Date last modified: November 30, 2017

Security Policy



PRELIMINARY MATTERS

Ensuring customer data is secure and readily available is a high priority at MINDBODY. We maintain our digital properties and all associated data with technical, administrative and physical safeguards to protect against loss, unauthorized access, destruction, misuse, modification and improper disclosure. When You enter sensitive information (such as a credit card number) in our digital properties, We encrypt the transmission of that information using industry-standard encryption methods. No computer system or information can, however, ever be fully protected against every possible hazard. MINDBODY is committed to providing reasonable and appropriate security controls to protect our Services, Associated Websites, and information against foreseeable hazards. If You have any questions about MINDBODY security, You can contact Us at privacy@mindbodyonline.com.


BACKGROUND

This Security Policy should be read in conjunction with the Privacy Policy and as applicable, the MINDBODY API Terms of Use, Terms of Service, and all Supplemental Terms because these documents constitute the agreement entered into between You and MINDBODY (the “Agreement”).

This Security Policy contains defined terms, which are defined in the Agreement. Please refer to these defined terms in reviewing this Security Policy.

By accessing, viewing or using all or any part of the MINDBODY digital properties by, for example, downloading any materials, or by completing any registration process via the associated websites, You are accepting the terms and conditions of the Agreement.

If You are agreeing to this Security Policy and Contract on behalf of a corporation or other legal entity, You represent that You have the authority to bind such entity and its affiliates to the Contract. If You do not have such authority, You must not enter into this Agreement and may not use any of Our Services or content.


EXPECTATIONS OF THE PARTIES

Having considered the above Preliminary Matters and mutual agreements below, the PARTIES hereby agree as follows:

  1. 1. User Expectations

    1. 1.1 Cardholder Data Recommended Practices

      1. 1.1.1 We Recommend You adopt PCI DSS.

        Any merchant who accepts Visa, MasterCard, American Express, or Discover credit cards for payment is subject to the Payment Card Industry Data Security Standard (PCI DSS), which outlines credit card processing merchants' responsibilities for the protection of Cardholder Data. We strongly recommend You follow the requirements of the PCI DSS when handling Cardholder Data. Please refer to the PCI DSS website for a complete list of all rules and restrictions that may apply: https://www.pcisecuritystandards.org/.

      2. 1.1.2 Disclaimer of Responsibility for Cardholder Data.

        If You use the optional Integrated Merchant Account service to process payments, MINDBODY is responsible for protecting Cardholder Data only after such Cardholder Data is encrypted and received by MINDBODY’s server(s). You remain responsible for the proper handling and protection of Cardholder Data until such Cardholder Data is encrypted and received by MINDBODY’s server(s).

      3. 1.1.3 Cardholder Data Recommended Practices.

        At a minimum, You should implement the practices set forth below:

        You should do the following:

        1. Maintain updated anti-virus software on all workstations engaged in credit card processing and remove any programs that the anti-virus software flags as potentially malicious.
        2. Restrict permission to install software on those computers to Subscriber’s business owner and/or trusted senior staff.
        3. Maintain up-to-date versions of operating systems (e.g., Microsoft Windows or Macintosh OS) and web browsers (e.g., Internet Explorer, Safari or Firefox), with all security updates and patches installed.
        4. Ensure that every individual that logs into the Services has a unique username and password that is known only by that individual.
        5. Only store credit card account numbers in encrypted credit card fields designed for that purpose.
        6. Destroy any hard copy documents that have Cardholder Data written on them.

        You must not do the following:

        1. Share Your account or password;
        2. Record Cardholder Data in notes, contact logs, or other unencrypted text fields within MINDBODY.
    2. 1.2 Protection of Personal Health Information (PHI)

      MINDBODY supports customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, certain information about a person’s health or health care services is classified as Protected Health Information (PHI). If You are subject to HIPAA and wish to use Our Services with PHI, it is Your responsibility to request a Business Associate Agreement (“BAA”) with MINDBODY. You are solely responsible for determining whether You are subject to HIPAA requirements. If You are subject to HIPAA and have not entered into a BAA, You must not use any of Our digital properties in connection with PHI. You agree to indemnify, defend, and hold harmless MINDBODY and its directors, employees, and affiliates against any claim relating to a failure by You to request a BAA with MINDBODY.

    3. 1.3 MINDBODY API Credentials Security Policy

      Your API credentials are extremely powerful, and using them is a serious responsibility. If You use MINDBODY API, You must follow the guidelines below to ensure that You’re accessing client data in a safe and secure way. Using Your API credentials indicates that You agree to the terms of this policy. If You or a member of Your team violates any of the items in this policy, You could permanently lose access to the MINDBODY API without warning.

      You should do the following:

      • Protect Your credentials.
      • Share Your credentials with Your team on a need-to-know basis.
      • Prevent SOAP-UI from putting full credentials in logs. Please note that it is Your responsibility to prevent this.
      • Make sure Your team understands that the credentials grant access to sensitive and confidential production data.

      You must not do the following:

      • Share Your API password. Under no circumstance will MINDBODY Staff request Your API password.
      • Store credentials on Your home computer, on a whiteboard, in Google Docs, on an unencrypted web server, or on public websites (e.g., Pastebin, GitHub, StackOverflow).

      MINDBODY reserves the right to delete any API credentials after 30 days of low activity (less than 100 calls).

  2. 2. MINDBODY Expectations

    1. 2.1 Cardholder Data

      1. 2.1.1 PCI-DSS.

        MINDBODY complies with the PCI DSS tier 1 standard. We are dedicated to the six (6) PCI DSS best security practices for credit card protection, which include, but are not limited to:

        • Maintaining a secure network
        • Protecting the Cardholder Data
        • Maintaining a Vulnerability Management Program
        • Implementing strong access control measures
        • Monitoring and testing production and development networks
        • Maintaining an Information Security Program and policies.
    2. 2.2 Data Security

      1. 2.2.1 Location and Backup.

        All Subscriber Data is located on secure servers, or backup directories that require access authentication.

      2. 2.2.2 Firewalls.

        All secure servers are protected by multiple, redundant firewalls and intrusion detection and prevention systems that are regularly monitored and tested (details of firewall configuration are not shared publicly for maximum security).

      3. 2.2.3 TLS Encryption.

        Transport Layer Security data encryption is employed to protect all data access across the Internet.

      4. 2.2.4 Qualified Security Assessor (QSA).

        Approved Scanning Vendor (ASV), delivers accurate vulnerability scanning and actionable reporting, that enables the MINDBODY Network Operations Center to quickly rank risks and gauge compliance against PCI-DSS Standards. Daily Vulnerability Assessments monitor the MINDBODY network perimeter against daily threats to help protect MINDBODY from hackers, data breaches, adware, spyware, pop-ups, browser exploits, and phishing attempts.

    3. 2.3 Data Center SSAE 18 Type II and Type III Compliance

      1. 2.3.1 SSAE 18 Type II and Type III Compliance.

        MINDBODY hosts Your Data at multiple secure and redundant data centers in geographically diverse locations. Each data center is secured and monitored 24x7x365 by a staff of highly trained data center facility experts. The primary data center features:

        • A Zone 4 earthquake-rated reinforced structure;
        • Multiple redundant, enterprise switching hardware at every stage;
        • A monitoring system providing real-time data on equipment operation, enabling instant identification of problems;
        • Multiple paralleled N+1 UPS modules configured in redundant systems allow for A/B power configuration;
        • 20 megawatts of expandable N+1 power backup utilizing generators;
        • A Very Early Smoke Detection Alarm (VESDA) early smoke detection with pre-action dry pipe fire suppression systems;
        • Multiple fiber route entrances to structures;
        • Access control systems leveraging a biometric scan and personal identification number (PIN), with separate locks for all MINDBODY server cabinets; and
        • The backup data center features the same facility specifications as the primary data center. The backup data center receives a backup of subscriber data at least once per 24-hour period.
    4. 2.4 Physical and Personnel Security

      1. 2.4.1 Physical Security Measures.

        Physical access to the primary data center and the backup data center is restricted by 24x7x365 on-site security and Network Operations Center staff. The facility is controlled by alarm systems with cameras on perimeter points of the building along with video and camera surveillance within the facility. Multi-level access authorization with man trap, biometric verification and security controlled access level assignments are used to verify a limited number of MINDBODY authorized personnel who have been granted access.

      2. 2.4.2 Personnel Security Measures.

        Background Checks and NDA Agreements. Our technical and management personnel with access to Subscriber Data are subjected to background checks prior to hiring, and must sign non-disclosure and data security agreements that protect both MINDBODY and Subscriber Data.

        Transfer Restrictions. Our personnel are not permitted to transfer Subscriber Data onto any hard drive, flash drive, mobile device, or other storage device, except those contained within either the primary data center or backup data center. Subscriber Data is not transferred to MINDBODY corporate workstations.

  3. 3. Changes to this Security Policy

    We may, in Our sole discretion, make changes to this Security Policy from time to time. Any changes We make will become effective when We post a modified version of the Security Policy to Our Website, and We agree the changes will not be retroactive. 

  4. 4. Contact Us

    If You have any questions regarding this Security Policy You can contact Us by email at, privacy@mindbodyonline.com or by postal mail at:

    Jason Loomis
    Chief Information Security Officer, VP Cybersecurity
    MINDBODY, Inc.
    4051 Broad Street Suite 220
    San Luis Obispo, California 93401
    (877) 755-4279