
How Mindbody Keeps Your Data Secure—and What You Should Ask Your Software Provider About Cybersecurity

By Jason Loomis

Do you know how secure your business’s data is? If you can’t answer that with 100% certainty, this is what Mindbody can do to help.

No business can take cybersecurity for granted. It’s a necessity that grows more complicated every day and becomes increasingly tied to the success of your business.

A quick look back 

According to the FBI’s most recent Internet Crime Report, the 467,361 complaints it received in 2019 resulted in over $3.5 billion worth of damage to businesses. Layer on the SolarWinds attack and the 100% year-over-year increase in ransomware attacks in 2020, and it’s safe to say the last few years alone are reason enough to pay closer attention to cybersecurity.

2021 and “supply chain” security 

2021 is shaping up to be the year of supply chain security. We’ve already seen supply chain compromises, third-party hacks, and breaches at large companies like Microsoft, Internet of Things companies like Verkada, and even other health and wellness software providers. With breaches like that, it’s a good time to ask, “How secure are your vendors and SaaS providers?”

How Mindbody keeps your data secure 

Keeping your data secure, confidential, and readily accessible are our greatest priorities. Our industry-leading cybersecurity program is based on the concept of Defense in Depth: securing our organization and your data at every layer.

Our commitment to your business includes spending more than $4 million per year securing your data. We have 15+ dedicated cybersecurity team members with over 120 combined years of security experience, as well as 18 different layers of security encryptions overseeing our every effort. While no system can guard against every potential threat, Mindbody's defensive line is advanced and monitored 24/7, 365 days a year by those 15+ skilled, highly trained professionals.

Almost every company has three priorities: revenue generation, cost saving, and risk reduction. In my experience with startups, cybersecurity is predominantly a “risk reduction” activity. The model for startups, especially in the SaaS space, is to achieve low-cost, high-growth objectives. They do this by focusing on revenue generation and cost savings, not risk mitigation.

However, at Mindbody, we put security and risk mitigation at our core (it’s one of the reasons I was attracted to join the team here). It's a requirement, supported fervently by our board and at the executive level.

Mindbody certifications support this commitment 

  • PCI DSS Level 1 Service Provider Certified: the most thorough and stringent security standard in the payment card industry. Mindbody provides payment offerings that secure consumer data, reduce fraud, and provide secure online services.
  • HITRUST CSF Certified: 75% of Fortune 20 companies are HITRUST certified. HITRUST is the most widely adopted security framework in the U.S. healthcare industry.
  • SOC 1 Type 2 Certified: giving our customers the assurance that the controls of our financial and reporting systems are designed and operating correctly.

The truth is, cybersecurity is hard no matter what your size. We know this at Mindbody. And we know what it's like, as a small SaaS provider, to not prioritize security. In 2018, we purchased FitMetrix, a SaaS startup. Months later, a data exposure was discovered that leaked FitMetrix customer data. We've been through acquisitions since then, and I ensure that my teams jump in on day one to bring the acquired company up to our cybersecurity standards.

Questions to ask your SaaS provider

Ultimately, data breaches can result in significant financial and reputational loss for your company. To minimize that risk, you need to understand your third-party supply chain risk.

Here are some simple questions you can ask your vendor or SaaS provider to help vet their cybersecurity readiness:

  • Do they have a dedicated chief information security officer or equivalent role? If a third party deploys dedicated resources to manage risks and safeguard its critical information, it shows they approach their security with the utmost seriousness.
  • Do they have industry certifications? Are those certifications theirs or THEIR vendors’ (like Stripe)? While industry certification may not necessarily indicate the effectiveness of third-party security controls, it does provide additional assurance about the vendor's commitment to protecting their systems and customers' information. Have them share their proof of certification. Our industry certification outlines our dedication to keeping your data secure.
  • Do they have comprehensive security policies? Can they share them? A good cybersecurity program starts with good policies. Think of it as a "say/do" check: if you're not documenting what you need to do for security, the chances of you actually doing it are not great. Our policies are publicly available.
  • Do they have a mature incident response plan? Regulations regarding data protection and privacy have become stringent, and organizations are obligated to disclose material breaches within a specified timeframe. The responsibility of the disclosure is with the data owners and custodians, so your organization would need to work closely with an affected vendor to meet those timelines to avoid potential non-compliance or penalties. We have extensive plans; those plans are practiced and improved continually.
  • Do they have a mature cyber risk management program? It's crucial to ascertain the effectiveness of their security controls. This can be done by reviewing independent security audit reports (PCI, HITRUST) to assess the vendor's vulnerability management, secure software development processes, and threat management programs, such as cyber intelligence. Organizations can also internally report on cyber risk. We do. We have a dedicated IT risk team that continuously measures and reports on the effectiveness of our cybersecurity program.

Cybercrime is lucrative and target-rich for criminals around the world. Since nothing succeeds like success, don't expect cybercriminals to abandon their attacks any time soon. Partnering with companies that take cybersecurity seriously is your best way to mitigate the risk of a third-party breach.

For more information, download our Cybersecurity whitepaper.

Visit our enterprise management page and schedule a call with a Mindbody expert to see how we can partner with you to grow your business—and provide you with the highest level of data security.

About the author:


Jason Loomis

Vice President, Cybersecurity & CISO

Jason Loomis, Mindbody Chief Information Security Officer, oversees the Mindbody enterprise-wide information security program, leading a globally dispersed team. He manages all enterprise data protection, including information security policy and strategy, digital forensics, incident response, cyber threat intelligence, application security, third-party risk management, client audit and go-to-market support, vulnerability management, regulatory and compulsory compliance, controls assurance, crisis management, merger and acquisition risk assessments, and post-M&A integration.
