Mello employs strict security standards and measures throughout the entire organization. Every team member is trained and kept up to date on the latest security protocols. We regularly undergo testing, training, and auditing of our practices and policies.
This policy defines behavioral, process, technical, and governance controls pertaining to security at Mello that all personnel are required to implement in order to ensure the confidentiality, integrity, and availability of the Mello service and data ("Policy"). All personnel must review and be familiar with the rules and actions set forth below.
This Policy defines security requirements for:
In the event of a conflict, the more restrictive measures apply.
This Policy was created in close collaboration with and approved by Mello executives. At least annually, it is reviewed and modified as needed to ensure clarity, sufficiency of scope, concern for customer and personnel interests, and general responsiveness to the evolving security landscape and industry best practices.
The Mello security team oversees the implementation of this Policy, including:
The security team maintains a Risk Management Framework derived from NIST SP 800-39 - "Managing Information Security Risk: Organization, Mission, and System View" and NIST SP 800-30 - "Guide for Conducting Risk Assessments". Risk assessment exercises inform prioritization for ongoing improvements to Mello's security posture, which may include changes to this Policy itself.
Our Risk Management Framework incorporates the following:
Mello is committed to protecting its customers, personnel, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly, in the context of its established employment culture of openness, trust, maturity, and integrity.
This section outlines expected personnel behaviors affecting security and the acceptable use of computer systems at Mello. These rules are in place to protect our personnel and Mello itself, as inappropriate use may expose customers and partners to risks including malware, viruses, compromise of networked systems and services, and legal issues.
The first line of defense in data security is the informed behavior of personnel, who play a significant role in ensuring the security of all data, regardless of format. Such behaviors include those listed in this section as well as any additional requirements specified in the employee handbook, specific security processes, and other applicable codes of conduct.
All employees and contractors must complete the Mello security awareness and data handling training programs at least annually.
It is the responsibility of all personnel to take positive action to maintain physical security. Challenge any unrecognized person present in a restricted office location. Any challenged person who does not respond appropriately should be immediately reported to supervisory staff and the security team. All visitors to Mello offices must be registered as such or accompanied by a Mello employee.
Personnel should maintain workspaces clear of sensitive or confidential material and take care to clear workspaces of such material at the end of each workday.
Unattended devices must be locked. All devices must have an automatic screen lock configured to activate after no more than fifteen minutes of inactivity.
Systems are to be used for business purposes, serving the interests of the company and of our clients and partners in the course of normal business operations. Personnel are responsible for exercising good judgment regarding the reasonableness of personal use of systems. Only Mello-managed hardware and software may be connected to corporate equipment or networks, installed on corporate equipment, or used to access Mello data.
Mello classifies data into the following categories:
All sensitive data must be encrypted both at rest and in transit using industry-standard encryption protocols. We utilize:
Mello maintains a data retention schedule that defines how long different types of data should be kept before secure deletion. When data reaches the end of its retention period, it is securely destroyed using methods that prevent recovery.
Access to Mello systems and data is granted following the principle of least privilege. Users receive only the access permissions necessary to perform their job functions.
All system access requires:
Access privileges are reviewed quarterly to ensure they remain appropriate.
Mello implements multiple layers of network security including:
Our network is segmented to isolate critical systems and limit the potential impact of security breaches.
Mello maintains detailed incident response procedures for identifying, containing, eradicating, and recovering from security incidents.
In the event of a data breach, Mello will notify affected customers in accordance with applicable laws and regulations.
Critical data is automatically backed up according to defined schedules with backups stored in geographically diverse locations.
Disaster recovery procedures are tested at least annually to ensure they remain effective.
All third-party vendors with access to Mello systems or data undergo a security assessment before engagement and periodically thereafter.
Vendors must agree to security provisions in their contracts that protect Mello data and systems.
Mello maintains compliance with applicable laws, regulations, and industry standards relevant to our business.
Regular internal and external security audits are conducted to validate the effectiveness of our security controls.
Violations of this Security Policy may result in disciplinary action, up to and including termination of employment or service contracts.
Exceptions to this policy may be granted only after a formal risk assessment and must be approved by the Security Team and relevant executives.
For questions about this Security Policy or to report security concerns, please contact the Mello Security Team at [email protected].