Security & Compliance
mxHero Committed to Your Trust
mxHero, Inc. is committed to establishing and maintaining a robust operational environment that meets and exceeds the security, availability, confidentiality, and privacy commitments made to our customers. mxHero maintains several security, risk, and compliance initiatives and has an ongoing commitment to continuously extend its security and privacy credentials.
mxHERO engages in ongoing audits to maintain SOC2 compliance. Current audits for FY22 have been concluded, with the evaluation period slated for completion in July 2022.
An attestation of the certification process can be found here.
mxHERO services a majority of its clients (13,000+ domains, 1M+ active users) through its Amazon AWS service cluster. This cluster is managed by a select team of highly qualified personnel with decades of enterprise and telco operational experience.
mxHERO’s service is topologically equivalent to a network router. mxHERO is not designed to retain data. The service acts as a gateway where email is temporarily processed for integration with cloud storage systems. Like a router, mxHERO’s services possess very little internal storage, only a sufficient amount to process email in transit. Once processed, mxHERO deletes local temporary copies to allow the system to continue processing inbound messages. mxHERO’s systems are not designed to hold messages for longer than needed for the express purpose of processing. Processing normally takes less than 30 seconds to occur. As an additional precaution, all temporary storage used for processing utilizes encrypted file systems ensuring that data is encrypted at rest at all times.
mxHERO services are continuously monitored by internal and external monitoring agents. Continuous, automated monitoring and self-correction enable both high service level availability (above 99.9% per month) and proactive defensive measures ensuring maximum security 24x7. mxHERO employs multiple, overlapping monitoring systems to guarantee redundant oversight.
mxHERO's systems are continuously scanned by Acunetix. Acunetix Vulnerability Scanner automatically crawls and scans off-the-shelf and custom-built websites and web applications for SQL Injection, XSS, XXE, SSRF, Host Header Attacks & over 3000 other web vulnerabilities.
mxHERO utilizes StatusPage.io to provide its customers continuous and informative status indicators of service. Customers can access the on-demand status indicator by visiting http://status.mxhero.com/. Although mxHERO rarely suffers incidents, StatusPage is part of mxHERO's belief that trust is built on maximum communication and transparency with its partners and customers.
Zabbix is enterprise-level software designed for real-time monitoring of millions of metrics collected from tens of thousands of servers, virtual machines and network devices. Zabbix is deployed across mxHERO's systems and provides an additional level of monitoring.
Datadog is a SaaS-based monitoring and analytics platform for IT infrastructure, operations and development teams. It brings together data from servers, databases, applications, tools and services to present a unified view of the applications that run at scale in the cloud. mxHERO leverages Datadog to provide continuous and advanced monitoring of all its systems.
Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications like mxHERO that run on AWS. mxHERO uses Amazon CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in AWS resources. mxHERO uses Amazon CloudWatch to gain system-wide visibility into resource utilization, application performance, and operational health. mxHERO uses these insights to react and keep its applications running smoothly.
Detectify performs automated security tests on web applications and databases and scans assets for vulnerabilities including OWASP Top 10, CORS, Amazon S3 Bucket and DNS misconfigurations. 200+ handpicked ethical hackers contribute security findings that are built into our scanner as automated tests. Submissions go beyond the known CVE libraries that are not a sufficient test bed for modern application security.
Intrusion Detection Systems
mxHERO uses Intrusion Detection Systems (IDS). An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is reported to an administrator and collected centrally.
Skyhigh Networks performs objective and thorough evaluations of the enterprise-readiness of cloud services based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust™ Ratings, which fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
CSA STAR is the industry’s most powerful program for security assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing, harmonization of standards, with continuous monitoring also available in late 2015. STAR certification provides multiple benefits, including indications of best practices and validation of security posture of cloud offerings.
EU-US and Swiss-US Privacy Shield
The EU-US and Swiss-US Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. The EU-US and Swiss-US Privacy Shield is a replacement for the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015. mxHERO has certified that it adheres to the EU-US Privacy Shield.
Better Business Bureau
The Council of Better Business Bureaus (CBBB) is the network hub for BBBs in the US and Canada. Like BBBs, CBBB is dedicated to fostering honest and responsive relationships between businesses and consumers -- instilling consumer confidence and advancing a trustworthy marketplace for all. mxHERO has registered and complied with the BBB's accreditation standards, which include a commitment to make a good faith effort to resolve any consumer complaints. BBB Accredited Businesses pay a fee for accreditation review/monitoring and for support of BBB services to the public.
The primary goal of the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996 is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information as it moves through the healthcare system, and help the healthcare industry control administrative costs. mxHERO does not store electronic protected health information (ePHI), but has mapped its control framework to HIPAA security requirements to validate that we are able to comply with HIPAA if the need arises. mxHERO signs Business Associate Agreements upon request.
The Family Educational Rights and Privacy Act of 1974 (FERPA) protects the privacy of student education records by giving parents or eligible students access to their child’s education records, an opportunity to seek to have the records amended, and some control over the disclosure of information from the records. mxHERO does not store education records, but does provide a platform used by educational institutions through which these types of records may be routed, which is considered “directory” information. Therefore, mxHERO maintains a comprehensive security and privacy program that supports FERPA’s objective.
Awards, Recognitions & Approvals
ASTORS Homeland Security Award for Email Security
The Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program highlighting the most cutting-edge and forward-thinking security solutions coming onto the market today, to ensure decision makers have the information they need to stay ahead of the competition, and keep our Nation safe – one facility, street, and city at a time.
In partnership with Canon USA, mxHERO wins the prestigious ASTORS for the category "Best Email Security Solution" - 2019, 2020 & 2021
Google Apps for Business
mxHERO has been an approved Google for Business and Education application provider since 2012. With more than 10 applications published to the Google Apps Marketplace over the years, mxHERO has consistently met Google's evolving security requirements for publication to its application portal.
The Microsoft Azure™ Marketplace is an online market for buying and selling finished Software as a Service (SaaS) applications and premium datasets. The Microsoft Azure Marketplace helps connect companies seeking innovative cloud-based solutions with partners who have developed solutions that are ready to use.
Box Elite Partner
Leading cloud storage company Box has created an Elite Tier program for select partner companies. This invite-only program allows Box to partner closely with these companies in a way that will deliver a best-in-class experience for joint customers.
mxHERO is proud to have been selected Box Elite Partner of the Year 2016