Proactive Security Disclosure

Motive Approach 

All client data and IP should be treated with the utmost care. Motive.io partners with industry leaders to create solutions.

We strive to be a great partner for anyone who chooses to work with us and therefore every employee must take handling this information very seriously.

Information security management systems

To safeguard our clients’ confidential information, we implement important security techniques.

Data Hosting 

  • All data hosted on AWS
  • AWS offers world class security 
  • Run on isolated AWS regions
  • Comprehensive test plan including security validation and payload inspection
  • Private cloud and on premises hosting is available

Secure coding practices through:

  • Version control and code review
  • Security training and awareness
  • Comprehensive test plan including security validation and payload inspection

Data protection through:

  • End to end encryption for personal data

Secure Systems:

  • End to end encryption for personal data
  • Regular in-house and third-party security audits of both mobile and web products

PRIVACY POLICY

Available from: https://www.motive.io/privacy-policy/

EULA 

Available from: https://www.motive.io/eula/

ARCHITECTURE

Motive services run in private EC2 instances behind best-in-class AWS load balancers. All internal traffic within a Motive cluster runs through private VPC connections. All service instances are configured in accordance with AWS best practices.

ENCRYPTION OF DATA POLICY

Never “roll your own” encryption. Select an implementation that is industry vetted and has been used in many production environments.

  • Motive.io requires that all sensitive data be encrypted when stored and in transit. This means that a modern secure connection (HTTPS) must be used throughout all web applications. Critical client data should never be sent to a client.
  • Motive.io will never “roll our own” encryption unless there is a very specific reason to do so and it has been discussed with the client that requires it. A written agreement must be in place before doing so.
  • Any libraries that are used for encryption must be documented and shown to be using industry best practices. They should be carefully vetted before use.

Data in Transit:

  • Data in transit is any data being transferred between systems, locations, applications, or, more generally, entities. We require that data be encrypted when it is in transit.

Data at Rest:

  • All client data must be encrypted at rest. This includes both client data and Motive.io data.
  • All computers used by employees must have full disk encryption.
  • Any mobile device must also have full encryption enabled.

PASSWORDS & CREDENTIALS MANAGEMENT

All credentials that our clients share with us are stored and managed securely through centralized access rights and recording of access by employees.

HOSTING LOCATION

We host with our 3rd party provider Amazon Web Services (AWS) in the US and Canada. Other hosting locations and solutions are available for additional cost.

SERVER INFRASTRUCTURE AND SERVICE AVAILABILITY

Our server infrastructure has a:

  • 99.95% availability guarantee (calculated monthly) in our standard shared hosting plan
  • 99.99% (calculated yearly) as part of our private cloud hosting options

All data storage is backed up daily and backups are stored for 7 days.

SECURITY INCIDENT RESPONSE

We treat all security incidents with a high level of attention and in a similar manner to critical infrastructure and availability incidents for which our SLA dictates our mean time to action.

Our typical process for handling a security incident follows:

| Severity Level | Definition | Target Response Time | Resolution Target |
|---|---|---|---|
| Level 1 | A critical issue with very high impact: any element of the Services is down for all users; confidentiality or privacy is breached; significant data loss; issues that result in a scheduled training event being cancelled | 1 hour | Continuous effort during business days |
| Level 2 | A major incident with significant impact: any element of the Services is down for the majority of users; Services core functionality is significantly impacted | 4 hours | Continuous effort during business days |
| Level 3 | A minor incident with low impact: a minor inconvenience with a workaround available; usable performance degradation | 1 business day | Added to the product roadmap and addressed based on priorities |

Incident Response Hours: 

  • Level 1: 24/7
  • Level 2 & 3: During Business Hours

SOC 2 COMPLIANCE

Our hosting provider AWS is SOC 2 compliant. Motive is SOC 2 Type II compliant.

Organization/Personnel

Motive has a dedicated security team to ensure the safety of all client data. All employees are trained on our security policies upon hiring. For employees that have access, annual policy reviews are completed. All data access is logged.