Security and Privacy Policy

SECURITY & PRIVACY DOCUMENTATION FOR MC3

(last updated May 6, 2023)

MC3’ Commitment to Security & Privacy

MC3 is committed to achieving and preserving the trust of our customers, by providing a comprehensive security and privacy program that carefully considers data protection matters across our suite of products and services, including data submitted by customers to our online service (“Customer Data”).

 Covered Services

This documentation describes the security-related and privacy-related audits and certifications received for, and the administrative, technical, and physical controls applicable to, the MC3 online services branded as the MC3  Service (hereinafter, the “Service” or “MC3 Service”). For the avoidance of doubt, except for the Customer Eligibility and Additional Customer Data Requirements sections, the Service and this documentation do not apply to Professional Services, Non-MC3 Applications, or Free Trial Services made available by MC3.

 Customer Eligibility

The MC3 CMMC/NIST 800-171 solutions are available only to: (1) U.S. Department of Defense entities (a bureau, office, agency, department, or other entity managed by the U.S. Department of Defense) or (2) non-Department of Defense entities that upload U.S. Department of Defense-controlled data to MC3’s Service in the form of Customer Data in fulfillment of a government contract.

 Additional Customer Data Requirements

As of the date this documentation was last updated, MC3 does not have a FedRAMP Authority to Operate for the MC3 Service. Customers may not submit Customer Data to the Service that is categorized as Department of Defense Impact Level 2 or higher. Customers may not submit Customer Data to the MC3 Service that is either (1) subject to International Traffic in Arms Regulations (ITAR) or (2) classified data. A customer will be responsible for all sanitization costs incurred by MC3 if the customer introduces data subject to ITAR or classified data into the MC3 Service, and such liability of customer shall be exempt from the limitation of liability set forth in the customer’s agreement.

 Architecture, Data Segregation, and Data Processing

The hosted Service is operated in a multitenant architecture that is designed to segregate and restrict Customer Data access based on business needs. The MC3 architecture provides an effective logical data separation for different customers via customer-specific "Tenant Portals" and allows the use of customer and user role-based access privileges. Additional data segregation is ensured by providing separate environments for different functions, such as for testing and production. MC3 has implemented procedures designed to ensure that Customer Data is processed only as instructed by the customer, throughout the entire chain of processing activities by MC3 and its sub processors.

 Retrieval of Customer Data

Upon request by a customer made prior to the effective date of termination of the customer’s agreement, MC3 will make available to the customer, at no cost, for thirty (30) days following the end of the agreement’s term, for download of Customer Data (other than personal confidential information such as, but not limited to, User passwords which may not be included except in hashed format) in an industry standard format. After such 30-day period, MC3 shall have no obligation to maintain or provide any Customer Data and shall thereafter, unless legally prohibited, be entitled to delete all Customer Data by deletion of Customer’s unique instance of the Service. MC3 will not be required to remove copies of the Customer Data from its backup media and servers until such time as the backup copies are scheduled to be deleted in the normal course of business; provided further that in all cases MC3 will continue to protect the Customer Data in accordance with the customer’s agreement. Additionally, during the term of the agreement, Customer may extract Customer Data from the MC3 Service using MC3’s standard functionality.

Disclosure of Information

No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties

Text Message Communication

By providing a telephone number and submitting this form you are consenting to be contacted by SMS text message. Message & data rates may apply. You can reply STOP to opt-out of further messaging.

In order to opt-in to periodically receive  SMS messages you can reply with START or SUBSCRIBE to any text message sent from us. If you require assistance you can reply with HELP or SUPPORT to any text message sent from us. If you wish to stop receiving text messages from us, reply with STOP, QUIT, CANCEL, OPT-OUT, or UNSUBSCRIBE.

 Security Controls

The hosted Service includes a variety of configurable security controls that allow MC3 customers to tailor the security of the Service for their own use. MC3 strongly encourages all customers, where applicable in their configuration of the Service’s security settings, to use the optional multi-factor authentication features made available by MC3 or by another identity provider.

 Information Security Management Program (“ISMP”)

MC3 maintains a comprehensive information security management program that contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of MC3’s business; (b) the amount of resources available to MC3; (c) the type of information that MC3 will store and process; and (d) the need for security and protection from unauthorized disclosure of such Customer Data. The ISMP is documented and updated based on changes in legal and regulatory requirements related to privacy and data security practices and industry standards applicable to the Service.

MC3’s ISMP is designed to:

• Protect the integrity, availability, and prevent the unauthorized disclosure by MC3 or its agents, of Customer Data in MC3’s possession or control;

• Protect against any anticipated threats or hazards to the integrity, and availability, and prevention of unauthorized disclosure of Customer Data by MC3 or its agents;

• Protect against unauthorized access, use, alteration, or destruction of Customer Data;

• Protect against accidental loss or destruction of, or damage to, Customer Data; and

• Safeguard information as set forth in any local, state or federal regulations by which MC3 may be regulated.

 1. Security Standards

MC3’s ISMP includes adherence to and regular testing of the key controls, systems and procedures of its ISMP to validate that they are properly implemented and effective in addressing the threats and risks identified. Such testing may include:

a) Internal risk assessments;

b) NIST guidance; and

c) SOC2 Type II (or successor standard) audits annually performed by accredited third-party auditors (“Audit Report”).

 2. Security Audit Report. 

MC3 provides its customers, upon their request, with a copy of MC3’s then-current Audit Report, including information as to whether the Security Audit revealed any material findings in the Service; and if so, the nature of each finding discovered.

 3. Assigned Security Responsibility. 

MC3 assigns responsibility for the development, implementation, and maintenance of its Information Security Management Program, including:

a) Designating a security official with overall responsibility; and

b) Defining security roles and responsibilities for individuals with security responsibilities.

 4. Relationship with Sub-processors. 

MC3 conducts reasonable due diligence and security assessments of subprocessors engaged by MC3 in the storing and/or processing of Customer Data (“Sub-processors”), and enters into agreements with Sub-processors that contain provisions similar or more stringent than those provided for in this security and privacy documentation.

 5. Background Check. 

MC3 performs background checks on any employees who are to perform material aspects of the Service or have access to Customer Data.

 6. Security Policy, Confidentiality. 

MC3 requires all personnel to acknowledge in writing, at the time of hire, that they will comply with the ISMP and protect all Customer Data at all times.

 7. Privacy & Security Awareness and Training. 

MC3 has annual, mandatory privacy awareness and training programs for all MC3 personnel that address their obligations related to the processing of personal data that is contained within Customer Data. MC3 has annual, mandatory security awareness and training programs for all MC3 personnel that address their implementation of and compliance with the ISMP.

 8. Disciplinary Policy and Process. 

MC3 maintains a disciplinary policy and process in the event MC3 personnel violate the ISMP.

 9. Access Controls. 

MC3 has in place policies, procedures, and logical controls that are designed:

a) To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;

b) To prevent personnel and others who should not have access from obtaining access; and

c) To remove access in a timely basis in the event of a change in job responsibilities or job status.

 MC3 institutes:

a. Controls to ensure that only those MC3 personnel with an actual need-to-know will have access to any Customer Data;

b. Controls to ensure that all MC3 personnel who are granted access to any Customer Data are based on least-privilege principles;

c. Controls to require that user identifiers (User IDs) shall be unique and readily identify MC3 person to whom it is assigned, and no shared or group User IDs shall be used for MC3 personnel access to any Customer Data;

d. Password and other strong authentication controls that are made available to MC3 customers, so that customers can configure the Service to be in compliance with NIST guidance addressing locking out, uniqueness, reset, expiration, termination after a period of inactivity, password reuse limitations, length, expiration, and the number of invalid login requests before locking out a user;

e. Periodic (no less than quarterly) access reviews to ensure that only those MC3 personnel with access to Customer Data still require it.

 10. Physical and Environmental Security. 

MC3 maintains controls that provide reasonable assurance that access to physical servers at the production data center is limited to properly-authorized individuals and that environmental controls are established to detect, prevent, and control destruction due to environmental extremes. 

These controls include:

a) Logging and monitoring of unauthorized access attempts to the data center by the data center security personnel;

b) Camera surveillance systems at critical internal and external entry points to the data center;

c) Systems that monitor and control the air temperature and humidity at appropriate levels for the computing equipment; and

d) Uninterruptible Power Supply (UPS) modules and backup generators that provide back-up power in the event of an electrical failure.

 11. Data Encryption.

a) Encryption of Transmitted Data: MC3 uses Internet-industry-standard secure encryption methods designed to encrypt communications between its server(s) and the customer browser(s), and between its servers and customer’s server(s).

b) Encryption of At-Rest Data: MC3 uses Internet-industry standard secure encryption methods designed to protect stored Customer Data at rest. Such information is stored on server(s) that are not accessible from the Internet.

c) Encryption of Backups: All offsite backups are encrypted. MC3 uses disk storage that is encrypted at rest.

 12. Disaster Recovery. 

MC3 maintains policies and procedures for responding to an emergency or a force majeure event that could damage Customer Data or production systems that contain Customer Data. Such procedures include:

a) Data Backups: A policy for performing periodic backups of production file systems and databases to meet the Recovery Point Objective described below;

b) Disaster Recovery: A formal disaster recovery plan for the production environment designed to minimize disruption to the Service, which includes requirements for the disaster plan to be tested on a regular basis.

c) RPO / RTO: Recovery Point Objective is no more than 1 hour and Recovery Time Objective is no more than 24 hours;

d) Business Continuity Plan: A formal process to address the framework by which an unplanned event might be managed in order to minimize the loss of vital resources.

 13. Secure Development Practices. 

MC3 adheres to the following development controls:

a) Development Policies: MC3 follows secure application development policies, procedures, and standards

that are aligned to industry-standard practices and security controls;

b) Training: MC3 provides employees responsible for secure application design, development, configuration, testing, and deployment appropriate (based on role) training by the security team regarding MC3’s secure application development practices.

 14. Malware Control. 

MC3 employs then-current industry-standard measures to test the Service to detect and remediate viruses, Trojan horses, worms, logic bombs, or other harmful code or programs designed to negatively impact the operation or performance of the Service.

 15. Data Integrity and Management. 

MC3 maintains policies that ensure the following:

a) Segregation of Data: The Service includes logical controls, including encryption, to segregate each customer’s Customer Data from that of other customers; and

b) Back Up/Archival: MC3 performs full backups of the database(s) containing Customer Data no less than once per day and archival storage on no less than a weekly basis on secure server(s) or on other commercially acceptable secure media.

 16. Vulnerability Management. 

MC3 maintains security measures to monitor the network and production systems, including error logs on servers, disks and security events for any potential problems. Such measures include:

a) Infrastructure Scans: MC3 performs quarterly vulnerability scans on all infrastructure components of its production and development environment. Vulnerabilities are remediated on a risk basis. MC3 installs all medium, high, and critical security patches for all components in its production and development environment as soon as commercially possible;

b) Application Scans: MC3 performs quarterly (as well as after making any major feature change or architectural modification to the Service) application vulnerability scans. Vulnerabilities are remediated on a risk basis. MC3 installs all medium, high, and critical security patches for all components in its production and development environment as soon as commercially possible;

c) External Application Vulnerability Assessment: MC3 engages third parties to perform network vulnerability assessments and penetration testing on an annual basis (“Vulnerability Assessment”). Reports from MC3’s then-current Vulnerability Assessment, together with any applicable remediation plans, will be made available to customers on written request. Vulnerabilities are remediated on a risk basis. MC3 installs all medium, high, and critical security patches for all components in its production and development environment as soon as commercially possible.

 17. Change and Configuration Management. 

MC3 maintains policies and procedures for managing changes to production systems, applications, and databases. Such policies and procedures include:

a) A process for documenting, testing and approving the promotion of changes into production;

b) A security patching process that requires patching systems in a timely manner based on a risk analysis; and

c) A process for MC3 to perform security assessments of changes into production.

18. Secure Deletion. 

MC3 maintains policies and procedures regarding the deletion of Customer Data in compliance with applicable NIST guidance and data protection laws, taking into account available technology so that Customer Data cannot be practicably read or reconstructed. Customer Data is deleted using secure deletion methods including digital shredding of encryption keys and hardware destruction in accordance with NIST SP800-88 guidelines.

19. Intrusion Detection & Performance Assurance. 

MC3 monitors the Service generally for unauthorized intrusions using traffic and activity-based monitoring systems, and may analyze and share data, such as data collected by users’ web browsers (for example, device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) and authentication event data (collectively, “Threat Information”) for security purposes, including to detect compromised browsers and to help customers detect fraudulent authentications, and to ensure that the Service functions properly. For clarity, Threat Information: (1) is only shared if it is derived from evidenced unauthorized attempt(s) to access and/or use the Service; and (2) does not constitute Customer Data.

20. Incident Management. 

MC3 has in place a security incident response plan that includes procedures to be followed in the event of any unauthorized disclosure of Customer Data by MC3 or its agents of which MC3 becomes aware to the extent permitted by law (such unauthorized disclosure defined herein as a “Security Breach”). 

The procedures in MC3’s security incident response plan include:

a) Roles and responsibilities: formation of an internal incident response team with a response leader;

b) Investigation: assessing the risk the incident poses and determining who may be affected;

c) Communication: internal reporting as well as a notification process in the event of a Security Breach;

d) Recordkeeping: keeping a record of what was done and by whom to help in subsequent analyses; and

e) Audit: conducting and documenting a root cause analysis and remediation plan.

MC3 typically notifies customers of significant system incidents by email to the listed admin contact, and for availability incidents lasting more than one hour, may invite impacted customers to join a conference call about the incident and MC3’s response. 

21. Security Breach Management.

a) Notification: In the event of a Security Breach, MC3 notifies impacted customers of such Security Breach.

MC3 cooperates with an impacted customer’s reasonable request for information regarding such Security Breach, and MC3 provides regular updates on any such Security Breach and the investigative action and corrective action(s) taken.

b) Remediation: In the event of a Security Breach, MC3, at its own expense, (i) investigates the actual or suspected Security Breach, (ii) provides any affected customer with a remediation plan, to address the Security Breach and to mitigate the incident and reasonably prevent any further incidents, (iii) remediates the effects of the Security Breach in accordance with such remediation plan, and (iv) reasonably cooperates with any affected customer and any law enforcement or regulatory official investigating such Security Breach.

22. Logs. 

MC3 provides procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports. MC3 (i) backs-up logs on a daily basis, (ii) implements commercially reasonable measures to protect such logs from unauthorized modification or erasure, and (iii) retains such logs in compliance with MC3’s data retention policy. If there is suspicion of inappropriate access to the hosted Service, MC3 has the ability to provide customers log entry records to assist in forensic analysis. This service will be provided to customers on a time and materials basis.

23. Communications with Administrators. 

Separate from and as a complement to the Service, we may also communicate with MC3 administrator users (“Admins”), from time to time, including to send announcements and details about our products, services, or other relevant information that Admins’ organizations may find useful. Admins who do not want to receive such communications on behalf of their organizations may update their communications preferences by visiting our subscription center, which is available through their admin panel.