Security Overview
MikMak strives to provide a frictionless experience for consumers and brands, including secure collection, handling, and storage of data for everyone who interacts with or accesses our solutions. As our industry evolves, MikMak has remained at the forefront of building solutions that meet and exceed the requirements of consumer privacy legislation and regulations such as GDPR, CPRA, and CCM.
Our Commitment
We are committed to providing a secure service that protects the data of our brand partners and their consumers.
Security Overview
At MikMak, we take every reasonable measure to secure our applications and data. Read below to learn how we approach security within the MikMak Platform.
MikMak solutions are hosted on Amazon Web Services (AWS), a widely recognized and industry-leading cloud infrastructure vendor. Specifically, MikMak uses Amazon S3 together with AWS's multi-datacenter, high-availability services. This provides MikMak with 99.99999% durability, and critical infrastructure is replicated across different AWS availability zones and regions so that MikMak remains operational and available.
In addition to these availability advantages, AWS also provides the security infrastructure used by the MikMak Insights and MikMak Commerce solutions.
Frequently Asked Questions
Does MikMak process Personally Identifiable Information (PII)?
No PII such as names, account information, phone numbers, home addresses, or email addresses from end users is processed or stored as part of MikMak's "where to buy" experience.
MikMak temporarily processes end user IP addresses (which GDPR treats as personal data, hence the anonymization and non-retention described below) for the purposes of:
- Personalizing the MikMak shopping experience to display relevant retailers based on a shopper's approximate geolocation
- Analytics: performance by geolocation
- Security
The IP address is anonymized, encrypted, and never written to persistent storage.
MikMak also processes a session ID on the host domain (depending on the service used) and a random ClickID generated for each unique click on the shopping experience by a user (which may be associated with anonymized sales data for participating retailers) for analytics. The session ID is automatically cleared when the browser session ends.
If a user permits their browser to share their location, MikMak temporarily processes that information to display relevant retailers based on the shopper's location. This information is not associated with a session ID or ClickID and is not stored in MikMak's persistent storage.
None of the above data is shared with the Customer.
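The properties the answer above claims for IP addresses, session IDs and ClickIDs (coarsened for approximate geolocation, keyed-hashed so they cannot be reversed, never persisted, a session cookie that dies with the browser, an unguessable per-click ID) can be made concrete. The following is an added illustration of how such handling is typically implemented; it is not MikMak's code, and the /24 and /48 prefix lengths, the in-memory secret and the cookie attributes are assumptions chosen for the example.

```python
"""Illustrative IP anonymization and identifier handling (not MikMak's code).

Assumptions made for this example:
  * IPv4 addresses are coarsened to their /24 and IPv6 to their /48 before use,
    which still supports country/city-level geolocation;
  * the HMAC key exists only in process memory, so the hashed value cannot be
    recomputed offline from the small IPv4 space once the process is gone;
  * the session cookie carries no Expires/Max-Age, so the browser discards it
    when the session ends.
"""
import hashlib
import hmac
import ipaddress
import secrets

# Assumed: a per-process secret generated at start-up and never written to disk.
SESSION_SECRET = secrets.token_bytes(32)


def truncate_ip(ip: str) -> str:
    """Return the network address of the /24 (IPv4) or /48 (IPv6) containing ip.

    Raises ValueError for anything that is not a valid IP literal, so a
    malformed X-Forwarded-For value is rejected rather than hashed.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymize_ip(ip: str, key: bytes = SESSION_SECRET) -> str:
    """Keyed hash (HMAC-SHA256) of the truncated address.

    Two hosts in the same /24 map to the same token (good enough for
    per-region analytics); without the key the token cannot be inverted or
    brute-forced across the address space.
    """
    return hmac.new(key, truncate_ip(ip).encode("ascii"), hashlib.sha256).hexdigest()


def new_click_id() -> str:
    """Random ClickID with 128 bits of entropy (22 URL-safe characters)."""
    return secrets.token_urlsafe(16)


def session_cookie_header(session_id: str, name: str = "sid") -> str:
    """Set-Cookie value for a browser-session cookie.

    No Expires or Max-Age attribute, so the cookie is dropped when the browser
    session ends; Secure/HttpOnly/SameSite limit exposure over plaintext HTTP,
    to scripts, and to cross-site requests.
    """
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def handle_request(client_ip: str) -> dict:
    """Per-request view of what is derived and what is kept in memory only.

    Nothing here is written anywhere; the caller uses the values for the
    lifetime of the request and then discards them.
    """
    return {
        "geo_prefix": truncate_ip(client_ip),
        "ip_token": anonymize_ip(client_ip),
        "click_id": new_click_id(),
        "set_cookie": session_cookie_header(secrets.token_urlsafe(16)),
    }


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    for sample in ("203.0.113.77", "2001:db8:abcd:1234::1"):
        print(handle_request(sample))
```

The check a practitioner would run against any such implementation is the one encoded in the helper functions: the token for two addresses in the same coarsened prefix must match (otherwise the "anonymization" is just a lookup table), the token under a fresh key must differ (otherwise the key is not actually part of the derivation), and the cookie string must not carry an expiry.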
How does MikMak obtain user consent/permission for shopper behavior tracking or sales transactions? And how does MikMak remain compliant with ever-changing and expanding regulations like PIPEDA (Canada), CCPA/CPRA (select US states), and GDPR (EU)?
MikMak uses a third party, Ketch, to manage user consent. It is loaded on all of our commerce experiences in media and can be configured without engineering involvement to add jurisdictions and compliance regulations.
- Note: in states covered by the CPRA, the cookie preferences link in our footer reads "Your Privacy Choices", as that law requires; elsewhere it reads "Cookie Preferences".
- Note: for Commerce for Brand.com integrations, user consent/permission management is handled by the brand, using whatever consent management platform they use on their site.
Do you conduct vulnerability assessments and penetration tests?
MikMak routinely conducts vulnerability assessments and penetration tests including, but not limited to:
- Regular manual code reviews, unit tests, and integration tests of MikMak products and solutions (including checks for the OWASP Top 10) to detect potential security defects in code prior to release
- Regular penetration tests, including open port scans, SQL injection, code injection, and XSRF/CSRF attacks
- Vulnerability scans at the application, network, and operating system layers, performed with Amazon Inspector and Snyk
Do you perform technical monitoring (patch management) of the solution? If so, how?
System vulnerabilities and patches are managed with AWS Systems Manager. Application vulnerabilities are managed with Amazon Inspector and Snyk. Open server ports are scanned monthly.
Can clients request audits of MikMak’s security and handling of personal data?
Yes - through our ticketing and online support system available on the MikMak platform, clients can request an audit of MikMak’s procedures relating to the protection of Personal Data, but only as required by applicable data protection laws. The selection of the third-party auditor is subject to MikMak’s prior approval.
The client shall not disrupt MikMak’s business operations during the performance of this audit. Prior to the commencement of such an audit, the client and MikMak will mutually agree on the scope, timing, and duration of the audit, and the rate of reimbursement for the time spent by MikMak on such an audit.
The client shall promptly notify MikMak of any noncompliance discovered during an audit, and MikMak shall use commercially reasonable efforts to address any confirmed non-compliance.
Does MikMak have systems/policies in place to prevent DDOS Attacks?
Yes. All MikMak applications are protected against DDoS attacks that would result in downtime. We also enforce rate limiting on all of our services to block abusive traffic that might otherwise interrupt service.
What is the process for notifying the authorities and individuals in the case of a data breach?
MikMak shall notify the Client without undue delay of any breach of Personal Data. MikMak will provide commercially reasonable cooperation and assistance in identifying the cause of such an incident and will take commercially reasonable steps to remedy the cause to the extent that the remedy is within MikMak’s control.
Any additional security certifications or information?
AWS, on which MikMak is hosted, holds certifications for compliance with:
- ISO/IEC 27001:2013
- ISO/IEC 27017:2015
- ISO/IEC 27018:2019
- ISO/IEC 27701:2019
- ISO 22301:2019
- ISO 9001:2015
- CSA STAR CCM v3.0.1
These certifications cover the AWS infrastructure layer; under the AWS shared responsibility model, security of the applications and data MikMak runs on that infrastructure is MikMak's responsibility, as described in the rest of this page.
Is the solution resilient? If so, How?
Backup and resilience rely on the highly reliable, fault-tolerant AWS cloud infrastructure (including network, content delivery network, database, and computing).
How do you ensure availability? Do you have an emergency plan?
Critical infrastructure is replicated across different AWS availability zones and regions so that MikMak remains operational and available. We maintain a Disaster Recovery Plan (DRP) for a major outage of our primary AWS region (eu-west-1). The Recovery Time Objective (RTO) is between 30 minutes and 2 hours depending on the outage.
Does MikMak provide backup and disaster recovery (DR) services?
Yes. As above, backup and resilience rely on the highly reliable, fault-tolerant AWS cloud infrastructure (including network, content delivery network, database, and computing).
The Recovery Point Objective (RPO) is between 5 minutes and 24 hours depending on the system.
Full backups (Amazon S3 storage snapshots) are retained for 5 days, with long-term Amazon S3 backup storage for customer settings (database dumps).
Is AES 128-bit encryption or better being used for data at rest or in transit?
Yes. AES-256 is used per AWS standards. Amazon S3 encrypts each object with a unique key and, as an additional safeguard, encrypts that key with a root key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available, the 256-bit Advanced Encryption Standard (AES-256).
How do you ensure data encryption during storage and transport? Which standards?
TLS encryption in transit; encryption at rest with Amazon EBS and Amazon S3 encryption (AES-256).
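The two statements above (AES-256 at rest via S3 server-side encryption, TLS in transit) are exactly the kind of claim a customer can verify against a bucket's configuration rather than take on trust. The following is an added example of such a check; it is not MikMak's code and does not describe MikMak's buckets. It operates on two constructed dicts shaped like what boto3's `get_bucket_encryption()` returns and like a bucket policy after `json.loads`, so it runs offline; in practice you would pass the live API responses to the same functions. The bucket name `example-bucket` is a placeholder.

```python
"""Offline checks for the S3 at-rest and in-transit claims (illustrative, not MikMak's code).

The inputs are constructed samples in the shape the AWS APIs return:
  * default_encryption -> boto3 s3.get_bucket_encryption()
  * policy             -> json.loads(s3.get_bucket_policy()["Policy"])
"""
import json

# Constructed sample: bucket default encryption rule (SSE-S3, AES-256).
SAMPLE_ENCRYPTION = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
                "BucketKeyEnabled": False,
            }
        ]
    }
}

# Constructed sample: bucket policy denying any non-TLS request.
SAMPLE_POLICY = json.loads(
    """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}"""
)

# SSE-S3 (AES256) and SSE-KMS both encrypt with AES-256 under the hood.
ACCEPTED_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def default_encryption_ok(config: dict) -> bool:
    """True if at least one default-encryption rule uses an accepted algorithm."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ACCEPTED_ALGORITHMS:
            return True
    return False


def denies_plaintext_transport(policy: dict) -> bool:
    """True if a statement denies all principals every S3 action over non-TLS.

    Checks each element of the deny: Effect, a wildcard Principal (either form
    AWS accepts), a wildcard Action, and the aws:SecureTransport=false condition.
    A narrower deny (single action, single principal) does not count.
    """
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Deny":
            continue
        principal = st.get("Principal")
        if principal not in ("*", {"AWS": "*"}):
            continue
        if not any(a in ("s3:*", "*") for a in _as_list(st.get("Action"))):
            continue
        cond = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if any(str(v).lower() == "false" for v in _as_list(cond)):
            return True
    return False


def audit_bucket(encryption: dict, policy: dict) -> dict:
    """Summarize both properties for one bucket."""
    return {
        "at_rest": default_encryption_ok(encryption),
        "in_transit": denies_plaintext_transport(policy),
    }


if __name__ == "__main__":
    print(audit_bucket(SAMPLE_ENCRYPTION, SAMPLE_POLICY))
```

Of the two, the transport check is the one worth running: S3 has applied SSE-S3 (AES-256) to every new object by default since January 2023, so the at-rest rule mostly guards against a bucket deliberately configured otherwise, whereas nothing rejects plaintext HTTP unless a policy like the sample above is attached.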
Do you have an accessible API? If so, what kind? Please provide other relevant API information here too.
MikMak exposes a JSON REST API.
Technical documentation is available on request from your MikMak Account Manager.
What percentage of your data does your API cover?
The MikMak API covers product catalogue (referential) search, product stock search, and reporting. Internal APIs (used by our own App/Dashboard/Back office) cover nearly 100% of our data and can be partially opened depending on need and use case. It is a mature API with CRUD operations implemented at the resource level, using the appropriate HTTP methods and returning standard status codes and errors. The API can be versioned.
Is MikMak ADA and/or W3C Compliant?
At MikMak we strive to ensure that all of our applications are accessible. All MikMak experiences served to consumers meet the minimum requirements for ADA compliance and follow W3C guidelines and recommendations. We are constantly working on ways to improve accessibility across our products.