Security Overview
MikMak strives to provide a frictionless experience for consumers and brands, including secure collection, handling, and storage of data for everyone who interacts with or accesses our solutions. Over 1,500 brands from around the world trust MikMak. Our solutions are built with brand and consumer privacy and security concerns in mind, helping us future-proof our business as changes and policies evolve.
Privacy & Security
Our Commitment
We are committed to providing a secure service that protects the data of our brand partners and their consumers.
We are committed to maintaining robust security standards at all times. As the industry evolves, our security practices continue to advance, reflecting our commitment to building and maintaining industry-leading security principles and practices. We approach our security, much like the rest of our business, with a forward-thinking mindset to ensure uninterrupted access to our solutions and the security of brand partners and their consumers.
Security Overview
At MikMak, we take measures to secure our applications and data. Read below to learn more about how we approach security within the MikMak Platform.
The MikMak Platform is hosted on Amazon Web Services (AWS), renowned for its reliable and industry-leading cloud infrastructure. MikMak leverages a range of secure and high availability services within the AWS ecosystem. This ensures critical components of the MikMak Platform are deployed with redundancy and robust security measures to maintain security, reliability, and availability.
Frequently Asked Questions
Does MikMak collect Personally Identifiable Information (PII)?
No consumer PII (names, account information, phone numbers, home addresses, or email addresses of the end users of the commerce experience) is processed or stored as part of MikMak's "where to buy" experience.
MikMak temporarily processes consumer IP addresses to enhance the shopping experience: the address is used for approximate geolocation to display relevant retailers, for performance analysis, and to strengthen security (for example, abuse detection). The IP address is anonymized and encrypted, and it is not written to any persistent storage.
Depending on the service used, a session ID tracker is set on the host domain. It is cleared automatically at the end of the browser session and is never shared with the Customer.
If a consumer allows their browser to share location, MikMak temporarily processes that information to display relevant retailers for the shopper's location. The location is not associated with a session ID or ClickID and is not kept in MikMak's persistent storage.
None of the above data is shared with the Customer.
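The following is an added illustration of one common way to use a client IP address transiently, as the answer above describes: the raw address is reduced to a network prefix for approximate geolocation and to a keyed, day-scoped pseudonym for abuse detection, and the raw value itself is never stored. This is example code, not MikMak's implementation; the prefix lengths, the HMAC key, and the geolocation lookup table are constructed assumptions.

```python
"""Added example (not MikMak's code): transient handling of a client IP.

The raw address is turned into two derived values and then dropped:
  - a coarse network prefix (IPv4 /24, IPv6 /48) good enough for
    approximate geolocation but not for identifying a single host;
  - a keyed pseudonym scoped to one calendar day, usable by a rate
    limiter but not reversible and not linkable across days.
Prefix lengths, key and lookup table are assumptions for illustration.
"""
import hashlib
import hmac
import ipaddress

IPV4_PREFIX = 24  # keep first three octets, zero the host octet
IPV6_PREFIX = 48  # keep the routing prefix only


def anonymize_ip(raw: str) -> str:
    """Truncate an IPv4 or IPv6 address to its network prefix."""
    addr = ipaddress.ip_address(raw)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def ip_pseudonym(raw: str, key: bytes, day: str) -> str:
    """HMAC-SHA256 of (day, address) under a secret key.

    Two requests from the same address on the same day map to the same
    value, so repeats can be counted; without the key the value cannot be
    turned back into an address, and a different day gives an unrelated
    value, so nothing accumulates across days.
    """
    digest = hmac.new(key, f"{day}|{raw}".encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


# Constructed stand-in for a geolocation database keyed by network prefix.
GEO_TABLE = {
    "203.0.113.0": "US-NY",
    "2001:db8:abcd::": "CA-ON",
}


def handle_request(raw_ip: str, key: bytes, day: str) -> dict:
    """Derive what the request needs from the IP, then let the IP go."""
    coarse = anonymize_ip(raw_ip)
    record = {
        "region": GEO_TABLE.get(coarse, "unknown"),
        "abuse_key": ip_pseudonym(raw_ip, key, day),
    }
    # Only `record` leaves this function. The raw address is a local that
    # goes out of scope here and is never written to storage or logs.
    return record


if __name__ == "__main__":
    demo_key = b"\x00" * 32  # assumption: in practice a rotated secret
    print(handle_request("203.0.113.77", demo_key, "2024-01-01"))
```

A practitioner reviewing a claim like "anonymized and not persisted" would look for exactly this shape: the raw value is consumed inside one request handler, only derived values are retained, and any pseudonym is keyed and time-bounded rather than a bare hash, since an unkeyed hash of the IPv4 space is trivially brute-forced.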
How does MikMak obtain user consent/permission for shopper behavior tracking or sales transactions? And how does MikMak remain compliant with evolving and expanding regulations such as PIPEDA (Canada), CPRA/CCPA (select US states), and GDPR (EU)?
MikMak uses an industry-leading consent management solution. It is loaded on all MikMak commerce-for-media experiences and is configured to adhere to the regulations of each jurisdiction. When MikMak is integrated onto a brand website, user consent/permission management is handled by the Customer's existing consent management provider.
Do you conduct vulnerability assessments and penetration tests?
MikMak routinely conducts vulnerability assessments and penetration tests, including but not limited to:
- Regular manual code reviews, unit tests, and integration tests (covering the OWASP Top 10) to detect potential security defects in code prior to release;
- Regular penetration tests, including open port scanning, SQL injection, code injection, and cross-site request forgery (CSRF, also written XSRF) attacks; and
- Vulnerability scans at the application, network, and operating system layers.
Do you perform technical monitoring (patch management) of the solution? If so, how?
System vulnerabilities and patches are proactively managed, application vulnerabilities are continuously monitored and addressed, and open server ports are scanned regularly, at least monthly.
Does MikMak have systems/policies in place to prevent DDoS attacks?
Yes. MikMak applications are protected against DDoS attacks that would otherwise result in downtime.
What is the process for notifying the authorities and individuals in the case of a data breach?
MikMak shall notify the Customer without undue delay of any breach of PII. MikMak will provide commercially reasonable cooperation and assistance in identifying the cause of such an incident and will take commercially reasonable steps to remedy the cause to the extent that the remedy is within MikMak’s control.
Does MikMak have a current SOC 2 report?
MikMak is currently working on a SOC 2 assessment and report.
Does MikMak have plans to obtain additional security certifications beyond a SOC 2 report?
MikMak is currently working on ISO 27001 certification.
Any additional security certifications or information?
AWS, on which MikMak is hosted, holds certifications for compliance with:
- ISO/IEC 27001:2013
- ISO/IEC 27017:2015
- ISO/IEC 27018:2019
- ISO/IEC 27701:2019
- ISO 22301:2019
- ISO 9001:2015
- CSA STAR CCM v3.0.1
Under the AWS shared responsibility model these certifications cover the underlying cloud infrastructure; they do not attest to the controls MikMak itself operates on top of it, which is what the SOC 2 and ISO 27001 efforts above are intended to cover.
Is the solution resilient? If so, how?
Backup and resilience are built on best practices and the use of highly reliable, fault-tolerant AWS cloud infrastructure, including networking, content delivery, databases, and computing services.
How do you ensure availability? Do you have an emergency plan?
Critical components of the MikMak Platform are deployed with redundancy and robust security measures to ensure high security, reliability, and availability. In the event of an emergency or a major AWS region-related outage, MikMak follows a Disaster Recovery Plan (DRP).
If you are an existing Customer, please reference the last section of this FAQ to obtain additional information related to DRP and Recovery Time Objective (RTO).
Does MikMak provide backup and disaster recovery (DR) services?
Backup and resilience rely on highly reliable, fault-tolerant AWS cloud infrastructure (including networking, content delivery network, database, and computing services).
If you are an existing Customer please reference the last section of this FAQ to obtain additional information related to Recovery Point Objective (RPO) and other details related to backup and recovery.
Is AES 128-bit encryption or better being used for data at rest or in transit?
Yes. AES-256 or stronger is used, in line with industry standards.
If you are an existing Customer and need additional details, please reference the last section of this FAQ.
How do you ensure data encryption during storage and transport? Which standards?
All data in transit is protected with Transport Layer Security (TLS). All business-critical data is encrypted at rest.
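A Customer evaluating the "TLS in transit, AES-128 or better" answer above will usually want to verify it against the live endpoint rather than take it on trust. The following is an added example of such a check, not MikMak's code: it connects to a host, reads the negotiated protocol and cipher suite, and grades them against a policy of TLS 1.2+ with an AEAD cipher and at least a 128-bit key. The hostname and the policy thresholds are assumptions; substitute the endpoint you were given.

```python
"""Added example (not MikMak's code): grade a server's negotiated TLS
parameters against an "AES-128 or better over TLS 1.2+" policy.

evaluate_handshake() is pure and can be exercised offline; check_endpoint()
performs the live connection. Thresholds and the default host are assumptions.
"""
import socket
import ssl
import sys

ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
MIN_KEY_BITS = 128
# Cipher-suite name fragments that indicate an AEAD construction.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def evaluate_handshake(protocol: str, cipher_name: str, key_bits: int) -> dict:
    """Return {'ok': bool, 'issues': [...]} for one negotiated handshake."""
    issues = []
    if protocol not in ACCEPTED_PROTOCOLS:
        issues.append(f"legacy protocol negotiated: {protocol}")
    if "AES" not in cipher_name and "CHACHA20" not in cipher_name:
        issues.append(f"cipher is neither AES nor ChaCha20: {cipher_name}")
    if key_bits < MIN_KEY_BITS:
        issues.append(f"{key_bits}-bit key is below {MIN_KEY_BITS} bits")
    if not any(marker in cipher_name for marker in AEAD_MARKERS):
        issues.append(f"non-AEAD cipher suite (e.g. CBC mode): {cipher_name}")
    return {"ok": not issues, "issues": issues}


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with a verifying client context and grade the result.

    The context refuses anything below TLS 1.2, so a server that only
    speaks older protocols fails the handshake, which is itself a finding
    and is reported as such instead of raising.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cipher_name, _, key_bits = tls.cipher()
                result = evaluate_handshake(tls.version(), cipher_name, key_bits)
                result.update(protocol=tls.version(), cipher=cipher_name,
                              key_bits=key_bits)
                return result
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "issues": [f"handshake failed: {exc}"]}


if __name__ == "__main__":
    # Assumed placeholder host; pass the real endpoint on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    verdict = check_endpoint(target)
    print(target, "PASS" if verdict["ok"] else "FAIL")
    for issue in verdict.get("issues", []):
        print("  -", issue)
    sys.exit(0 if verdict["ok"] else 1)
```

Because the default context already enforces certificate verification and hostname matching, a passing result also confirms that the certificate chains to a trusted root; a self-signed or mismatched certificate shows up as a failed handshake. Note that this checks the encryption in transit claim only; the at-rest claim cannot be verified from outside and has to come from the vendor's SOC 2 or ISO 27001 evidence.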
Do you have an accessible API? If so, what kind? Please provide other relevant API information here too.
MikMak currently provides access to two APIs:
- Insights API - used for retrieving reporting data; and
- Commerce API - used to retrieve retailer availability for self-hosted experiences.
If you are an existing Customer and need additional details including the technical documentation, please reference the last section of this FAQ.
What is MikMak’s commitment to accessibility?
MikMak is committed to making our "where to buy" experience templates accessible to a broad range of individuals, including those with visual and auditory impairments. We are continually working to ensure our templates are usable and accessible, and in doing so adhere to the Web Content Accessibility Guidelines 2.1 Level AA (WCAG 2.1 AA). If you have any questions or concerns about the accessibility of the MikMak templates, please reach out to your MikMak Account Manager. Please note that if you customize any of the "where to buy" experience templates (or request that we customize them for you), they may no longer meet WCAG 2.1 AA, and MikMak is not responsible for ensuring their accessibility and usability.