Information Security Program

MediaMath has implemented and will maintain at all times an information security program designed to secure Client Data against unauthorized or unlawful access, modification, disclosure, or loss. MediaMath implements commercially reasonable, industry-standard information security measures designed to ensure the confidentiality, integrity, and availability of Client Data, taking into account the nature of the applicable data, the nature of applicable risks identified and assessed by MediaMath, requirements for system performance, and Applicable Laws. MediaMath reserves the right to modify its information security program at any time without notice to address contemporary threats and incorporate, where applicable, relevant advances in security techniques and practices so long as such modifications do not result in any material degradation of the security of Client Data. At the present time, the information security program includes the following domains and practices:


Technical and Organizational Measures


Domain Practices
Governance of Information Security

Security Leadership. MediaMath has appointed one or more directors responsible for managing the information security program. MediaMath has an information security committee designed to ensure that appropriate internal stakeholders participate in the governance of information security.


Policies and Procedures. MediaMath has developed, maintains, and enforces policies and procedures applicable to information security. Policies are reviewed at least annually. MediaMath revises policies and procedures as necessary to address contemporary threats and incorporate, where applicable, relevant advances in security techniques and practices.


Security Roles and Responsibilities. MediaMath has dedicated information security personnel. Certain MediaMath personnel have defined security responsibilities that are appropriate to their respective roles and functions.


Risk Management Program. MediaMath performs a security risk assessment annually.


Third-Party Audit. MediaMath has SOC 2 Type II certification from an independent audit firm.


Human Resource Security

Personnel Management. MediaMath personnel are employed with appropriate confidentiality obligations, non-disclosure obligations, and acceptable-use obligations where applicable. Where appropriate, MediaMath performs background checks on personnel in accordance with applicable laws and regional norms. MediaMath has policies and procedures designed to ensure that access restrictions or revocations are applied to terminated personnel.


Awareness and Training. MediaMath personnel are required to complete security training annually. MediaMath provides personnel with timely information about important or noteworthy threats. MediaMath provides personnel with reminders about security policies, procedures, and practices.


Asset Management

Asset Inventory. MediaMath maintains an inventory of assets and asset owners applicable to Client Data. MediaMath has policies and procedures that apply to commissioning and decommissioning assets, distribution and return of assets, and media disposal.


Identity and Access Management

Identity Management. MediaMath has policies and procedures for the registration and de-registration of user identities. MediaMath maintains a unique identifier for each user.


Account Provisioning. MediaMath has policies and procedures for the lifecycle management of user accounts. The policies and procedures facilitate appropriate oversight and approval, role-based authorization, the principle of least privilege, record-keeping, and regular review and audit. For each facility, network, and system, MediaMath identifies authorized personnel who may grant, amend, and revoke access and, for such roles, implements appropriate separation of duties.


Privileged Accounts. MediaMath limits privileged accounts to personnel who have a valid organizational or technical need for such accounts. MediaMath performs recertification of privileged accounts at least bi-annually.


Authentication. MediaMath uses industry-standard practices to identify and authenticate users who attempt to access MediaMath facilities, networks, and systems. MediaMath implements password complexity and length rules for MediaMath personnel. MediaMath implements multi-factor authentication (MFA) for certain corporate and production systems. MediaMath provides customers with the ability to implement SSO authentication for their respective user accounts in MediaMath’s TerminalOne (T1) application. MediaMath logs access events.


Network and Communications Security

Network Design. Where applicable, MediaMath uses network segregation designed to ensure that production environments are isolated from development and corporate environments.


Network Security Measures. MediaMath implements perimeter security measures such as firewalls, Access Control List (ACL) methods, and functionally equivalent security measures. MediaMath requires that personnel use a Virtual Private Network (VPN) for access to certain corporate and production environments. In addition, MediaMath implements MFA for access to the production VPN. For certain infrastructure, MediaMath uses network intrusion detection or prevention technologies. MediaMath logs network connections and certain traffic.


Encryption. MediaMath supports Transport Layer Security (TLS) to encrypt non-public Client information in transit between MediaMath’s web servers and its clients’ browsers.

Monitoring. MediaMath has implemented a security information and event management (SIEM) tool to help provide real-time analysis of security alerts generated by systems (including network devices, servers, cloud infrastructure, and critical applications).

Host Security and Vulnerability Management

Server Host Security. For certain infrastructure, MediaMath implements host-based intrusion detection measures on production servers.


Workstation Security. MediaMath has policies in place that define MediaMath-issued laptop configuration, acceptable use of MediaMath-issued laptops, and restrictions on the use of personal (non-MediaMath-issued) hardware to access MediaMath networks and applications. MediaMath-issued laptops have host-based anti-malware (anti-virus), full-disk encryption, and inactivity lockout measures.


Vulnerability Management. MediaMath conducts vulnerability scanning at least monthly. MediaMath uses outside sources (e.g. SANS, CERT, etc.) for information and guidance. MediaMath requires that all applicable personnel review and uphold the MediaMath Security Patch Management Standard. MediaMath patches production operating systems in a timely manner based on risk-based analyses that incorporate severity rating, the nature of the operating system and applications, the nature of any data, and other factors.


Physical and Environmental Security

Data Centers and Corporate Offices. MediaMath’s data centers and corporate offices have physical and environmental security measures designed to limit or prevent unauthorized access to MediaMath equipment and data. Physical measures include, where applicable and appropriate, physical barrier controls, isolated delivery sites, visitor registration, visitor identification and logging, visitor escorting, electronic or biometric access controls, mantrap entry, segregated office areas, video surveillance, guards, server cages, alarm and alert procedures, and other measures. Environmental measures include, where applicable and appropriate, fire detection and suppression systems, redundant HVAC services, redundant power supplies, and other measures.


Software and Operations Security

Codebase Security. MediaMath restricts access to its codebase to authorized personnel. MediaMath uses version control to facilitate audit of code changes.


Software Security Review. Major system changes, meaning those that introduce a new application or service or that fundamentally change the architecture of an existing application, undergo a security review.


Change Management. MediaMath has formalized change management processes, which require identification and recording of significant changes, assessment of risk and potential impacts of such changes, approval of proposed changes, communication of change details to relevant individuals and teams, appropriate testing to verify operational functionality, and rollback protocols. MediaMath change management processes implement separation of duties. Emergency procedures may depart from MediaMath’s standard change management processes.


Dynamic Application Testing. MediaMath conducts continuous scanning of its customer-facing application using a Dynamic Scanning platform which provides continual assessment and annual Business Logic Testing.


Security Incident Management

Policy. MediaMath has a Security Incident Response Standard that covers roles and responsibilities, identification and reporting, investigation, and corrective activity.


Incident Response Procedures. MediaMath’s incident response procedures include but are not limited to ticketing, escalation to applicable individuals and teams, analysis, isolation of affected systems and data (where appropriate), remediation planning and execution, root cause analysis, and communication planning and execution. MediaMath will comply with applicable security incident laws, including data breach reporting regulations.


Client Notification. Where applicable and appropriate, MediaMath will notify clients promptly about verified unauthorized or unlawful access, modification, disclosure, or loss of Client Data.


Business Continuity and Availability

Business Continuity Plans. MediaMath has Business Continuity Plans (BCPs) for various functions and a corporate Incident Management Plan to support coordination.


Availability. Where appropriate, MediaMath implements measures to ensure the availability of Client Data. These measures include redundant copies of data and replication of data and databases.


Vendor Risk Management

Vendor Risk Management Program. MediaMath has a vendor risk management program designed to ensure that, where applicable, vendors implement or procure information security measures appropriate to the nature of each vendor’s product or service. MediaMath vendor risk management practices may include contractual obligations related to privacy and information security.


Certifications

MediaMath has in place all security measures and practices which have allowed it to successfully complete a SOC 2 Type II audit and certification and to be in compliance with the EU-US and Swiss-US Privacy Shield frameworks.