I. Product Security
Messente Dashboard supports optional two-factor authentication (2FA, implemented with the Messente Verification API) for customers who want to add an additional access control. Messente also supports strong cryptography (SHA-256 with RSA encryption) for communication over public networks, so that your Messente Dashboard password, API username/password, and the contents of your communications are protected.
Messente uses firewalls and logical access control to protect our servers from unauthorized system access. Only trusted operations personnel may manage our systems, and they are required to apply the necessary security measures when accessing and handling data.
Unencrypted protocols are supported on the customer side in response to customer demand, but we strongly encourage customers to use secure protocols such as HTTPS (TLS 1.2/1.3).
Messente’s servers are hosted in secure data centers in Germany (Europe), whose protection practices conform to the Federal Data Protection Act (BDSG) as well as the German Teleservices Act (TMG). The data center and its information security management system (ISMS) are certified in accordance with DIN ISO/IEC 27001. We strive to only work with partners that are GDPR compliant and have agreements in place to ensure that they adhere to the applicable data protection regulations.
Messente follows industry-standard development practices including, but not limited to, automated tests, code reviews, a defined deployment process, and CI. We also pay close attention to security, in particular whenever vulnerabilities are discovered in any of the tools or operating systems we use, and we regularly upgrade all third-party libraries used in our software so that the latest security patches are applied.
Messente logs essential user actions within the platform (updating accounting details, credit setup, login, logout, user invitations, etc.). Some of these audit logs are retained permanently, while others are deleted after one week, depending on the nature of the log.
Messente follows secure development standards and procedures, and ensures data security together with our partners and through active vulnerability testing.
We follow industry-standard security practices throughout the development and customer care processes.
Messente has direct relationships with telecommunications carriers and service providers. Some of our partners' "last mile" connections might be unencrypted due to the nature of the underlying SMS protocols; we choose secured communication with carriers whenever it is available. Messente also has rate limiting in place on API calls to prevent brute force attacks. Password complexity requirements are enforced for the API username and password and for the Messente Dashboard password. Our partner agreements include Data Processing Agreements that set minimum security provisions and auditing rights.
Messente has a disaster recovery and continuity plan designed to ensure the delivery of services at all times. Our uptime commitment is detailed in the SLA.
Messente maintains a documented incident response process that includes procedures for detecting, containing, and mitigating security incidents (see annex).
Whenever there is a security incident, Messente determines the extent of the issue, which data was exposed, and which customers were affected.
Cloud computing: Messente uses Hetzner Online GmbH, which is based in Germany and Finland. It is used for internal logs, query logs and details, API request details and logs, and hosting services.
- Physical security: secure location, security cameras, locked and secured server rooms, security guards on premises 24/7.
- System security: anonymization, access limited to required personnel only, mandated VPN and 2FA, adherence to the latest good security practices.
- A signed DPA with the partner confirms compliance.
II. Compliance
Compliance entails service continuity and reliability: uptime, real-time monitoring, and alerting.
Data Privacy
- GDPR Compliance
Messente follows a “minimal processing methodology” in our work, where we limit the amount and duration of all data processing to the minimum needed to provide our services to customers. Customers are welcome to ask for custom retention periods and limits to further enhance their own compliance. Learn more: Data Handling Policy
- Operational Resilience
Business Continuity
Messente has identified the most essential aspects of our business and developed our own plan for dealing with unexpected circumstances. We have used the “Analyse, Design, Implement, and Test” method to keep our business integrity intact and remain able to provide services globally. This includes backups in multiple, geographically varied locations for all key functions, remote readiness, handover and retraining plans, and more, ensuring that our people, processes, premises and providers are covered by redundancies. Learn more: Transfer Impact Assessment
Whenever Messente (or its sub-processors) processes personal data in countries other than the country in which Messente is established, Messente will ensure an adequate level of protection for personal data by means of organizational, technical, and contractual measures as is required by Data Protection Legislation and our Data Protection Agreements. We follow the GDPR data processing rules outside of the EEA and use the highest relevant standards where possible.
- Disaster Recovery
The purpose of our DR Plan is to inventory all of the IT infrastructure, capture all of the information relevant to the organization’s ability to recover its IT from a disaster and document the steps that the organization will follow in the event that a disaster occurs.
Messente's top priority will be to enact the steps outlined in this DR Plan to bring all of the organization’s groups and departments back to business as usual as quickly as possible. This includes:
- Preventing the loss of the organization’s resources, such as hardware, data and physical IT assets
- Minimizing downtime related to IT
- Keeping the business running in the event of a disaster
The DR Plan will also detail how this document will be maintained and tested.
SLA
- Continuous Monitoring
Messente’s Continuous Monitoring program has processes for managing incidents and for designing proactive capabilities for the platform. Our aim is to ensure maximum continuity in delivering the services Messente provides and to ensure that all issues are detected and addressed as quickly as possible, with minimal to no harm to customers. Automation, failover, redundancy and backups underpin the reliability of the system.
- Alerting
status.messente.com: to keep our customers up to date on all issues, outages or operator downtime, we update our status page regularly, giving customers direct feedback on how the platform is performing and whether any circumstances could prevent optimal service delivery.
We commit to an uptime of 99.8% to ensure our customers' needs are covered and all critical communication is delivered in a timely manner.
- Risk Management
Vendor Assessment: to ensure our partner network meets the standards of our customers, we analyse each partner's processes and sign bilateral agreements that set the standards for service delivery quality, the SLAs, the data processing capabilities, and the safeguards needed to ensure compliance with our customers' needs. We retain the right to audit any and all of our partners to ensure that the standards set in our agreements are kept. We monitor and proactively test the quality of our partners' delivery and processing capabilities to ensure compliance.