The company requires users to authenticate to systems and applications using unique credentials.

Remote administrative access to production systems requires the use of multi-factor authentication.

Access to systems and data is provisioned based on job role and business need.

Privileged access to systems is limited to authorized personnel.

User access is removed when no longer required, including upon employee termination or role change.

The Mobly Platform is hosted within a virtual private cloud environment operated by a cloud service provider.

Perimeter security controls are used to protect production environments from unauthorized external access.

Public and private network segments are implemented to restrict access to sensitive systems.

Connections to the Mobly Platform are encrypted using secure Transport Layer Security (TLS).

Security monitoring and threat detection capabilities are used to support the identification of potential security events.

Production infrastructure is designed to support availability and failover within the cloud environment.

Confidential customer data is encrypted during transmission over public networks.

Security monitoring controls are designed and operated to support detection of potential security events.

Externally facing, in-scope systems are subject to recurring vulnerability scanning.

Independent external penetration testing is performed on in-scope systems to identify security weaknesses.

Penetration test results are reviewed to determine appropriate remediation actions.

The company has completed a SOC 2 Type 2 examination covering controls relevant to security.

An independent service auditor evaluated the design and operating effectiveness of security controls.

Risks that could impact service commitments and system requirements are identified and assessed.

Information security policies and procedures are formally documented and maintained.

Security commitments are documented and communicated through customer agreements and service documentation.

Formal procedures exist for identifying, managing, and responding to security incidents.

Security incidents are documented and managed in accordance with established procedures.

Procedures exist to notify customers of security incidents in accordance with contractual and regulatory requirements.

Business continuity considerations are documented as part of system operations.

A Data Processing Agreement defines roles, responsibilities, and data protection obligations.

Employees and contractors are subject to confidentiality obligations.

Customer data is deleted or returned upon service termination in accordance with documented procedures.