We take security seriously here at Mixmax. Here are some of the enterprise-grade security and privacy controls we use to protect our customers’ data.
Mixmax provides robust tools and analytics to enhance users’ outbound, electronic communications via Gmail and Google Inbox. Features include: analytics regarding open and click-through rates of recipients, automated calendar scheduling from within an email, and easy-to-use email templates.
When a user installs the Mixmax Chrome extension, we create a Mixmax account for the user and link it with the user’s Google account. We ask the user for permission to connect to his or her Google account and authenticate that connection via Google Apps OAuth. This means that each users’ Mixmax account has the same industry-leading login security as their Google account. Users can add 2-factor authentication via Google if they choose.
Mixmax requests access to the following Google information so that our features can work:
The integration with Google provides Mixmax with access to, for instance, a Google user’s email, calendar, and contacts, as described above. However, Mixmax only collects the user’s name and email address, and, while a user is writing an email, the content of the draft email message is stored on our servers. Once the message is sent, we transfer the content back to the user’s Gmail account where it is stored on Google’s servers. In addition, when a user sends an email, the recipient’s email address and IP address are stored on our servers, to provide the user with tracking and analytics.
Mixmax protects user data throughout the data flows of the Mixmax product, from account creation and integration through Google’s OAuth service, to encryption of data in transit to Mixmax servers (using browser-based TLS) and encryption of that data at rest (using AES-256), to a variety of administrative, physical, and technical safeguards designed to create a secure environment for our customers’ data. As a result, the Mixmax product can be implemented within a HIPAA-compliant environment.
We work with industry-leading cloud PaaS and IaaS providers. All Mixmax applications run in a virtual private cloud (VPC) hosted by AWS, including failover and backup instances. User data transferred to Mixmax is hosted by our cloud-based database provider, Mongo, which also store and process the data using industry standard infrastructure. These infrastructure providers maintain industry-standard security certifications, including ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3 and PCI DSS Level 1.
Mixmax has created a robust security program designed to meet the requirements of a ‘business associate’ under HIPAA, including implementation of each of the implementation specifications which underlie the administrative, physical, and technical safeguards required under the Security Rule. In addition, Mixmax has implemented a comprehensive internal security policy and program to regularly review and assess the adequacy of controls we have in place.
Mixmax also certifies its adherence to the EU – US and Swiss – US Privacy Shield frameworks in order to provide an adequate basis for the transfer of personal data from the EU and Switzerland to our US-based servers.
For more information, you can request our Security Whitepaper.
Please send all issues to firstname.lastname@example.org.
We run a bug bounty program, all details can be found here: https://docs.google.com/document/d/1-66B7hPHmD7H4i19SaXDeTfnOtGCb4R9Wvw7SfkIrh4/edit#heading=h.asmdt7qum8hb