At MuleSoft, we are committed to maintaining the privacy and security of the data you share with us. Like many of our customers and partners, MuleSoft has been preparing for the GDPR, which is changing the global data privacy landscape. Our privacy and security teams have been working with customers and internal teams to prepare for the GDPR, which goes into effect on May 25, 2018.
Enhancing our Security and Privacy Programs
Meeting the GDPR requirements can be an overwhelming task for any company. The GDPR has many interpretations and varied implementations, and we will continue to get more clarity on best-practice approaches to it. Our approach was to identify the areas where Personal Data enters our ecosystem. Below, we describe those areas and some of the enhancements we have made as part of our Security and Privacy Programs.
Areas where Personal Data may be collected, transmitted, processed, or stored:
- Enrolling in and using MuleSoft’s Anypoint Platform product and services.
- Consenting to and interacting with MuleSoft’s sales and marketing teams.
- Registering for and completing MuleSoft’s training products and services.
- Applying to and engaging with MuleSoft’s recruiting and human resources teams.
Enhancements to our Privacy Program for GDPR:
- Performed data mappings and process overview around Personal Data.
- Identified key subcontractors and providers.
- Negotiated DPAs with applicable subcontractors and providers.
- Worked with our engineering teams to institute data protection by design and streamline key processes (consent).
- Implemented measures and effective procedures to fulfill data subject requests.
- Updated our policies, notices, consents, and procedures to reflect data protection enhancements and data subject requests.
- Evaluated data transfers outside the EU and documented our EU-US/Swiss-US Privacy Shield certification.
- Revised our breach reporting to meet reporting and impact assessment obligations.
- Appointed a designated Data Protection Officer for advising and monitoring our data protection.
- Established a Privacy Council to provide accountability, governance, and monitoring of MuleSoft’s data protection.
Commitment to Security and Privacy
At MuleSoft, security and privacy are a priority and are core to the products and services we provide. We manage security through a defense-in-depth method as part of our Information Security Management System (ISMS).
MuleSoft has been preparing for GDPR by leveraging our ISMS, which comprises security controls and safeguards to protect customer data and, ultimately, Personal Data. Our ISMS has been certified against ISO 27001:2013, the globally accepted security standard. Additionally, we are currently in the process of aligning our ISMS with ISO 27018:2014, the globally accepted standard to protect Personally Identifiable Information (PII) for cloud environments.
As part of our Security and Compliance Programs, MuleSoft undergoes yearly SOC 1 and SOC 2 audits that provide independent evaluation and assurance that our controls and safeguards are operating effectively throughout the year. With this solid security foundation, MuleSoft is well-positioned to meet the technical and organizational safeguards required by GDPR.
Data Protection Agreements (DPA)
MuleSoft has been working to ensure its practices and standard contracts are prepared to support GDPR. We currently offer a DPA for our customers that aligns with GDPR requirements. This DPA contains contractual provisions in order to assist our customers in their compliance with the GDPR. You may download the pre-signed DPA and complete the form for execution.
MuleSoft not only protects Personal Data; we are also requiring the vendors in our supply chain to uphold the same security and privacy standards.
Additional Questions
We know how important data security and privacy are for everyone in our ecosystem. Questions are welcome at privacy@mulesoft.com.