heavy-duty penetration application, which logs into a test site and attacks it with HTTP sniffing, excessive form submissions, excessive JavaScript and AJAX executions, massive HTTP requests, manipulation of HTTP headers, SQL injections, and cross-site scripting. We also hire a PCI-approved, white hat hacker to try to break into our network once a year. They have never been able to do it.

