Security and Compliance
Security and compliance are top priorities for Morta because they are fundamental to your experience with the product. Morta is committed to securing your data, eliminating system vulnerabilities, and ensuring continuity of access. Morta uses a variety of industry-standard technologies and services to protect your data from unauthorized access, disclosure, use, and loss. Security is directed by Morta's Chief Technology Officer and maintained by Morta's Engineering team.
1. Compliance and Certification
Cyber Essentials Certified
IASME GDPR Certified
1.1. Cyber Security
We have received the UK government-backed Cyber Essentials certification (which can be found here), which demonstrates that we have put in place the baseline controls that protect systems against the most common internet-based cyber attacks. This certification makes us eligible to bid for central government contracts which involve handling sensitive and personal information or the provision of certain technical products and services.
1.2. GDPR
Morta takes the General Data Protection Regulation (GDPR) very seriously - we have received the IASME Consortium GDPR certification (which can be found here). By certifying to the IASME Governance Standard, which includes the GDPR requirements, we have demonstrated that our organisation has a wider governance system for managing the controls that protect personal data. In an effort to exceed the requirements of GDPR and provide the same privacy benefits to all our users, Morta applies the standards of the regulation globally, instead of limiting its scope to Europe. All customer data (and all our marketing data) is treated in a way that conforms with GDPR.
If you process personal data of EU residents through a vendor (like Morta), GDPR requires a written contract between you (the controller) and each vendor (the processor) that sets out the vendor's data-protection obligations. Morta's Data Processing Addendum (DPA) is a form that you can complete to put that controller-processor agreement in place with Morta. Please email us to receive a copy.
1.3. HIPAA and HITECH
Morta data is hosted on Google Cloud Platform, which encrypts all data at rest by default; encryption at rest is one of the technical safeguards addressed by the HIPAA Security Rule (HIPAA Title II). Morta also exercises strong access control and technical and administrative safeguards in line with the HIPAA Security Rule.
1.4. PCI DSS
Morta's payment and card information is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry. Morta does not itself receive or store card data, which keeps its own systems out of the scope of the Payment Card Industry Data Security Standard (PCI DSS) for cardholder data in most situations.
2. Vulnerability Disclosure
If you would like to report a vulnerability or have any security concerns with Morta, please contact matt@morta.io. We take all disclosures very seriously. Once a disclosure is received, we rapidly verify the vulnerability before taking the necessary steps to fix it. Once verified, we send periodic status updates until the problem is fixed.
3. Infrastructure and Network Security
3.1. Physical Access Control
Morta is hosted on Google Cloud Platform. Google data centers feature a layered security model with extensive physical safeguards. According to the Google Security Whitepaper: “The data center floor features laser beam intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are reviewed in case an incident occurs. Data centers are also routinely patrolled by professional security guards who have undergone rigorous background checks and training.”
Morta employees do not have physical access to Google data centers, servers, network equipment, or storage.
3.2. Logical Access Control
Morta is the assigned administrator of its infrastructure on Google Cloud Platform, and only designated, authorised Morta operations team members have access to configure the infrastructure, on an as-needed basis and only through a two-factor authenticated virtual private network. Individual servers require their own private keys, and those keys are stored in a secure, encrypted location.
3.3. Third-Party Audit
Google Cloud Platform undergoes various independent third-party audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SOC 2 attestation reports under the SSAE 16 standard and ISO 27001 certification.
3.4. Intrusion Detection and Prevention
Unusual network patterns and suspicious behavior are among Morta's most significant concerns for infrastructure hosting and management. Morta's and Google Cloud Platform's intrusion detection and prevention systems (IDS/IPS) rely on both signature-based detection (matching known attack patterns) and anomaly-based, algorithmic detection (flagging traffic that deviates from normal behaviour).
IDS/IPS involves tightly controlling the size and make-up of the attack surface, employing intelligent detection controls at data entry points, developing and deploying technologies that automatically remedy dangerous situations, and preventing known threats from reaching the system in the first place.
Morta does not provide direct access to security event forensics but does provide access to the engineering and customer support teams during and after any unscheduled downtime.
4. Business Continuity and Disaster Recovery
4.1. High Availability
Every part of the Morta service uses properly provisioned, redundant servers (e.g., multiple load balancers, web servers, and replica databases) so that a single failure does not take the service down. As part of regular maintenance, servers are taken out of operation without impacting availability.
4.2. Business Continuity
Morta keeps hourly encrypted backups of data on Google Cloud Platform. While never expected, in the case of production data loss (i.e. the primary data stores are lost), we will restore organizational data from these backups.
4.3. Disaster Recovery
In the event of a region-wide outage, Morta will bring up a duplicate environment using Amazon Web Services (AWS) in the Europe (London) region.
5. Data Flow
5.1. Data Through System
Data is sent to Morta over TLS to an HTTPS endpoint and is encrypted with AES-256 at rest. The TLS configuration of the endpoint (protocol versions and cipher suites) is documented in Morta's latest SSL Labs report, which can be found here.
5.2. Data Out Of System
Once data is entered into Morta, it can then be accessed via Morta's user interface and REST APIs.
6. Data Security and Privacy
6.1. Data Encryption
All data on Morta servers is encrypted at rest. Google Cloud Platform stores and manages the data encryption keys in its redundant, globally distributed Key Management Service. So, if an intruder were ever able to access any of the physical storage devices, the Morta data on them could not be decrypted without the keys: without them, the stored bytes are computationally indistinguishable from random data.
Encryption at rest also enables continuity measures like backup and infrastructure management without compromising data security and privacy.
Morta sends data exclusively over HTTPS (TLS-encrypted) connections, so data is also protected as it transits to and from the application.
6.2. Data Removal
All customer data stored on Morta servers is erased when a customer terminates service and deletes their account, after a 24-hour waiting period that guards against accidental cancellation. Data can also be deleted on request, and via Morta's REST API and UI.
7. Application Security
7.1. Two-Factor Authentication
We encourage users to sign in with their Google or Microsoft identity (single sign-on). This means that existing organisational policies (2FA etc.) continue to apply within the Morta application.
7.2. REST API Authentication (API Key)
Morta's REST API uses an auth token or API key for authentication. The token is passed in the request's authorization header and identifies the user account making the API call.
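As an added illustration (example code, not Morta's own API or implementation), the following shows the two halves of API-key authentication the paragraph describes: a client that attaches the key to the authorization header and refuses to send it over plain HTTP, and a server-side check that stores only a salted hash of each key and compares it in constant time. The `Bearer` scheme, the `key_id.secret` key layout, the endpoint URL and the function names are assumptions chosen for the example; the page does not specify them.

```python
"""Added example (not Morta's code): API-key authentication for an HTTPS REST API.

Assumptions (not stated on the page): the key is sent as a bearer token in the
HTTP Authorization header, keys have the shape "<key_id>.<secret>", and the
server keeps only a salted SHA-256 hash of each secret.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed in-memory key store: key_id -> (salt, sha256(salt || secret)).
_KEY_STORE: Dict[str, Tuple[bytes, bytes]] = {}


def issue_api_key(key_id: str) -> str:
    """Generate a random API key and store only its salted hash."""
    secret = secrets.token_urlsafe(32)          # URL-safe base64: never contains "."
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + secret.encode()).digest()
    _KEY_STORE[key_id] = (salt, digest)
    return f"{key_id}.{secret}"                 # returned to the caller exactly once


def build_auth_headers(url: str, api_key: str) -> Dict[str, str]:
    """Client side: only ever attach the key to an HTTPS URL."""
    if urlparse(url).scheme != "https":
        raise ValueError("API key must only be sent over HTTPS")
    return {"Authorization": f"Bearer {api_key}"}


def verify_request(headers: Dict[str, str]) -> Optional[str]:
    """Server side: return the authenticated key_id, or None on any failure.

    hmac.compare_digest keeps the comparison time independent of how many
    leading bytes of the presented hash match the stored one.
    """
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return None
    key_id, _, secret = presented.partition(".")
    record = _KEY_STORE.get(key_id)
    if record is None:
        # Hash anyway so an unknown key_id costs about as much as a known one.
        hashlib.sha256(b"\x00" * 16 + secret.encode()).digest()
        return None
    salt, expected = record
    digest = hashlib.sha256(salt + secret.encode()).digest()
    return key_id if hmac.compare_digest(digest, expected) else None


def revoke_api_key(key_id: str) -> bool:
    """Remove the key record; later requests with that key are rejected."""
    return _KEY_STORE.pop(key_id, None) is not None


if __name__ == "__main__":
    key = issue_api_key("svc-reports")
    hdrs = build_auth_headers("https://api.example.invalid/v1/tables", key)
    print(verify_request(hdrs))                                     # svc-reports
    print(verify_request({"Authorization": "Bearer svc-reports.wrong"}))  # None
    revoke_api_key("svc-reports")
    print(verify_request(hdrs))                                     # None
```

The raw key is shown to the caller once at issue time and never stored in the clear, so a leaked key store cannot be replayed against the API; revocation is just deleting the record.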
8. Corporate Security
8.1. Malware Protection
At Morta, we believe that good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities. We use CyberSmart to check that all employee devices follow best-practice security configuration.
8.2. Risk Management
Morta follows the risk management procedures outlined in NIST SP 800-30, which include nine steps for risk assessment and seven steps for risk mitigation.
All Morta product changes must go through code review, CI, and build pipeline to reach production servers. Only designated employees on Morta’s operations team have secure shell (SSH) access to production servers.
We perform testing and risk assessment on all systems and applications on a regular and ongoing basis. New controls are developed, reviewed, and deployed to production via pull request and internal review. New risk management practices are documented and shared.
8.3. Contingency Planning
The Morta operations team includes service continuity and threat remediation among its top priorities. We keep a contingency plan in case of unforeseen events, including risk management, disaster recovery, and customer communication sub-plans that are tested and updated on an ongoing basis and thoroughly reviewed for gaps and changes at least annually.
8.4. Security Policies
Morta maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps. An overview of specific security policies is available to Morta Enterprise customers upon request.
8.5. Disclosure Policy
Morta follows the incident handling and response process recommended by SANS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events. Morta notifies customers of any data breaches as soon as possible via email, followed by multiple periodic updates throughout each day addressing progress and impact.
Morta maintains a live report of operational uptime and issues on our status page. Anyone can subscribe to updates via email from the status page. Any known incidents are reported there.