Security Policy

Motivforce is committed to maintaining the confidentiality, integrity, and security of personal information about our current customers, our prospective customers, and our customers' customers.

We are proud of our privacy practices and want you to know how we protect this information and use it to service your programs. We take security and privacy seriously, adhering to enterprise-level security standards that keep your program data protected.

Compliance

GDPR Readiness
General Data Protection Regulation

California Consumer Privacy Act
Privacy Protections

PCI Level III (In process)
Payment Card Industry Data Security Standard

Security Team

We have a globally distributed infrastructure and security team available 24/7. Our team constantly monitors security notifications for all 3rd party software libraries we use and, when a relevant security patch is identified, we apply it as soon as it is released. Our software engineers work together with the product teams to ensure that all of Motivforce’s code and infrastructure follows a secure development lifecycle process.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, which was established by Visa, MasterCard, JCB, Discover, and American Express in 2004.

PCI DSS is a set of network security and business best practices guidelines adopted by the PCI Security Standards Council to establish a “minimum security standard” to protect customers’ payment card information. The scope of the PCI DSS includes all systems, networks, and applications that process, store, or transmit cardholder data, and also systems that are used to secure and log access to the systems in scope. PCI DSS applies to entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

Motivforce doesn’t store, process or transmit cardholder data. We rely on third party service providers to handle transactions and have integrated with our payment processors' APIs so that we never store, process or transmit cardholders' sensitive data such as passport numbers, government identification numbers or card numbers.

Although PCI SSC does not have legal authority, any company performing credit or debit card transactions is expected to comply with the PCI DSS standard. PCI assessment is seen as the safest way to protect confidential data and information while helping businesses build long-term, trust-based relationships with their customers.

PCI DSS Self-Assessment Questionnaires (SAQs) are assessment forms designed to help merchants and service providers self-assess their PCI DSS compliance. Completing the PCI SAQ is one way merchants can demonstrate their compliance to their acquiring banks and, therefore, to the five founders of the PCI SSC.

Infrastructure

All of Motivforce’s application and data infrastructure is hosted on Amazon Web Services (AWS), a highly scalable cloud computing platform with end-to-end security and privacy features built in.

Designed with redundancy, fault tolerance and disaster recovery at the forefront, our services are distributed across three separate availability zones (data centers). All our infrastructure is within our virtual private cloud (VPC) with production access restricted to operations support staff only. This allows us to leverage complete firewall protection, private IP addresses and other security features.

For more specific details regarding AWS security, please refer to https://aws.amazon.com/security/.

Uptime and Data Availability

We strive for a 99.99% uptime across all our products and to support that, we host our monitoring and logging systems outside of AWS and employ a variety of tools to accurately monitor and report on any anomaly that could impact the delivery of our services.

All of our services are deployed in at least three availability zones to mitigate any single data center availability issues. In the event of such an emergency that would prevent AWS from delivering service to any of the availability zones (AZ) in a region, we do not have the ability to retrieve data until service in our AZs is restored.

In the unlikely event that data stored in the Motivforce database were to be lost or damaged, we would be able to restore from backup with a data loss of no more than 5 minutes. During this time we would not provide additional contingency plans to deliver data, due to the very short recovery time.

Data and Data Center

Motivforce's programs are multi-tenant. Data is held in multi-tenant datastores in Amazon Web Services-controlled data centers and is protected under a signed BAA with AWS in each of the geographical locations. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access.

Data Transmission

Confidential data must not be 1) transmitted outside the company network without the use of strong encryption, 2) left on voicemail systems, either inside or outside the company’s network.

Use of Confidential Data

A successful confidential data policy is dependent on Motivforce personnel knowing and adhering to the company’s standards involving the treatment of confidential data. The following applies to how Motivforce personnel must interact with confidential data:

  • Must be advised of any confidential data to which they have been granted access. Such data must be marked or otherwise designated “confidential.”
  • Must only access confidential data to perform his/her job function.
  • Must not seek personal benefit, or assist others in seeking personal benefit, from the use of confidential information.
  • Must protect any confidential information to which they have been granted access and not reveal, release, share, email unencrypted, exhibit, display, distribute, or discuss the information unless necessary to do his or her job or the action is approved by his or her supervisor.
  • Must report any suspected misuse or unauthorized disclosure of confidential information immediately to his or her supervisor.
  • If confidential information is shared with third parties, such as contractors or vendors, a confidential information or non-disclosure agreement must govern the third parties’ use of confidential information. Refer to the company’s outsourcing policy for additional guidance.

Security Controls for Confidential Data

Confidential data requires additional security controls in order to ensure its integrity. Motivforce requires that the following guidelines are followed:

  • Strong Encryption: Strong encryption must be used for confidential data transmitted external to the company. If confidential data is stored on laptops or other mobile devices, it must be stored in encrypted form.
  • Network Segmentation: Separating confidential data by network segmentation is strongly enforced (see Network Security Policy).
  • Authentication: Strong passwords must be used for access to confidential data.
  • Physical Security: Systems that contain confidential data should be reasonably secured.
  • Printing: When printing confidential data the user should use best efforts to ensure that the information is not viewed by others. Printers that are used for confidential data must be located in secured areas.
  • Faxing: When faxing confidential data, users must use the Motivforce cover sheet that informs the recipient that the information is confidential. Faxes should be set to print a confirmation page after a fax is sent; and the user should attach this page to the confidential data if it is to be stored. Fax machines that are regularly used for sending and/or receiving confidential data must be located in secured areas.
  • Emailing: Confidential data must not be emailed outside the company without the use of strong encryption.
  • Mailing: If confidential information is sent outside the company, the user must use a service that requires a signature for receipt of that information.
  • Discussion: When confidential information is discussed it should be done in non-public places, where the discussion cannot be overheard.

Application

Through the use of automated and manual analysis, as well as constant security review of 3rd party libraries, we ensure to the best of our abilities that we are delivering products that are free from security defects and that data is processed strictly in compliance with our customer’s instructions. All Motivforce web application communications are PCI compliant and support TLS v1.2, and cannot be viewed by a third party. We enforce the same level of encryption used by banks and financial institutions.

Additionally, we support a number of security focused features to help keep your data safe:

  • Data encryption - All customer data is encrypted at rest, including user email addresses, user passwords and API keys (including 3rd party keys stored by Apps).
  • Data separation - Company-specific data is kept separate through logical separation at the data tier, based on application-level access permissions and roles.
  • Authentication - Motivforce supports both 2FA (via SMS or authenticator app) for Motivforce credentials and SSO through our clients' internal infrastructure.
  • API Security - In our API we support SAML authentication and a UI for revoking device tokens.

Engineering and Operational Practices

We design all services with high availability in mind. Our goal is to deliver 99.99% uptime across all our products. In order to achieve this goal, we follow a number of engineering best practices:

  • Immutable infrastructure - We don’t make changes to live code or running servers in production. Where applicable, we treat both our software and our infrastructure configuration as code, which means all changes go through a formal code review, automated testing and automated deployment process.
  • Continuous integration and delivery - We are using continuous integration and deployment automation and configuration management tools to build, test and deploy code multiple times a day.
  • Incident response - Our dedicated infrastructure and security team is on a rotating on-call schedule to respond to any security or availability incidents immediately.
  • Security audits - Regularly, an independent security firm executes a white-box penetration test audit across our system and code base. On request, the results of the latest audit can be provided to current or potential customers.
  • Annual PCI scanning - We run a PCI scan every year to maintain ongoing Level 3 PCI compliance, adhering to stringent industry standards for storing, processing and transmitting credit card information online, in addition to encrypting customer payment information. Any uncovered vulnerability is prioritized, resolved and deployed as soon as possible following discovery.
  • Permission and administrative controls - Motivforce enables permission levels to be set for any employees with access to Motivforce. We follow the principle of least privilege for any system with access to personal data and have automated tool-based control and logging of data access, entry, deletion, and modification.