Mago Information Security
Mago has established an information security management framework describing the purpose, direction, principles, and basic rules for how we maintain trust. This is accomplished by assessing risks and continually improving the security, confidentiality, integrity, and availability of the service. We regularly review and update security policies, provide security training, perform application and network security testing, monitor compliance with security policies, and conduct internal and external risk assessments.
We’ve established a thorough set of security policies covering the areas of information security, physical security, incident response, logical access, change management, and support. These policies are reviewed and approved at least annually, and are enforced by the Mago Security team. Employees, interns, and contractors participate in mandatory security training when joining the company and ongoing security awareness education.
Policies pertaining to user and Mago information, with key areas including authentication requirements; data and systems security; user data privacy; and restrictions on and guidelines for employee use of resources and handling of potential issues
How we maintain a safe and secure environment for people and property at Mago (see Physical security section below)
Our requirements for responding to potential security incidents, including assessment, communication, and investigation procedures
Policies for securing Mago systems, user information, and Mago information, covering access control to corporate and production environments
Policies for code review and managing changes that impact security by authorised developers to application source code, system configuration, and production releases
User metadata access policies for our support team regarding viewing, providing support for, or taking action on accounts
Upon hire, each Mago employee is required to complete a background check and sign a security policy acknowledgement and non-disclosure agreement. Only individuals that have completed these procedures are granted physical and logical access to the corporate and production environments, as required by their job responsibilities.
In addition, all employees take part in mandatory security training for new hires and an annual security education program, and receive regular security awareness training via informational emails, talks/presentations, and resources available on our corporate knowledge base. Employee access to the Mago environment is authenticated using a combination of strong passwords, passphrase-protected SSH keys and two-factor authentication. Remote access requires the use of a VPN protected with two-factor authentication, and any special access is reviewed and vetted by the security team.
Access between networks is strictly limited to the minimum number of employees and services. For example, production network access is SSH key-based and restricted to engineering teams requiring access as part of their duties. Firewall configuration is tightly controlled and limited to a small number of administrators.
In addition, our internal policies require employees accessing production and corporate environments to adhere to best practices for the creation and storage of SSH private keys. Access to other resources, including data centres, server configuration utilities, production servers, and source code development utilities, is granted only through explicit approval by appropriate management. A record of the access request, justification, and approval is kept by management, and access is granted by the appropriate individuals.
Mago employs technical access controls and internal policies to prohibit employees from arbitrarily accessing user activity, user data and other information about users’ accounts. In order to protect end user privacy and security, only a small number of engineers responsible for developing core Mago services have access to the environment where user data are stored. Accessing users’ data is only performed for troubleshooting needs, and only with users’ explicit consent. All employee access is promptly removed when an employee leaves the company.