Date last modified: February 26, 2014

Security Policy

This Security Policy is part of the General Terms of Service (“TOS”), a Legally Binding Agreement

PRELIMINARY MATTERS

Ensuring Customer Data is secure and readily available is a high priority at MINDBODY.  We maintain our Digital Properties and all associated data with technical, administrative and physical safeguards to protect against loss, unauthorized access, destruction, misuse, modification and improper disclosure.  When you enter sensitive information (such as a credit card number) in our Digital Properties, we encrypt the transmission of that information using industry-standard encryption methods.  No computer system or information can, however, ever be fully protected against every possible hazard.  MINDBODY is committed to providing reasonable and appropriate security controls to protect our Services, Associated Websites, and information against foreseeable hazards.  If you have any questions about MINDBODY security, you can contact us at privacy@mindbodyonline.com.

BACKGROUND

  1. This Security Policy should be read in conjunction with the TOS (Attached), the Privacy Policy and all applicable Addenda (Attached) because these documents constitute the Contract entered into between YOU and US.
  2. This Security Policy contains defined terms, which are defined in Article 1 of the TOS or elsewhere in the TOS.  Please refer to these defined terms in reviewing this Security Policy.
  3. By accessing, viewing or using all or any part of OUR Digital Properties, for example by downloading any materials or by completing any registration process via the Associated Websites, YOU are accepting the terms and conditions of this Security Policy and the entire Contract.
  4. If you are agreeing to this Security Policy and Contract on behalf of a corporation or other legal entity, you represent that you have the authority to bind such entity and its affiliates to the Contract.  If you do not have such authority you must not enter into this Contract and may not use any of OUR Services or content.
  5. MINDBODY supports customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA).  Under HIPAA, certain information about a person’s health or health care services is classified as Protected Health Information (PHI).  YOU must enter into a Business Associate Contract with MINDBODY if YOU are subject to HIPAA and wish to use OUR Services with PHI.  YOU are solely responsible for determining whether YOU are subject to HIPAA requirements.  If YOU have not entered into a Business Associate Contract with MINDBODY, YOU must not use any of OUR Digital Properties in connection with PHI.
  6. If YOU do not agree with this Security Policy or any portion of the Contract, YOU have not accepted the Contract and YOU may not use any of OUR Digital Properties or content.

AGREEMENT

Having considered the above Preliminary Matters and mutual agreements below, the PARTIES hereby agree as follows:

  1. Cardholder Data Recommended Practices

    1. 1.1 Cardholder Data Recommended Practices.  At a minimum, SUBSCRIBER should implement the practices set forth below:
      1. SUBSCRIBER should do the following:
        1. Maintain updated anti-virus software on all workstations engaged in credit card processing and remove any programs that the anti-virus software flags as potentially malicious.
        2. Restrict permission to install software on those computers to SUBSCRIBER’s business owner and/or trusted senior staff.
        3. Maintain up-to-date versions of operating systems (e.g., Microsoft Windows or Macintosh OS) and web browsers (e.g., Internet Explorer, Safari or Firefox), with all security updates and patches installed.
        4. Ensure that every individual that logs into the Services has a unique username and password that is known only by that individual.
        5. Only store credit card account numbers in encrypted credit card fields designed for that purpose.
        6. Destroy any hard copy documents that have Cardholder Data written on them.
      2. SUBSCRIBER should not do the following:
        1. Share the SUBSCRIBER’s account or password;
        2. Record Cardholder Data in notes, contact logs, or other unencrypted text fields within the Digital Properties;
        3. Record Cardholder Data in any locally installed software program, unless that program and SUBSCRIBER's computer network meet all PCI requirements; or
        4. Email End User’s credit card numbers, ask End Users to email credit card numbers to SUBSCRIBER, or record credit card track data.
  2. Data Security

    1. 2.1 Location and Backup.  All Subscriber Data is located on secure servers, or in backup directories, that require authentication for access.
    2. 2.2 Firewalls.  All secure servers are protected by multiple, redundant firewalls and by intrusion detection and prevention systems that are regularly monitored and tested (details of the firewall configuration are not shared publicly, for security reasons).
    3. 2.3 SSL/TLS Encryption.  Transport-layer encryption (SSL/TLS with 256-bit cipher suites) is employed to protect all data in transit across the Internet.
    4. 2.4 Vulnerability Scanning.  A PCI Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) delivers vulnerability scanning and actionable reporting that enables the MINDBODY Network Operations Center to rank risks quickly and to gauge compliance against the PCI DSS.  Daily external vulnerability assessments of the MINDBODY network perimeter help protect MINDBODY and OUR customers from hackers, data breaches, adware, spyware, pop-ups, browser exploits, and phishing attempts.
    5. 2.5 PCI DSS.  MINDBODY complies with the PCI DSS as a Level 1 service provider and has maintained its Level 1 service provider designation since 2007.  WE are dedicated to the six (6) PCI DSS control objectives for credit card protection, which are:
        1. Maintaining a secure network;
        2. Protecting the Cardholder Data;
        3. Maintaining a Vulnerability Management Program;
        4. Implementing strong access control measures;
        5. Monitoring and testing production and development networks; and
        6. Maintaining an Information Security Program and policies.
    6. 2.6 WE Recommend YOU Adopt the PCI DSS.  Any merchant who accepts Visa, MasterCard, American Express, or Discover credit cards for payment is subject to the Payment Card Industry Data Security Standard (PCI DSS), which sets out the responsibilities of merchants that process credit cards for the protection of Cardholder Data.  WE strongly recommend YOU follow the requirements of the PCI DSS when handling Cardholder Data.  Please refer to the PCI Security Standards Council website for the complete standard and all rules that may apply: https://www.pcisecuritystandards.org/.
    7. 2.7 Responsibility for Cardholder Data.  If SUBSCRIBER uses the optional Integrated Merchant Account service to process payments, MINDBODY is responsible for protecting Cardholder Data only after such Cardholder Data has been encrypted and received by MINDBODY’s server(s).  SUBSCRIBER remains responsible for the proper handling and protection of Cardholder Data until such Cardholder Data has been encrypted and received by MINDBODY’s server(s).
  3. Data Center SSAE 16 Type II and Type III Compliance

    1. 3.1 SSAE 16 Type II and Type III Compliance.  MINDBODY hosts Subscriber Data at multiple secure and redundant data centers in geographically diverse locations.  Each data center is secured and monitored 24x7x365 by trained data center facility staff.  The primary data center features:
        1. A Zone 4 earthquake-rated reinforced structure;
        2. Multiple, redundant enterprise-grade switching hardware at every stage;
        3. A monitoring system providing real-time data on equipment operation, enabling immediate identification of problems;
        4. Multiple paralleled N+1 UPS modules configured as redundant systems, allowing an A/B power configuration;
        5. 20 megawatts of expandable N+1 generator backup power;
        6. Very Early Smoke Detection Apparatus (VESDA) early smoke detection with pre-action dry-pipe fire suppression systems;
        7. Multiple fiber route entrances to the structure; and
        8. Access control systems requiring a biometric scan and a personal identification number (PIN), with separate locks on all MINDBODY server cabinets.
    2. 3.2 Backup Data Center.  The backup data center has the same facility specifications as the primary data center.  The backup data center receives a backup of Subscriber Data at least once in every 24-hour period.

  4. Physical and Personnel Security

    1. 4.1 Physical Security Measures.  Physical access to the primary data center and the backup data center is restricted by 24x7x365 on-site security and Network Operations Center staff.  The facility is protected by alarm systems, with cameras at the perimeter points of the building and video surveillance within the facility.  Multi-level access authorization, consisting of a man trap, biometric verification and individually assigned access levels, is used to verify the limited number of MINDBODY authorized personnel who have been granted access.
    2. 4.2 Personnel Security Measures.
        1. Background Checks and Non-Disclosure Agreements.  OUR technical and management personnel with access to Subscriber Data are subject to background checks prior to hiring, and must sign non-disclosure and data security agreements that protect both MINDBODY and Subscriber Data.
        2. Transfer Restrictions.  OUR personnel are not permitted to transfer Subscriber Data onto any hard drive, flash drive, mobile device, or other storage device, except those contained within either the primary data center or the backup data center.  Subscriber Data is not transferred to MINDBODY corporate workstations.

  5. Changes to this Security Policy

    MINDBODY reserves the right to change this Security Policy.  MINDBODY will provide notification of material changes to this Security Policy through a notice on the Associated Websites or via email at least thirty (30) business days before the change takes effect.

  6. Contact Us

    If YOU have any questions regarding this Security Policy, YOU can contact US by email at privacy@mindbodyonline.com or by postal mail at:
    Vice President, I.T. Security
    4051 Broad Street, Suite 220
    San Luis Obispo, CA 93401
    (805) 706-0476