Security Policy
Security is part of our DNA, along with transparency. We're transparent with our security program so our users can be informed and feel safe using MINE2's cyber deception platform.
MINE2 is ISO 27001 Certified
Since 2023, MINE2 has successfully maintained ISO 27001 certification for our Information Security Management System. Annual audits confirm that MINE2's information security practices, policies, procedures, and operations meet the ISO 27001 international standard. We are audited by qualified independent certification bodies, ensuring our security controls meet the highest international standards.
Table of Contents
Overview
Security is fundamental to MINE2's cyber deception platform. As a company that helps organizations detect threats through digital landmines and honeytokens, we understand that trust is earned through demonstrable security practices and transparent communication about our security posture.
This document provides a comprehensive overview of the security practices, policies, and procedures implemented at MINE2 to protect our platform, our customers' data, and the integrity of our cyber deception technology.
MINE2 Security Program Overview
Comprehensive Security Framework
MINE2's security program includes administrative, technical and physical safeguards designed to protect the confidentiality, integrity and availability of customer data. Our program is appropriate for the nature, size and complexity of our cyber deception platform operations.
ISO 27001 Compliance
MINE2 follows the ISO 27001 Information Security Management System (ISMS) standard and undergoes annual reviews with qualified and impartial independent external auditors. Our security controls are continuously monitored and improved.
Security Policy Management
Our security team develops, maintains, reviews and approves MINE2 security policies. All policies and operating procedures related to security, confidentiality, integrity and availability are accessible to personnel via our documentation management platform. Security policies are reviewed, updated, and approved annually.
Human Resources Security
Background Verification
All MINE2 contractors and employees undergo comprehensive background checks prior to engagement in accordance with local laws and industry best practices. Employment contracts require protection of personal data and confidential information during and after employment.
Security Training
All personnel complete mandatory security awareness and privacy training annually. MINE2 conducts regular security education sessions to maintain a secure workplace culture and ensure awareness of emerging threats.
Access Termination
During offboarding, access to MINE2 systems and networks is disabled immediately upon notification of personnel termination. We maintain a disciplinary process for policy violations.
Asset Management & Endpoint Security
Endpoint Protection
MINE2 uses advanced endpoint detection and response (EDR) technology on all endpoints to monitor for viruses, malware, and advanced persistent threats. Real-time scanning and automated virus definition updates ensure comprehensive protection.
Device Management
All endpoints feature full-disk encryption and are monitored using industry-recognized tools that alert administrators of policy deviations. Security compliance is continuously validated across all devices.
Asset Inventory
MINE2 maintains comprehensive inventories of corporate hardware, software, and cloud infrastructure assets. Information is classified according to our Data Management Policy for appropriate protection levels.
Access Control & Authentication
Principle of Least Privilege
Access to assets and sensitive information is granted on a need-to-know basis according to role requirements. Users receive only the minimum access level required to perform their job functions effectively.
Multi-Factor Authentication
We enforce single-sign on (SSO) and multi-factor authentication (MFA) across all systems. Third-party access to production systems is strictly prohibited without explicit authorization.
Access Monitoring
All production environment access is monitored and logged for security purposes. Access permissions are regularly audited and baselined to meet security and compliance requirements.
Physical Security
Office Security
MINE2 offices serve as collaboration spaces with no production services hosted on-premises. Office access is managed through secure badging systems that log all entry attempts and deny unauthorized access.
Cloud Infrastructure Security
MINE2 production infrastructure is hosted in AWS data centers with comprehensive physical and environmental security controls including backup power, access control, HVAC systems, and fire suppression equipment.
Compliance Validation
AWS data center controls are annually validated for ISO 27001 physical security standard compliance. Learn more about AWS data center controls and compliance programs through their official documentation.
Data Security & Encryption
Encryption Standards
MINE2 uses industry-standard encryption to protect customer data at rest and in transit using TLS1.3, AES-256-GCM or superior encryption standards. All connections are authenticated and encrypted using current industry standards.
Data Lifecycle Management
Customer data is securely removed at the end of service relationships according to contractual agreements and regulatory requirements. Data retention policies ensure appropriate lifecycle management.
Digital Landmine Data Protection
Our core digital landmine technology employs additional encryption layers and isolation techniques to protect honeytokens and deception assets from unauthorized access or analysis.
Logging & Monitoring
Continuous Monitoring
MINE2 continuously monitors application, infrastructure, network, data storage, and system performance using advanced SIEM systems that pull real-time security information from all critical components.
Security Event Management
Our SIEM is configured to send automated alerts to the security team and is monitored continuously. Logs contain comprehensive details on date, time, source, and event types with 365-day retention.
Threat Response
Security information is regularly reviewed and potential risks are remediated appropriately. Our monitoring includes both our internal systems and customer digital landmine deployments.
Network Security
Perimeter Defense
MINE2 utilizes AWS network perimeter defense solutions, internal IDS, and advanced firewalls to monitor, detect, and prevent malicious network activity. Our security team responds to anomalous activity immediately.
Network Segmentation
Our architecture consists of entirely separate environments, each with dedicated VPCs and isolated subnets. Default-deny policies ensure only necessary communications are permitted through security groups.
Change Management
Network rule changes follow strict change management processes requiring approval from designated approvers. Rules are reviewed annually to ensure minimal necessary access.
Secure Software Development Lifecycle
Planning & Design
Threat modeling is performed for all new features using STRIDE methodology. Security requirements are documented alongside functional requirements, with data classification and privacy impact assessments conducted. Secure architecture is developed and approved before actual development begins.
Code Development
All code is stored in private Git repositories with MFA and role-based access. We follow language-specific secure coding guidelines with no hardcoded credentials or secrets (managed in Vault). Input validation and output encoding prevent injection attacks.
Code Review & Static Analysis
Mandatory peer code reviews are required for all commits. Automated static analysis using SonarQube and Semgrep ensures code quality. Critical, High, and Medium security issues must be resolved before merging.
Dependency Management
Only approved third-party libraries are used, with weekly vulnerability scanning. Dependencies are updated in development environments first to prevent supply chain attack risks.
Build & Binary Security
Secure Build Process
Builds are performed in controlled CI/CD pipelines (Jenkins/GitHub Actions) with MFA requirements. All builds follow strict security protocols and automated testing procedures.
Binary Hardening
Code signing with MINE2's code signing certificate (EV where required), compiler security flags enabled (ASLR, DEP, stack protection), obfuscation for sensitive logic, and strong controls to prevent buffer overflow attacks.
Integrity Verification
SHA integrity checks are performed on binary execution in customer environments. All artifacts are signed and checksum hashes are published for verification.
Web Application Security
Transport & Protocol Security
HTTPS enforced with TLS 1.2+ and strong ciphers. HTTP security headers are properly configured (CSP, HSTS, X-Content-Type-Options, etc.) with CSRF protection enabled.
Authentication & Authorization
Authentication via secure SSO/OAuth2/OpenID Connect with MFA. Role-based access control is enforced in the backend with access checks made on multiple layers for all users.
Monitoring & Detection
Active logging and anomaly detection are enabled across all web applications with real-time security monitoring and alerting.
Security Testing & Validation
Automated Testing
Automated unit and integration tests with comprehensive security test coverage. All code changes undergo rigorous automated security validation.
Dynamic Security Testing
Dynamic Application Security Testing (DAST) for web components and fuzz testing for binaries ensure comprehensive coverage of potential security vulnerabilities.
Penetration Testing
Professional penetration testing is conducted before major releases, with regular third-party security assessments of all production and Internet-facing systems.
Release & Deployment Security
Secure Deployment
CI/CD deployment requires multi-party approval with all artifacts signed and verified. Infrastructure-as-Code (IaC) with security scanning using Terraform and tfsec.
Production Security
Application logs are stored securely and monitored for anomalies. Security alerts are integrated into SIEM systems (Splunk, ELK, Sentinel) for real-time threat detection.
Incident Response
Comprehensive incident response plan with 24/7 contact procedures and post-incident reviews for continuous improvement.
Third Party Security
Vendor Management Program
MINE2's security team maintains a comprehensive vendor management program establishing requirements for third-party and external vendor engagements, assessing technical, physical, and administrative controls.
Security Assessments
We evaluate security controls and assurance reports for vendors annually to ensure they meet MINE2 and customer expectations. Vendor assessments include compliance verification.
Subprocessor Management
For a complete list of MINE2's subprocessors and their security qualifications, please visit our dedicated subprocessor documentation page.
Incident Response & Notification
Incident Response Plan
MINE2 maintains a comprehensive incident response plan including processes to assess, escalate, and respond to security incidents impacting MINE2, customers, or data. The plan is reviewed and updated annually.
Customer Notification
Customers affected by security incidents are notified within 24 hours of MINE2 becoming aware of the incident. Notifications include impact assessment and remediation steps.
Digital Landmine Incident Handling
Incidents involving digital landmine triggers or deception technology are handled with specialized procedures to maintain the integrity of active deception campaigns.
Risk Management
Risk Assessment
MINE2's security risk assessment policy and process enable identification and remediation of potential infrastructure threats. Risk ratings are assigned to all identified risks with managed remediation.
Executive Oversight
Executive management is continuously informed of organizational risk posture. Regular risk assessments inform strategic security decisions and resource allocation.
Cyber Deception Risk Management
Special consideration is given to risks associated with our cyber deception technology, including potential for false positives and maintaining deception effectiveness.
Vulnerability Management
MINE2 monitors for vulnerabilities across our technology stack and assets continuously. Monthly internal and external vulnerability scans use industry-recognized tools. We maintain a private bug bounty program and conduct annual external penetration tests. All findings are evaluated, documented, and remediated promptly.
Change Management
Our change management procedures require planning, testing, managerial approval, and stakeholder communication. Emergency changes are documented and reviewed with rollback processes for unsuccessful deployments. Changes are tested in dedicated environments separate from production.
Business Continuity Plan
MINE2 relies on AWS redundancy and hot-standby features with compute and storage resources spread across multiple data centers for seamless failover. Mission-critical data is backed up daily to remote locations with 14-day retention. Annual restoration tests ensure disaster recovery readiness.
Digital Landmine Technology Security
Our core cyber deception technology employs specialized security measures including encrypted honeytokens, isolated deception environments, and secure communication channels. Digital landmines are designed to be undetectable while maintaining high fidelity threat detection capabilities.
Compliance & Certifications
MINE2 maintains ISO 27001 certification for our Information Security Management System. We undergo regular audits by independent certification bodies and maintain compliance with relevant cybersecurity frameworks including OWASP Top 10, NIST Secure Software Development Framework (SSDF), MITRE ATT&CK framework, and GDPR requirements.
Security Standards & Frameworks
Our security program follows industry-leading standards including OWASP Top 10 for web application security, NIST Secure Software Development Framework (SSDF), and MITRE ATT&CK framework for threat modeling. We maintain compliance with ISO 27001, GDPR, and other relevant regulatory requirements.
Continuous Security Improvement
Post-incident reviews are conducted for all security incidents to drive continuous improvement. Regular security training is provided to developers, and our security processes undergo annual review and updates to maintain effectiveness against evolving threats.
Vulnerability Disclosure
MINE2 hosts a private Bug Bounty Program with industry-leading security platforms. If you're an independent security expert or researcher and believe you've discovered a security-related issue on our platform, we appreciate responsible disclosure and thank you for your expertise.
Responsible Disclosure Process
- Contact our security team at security@mine2.io
- Provide detailed information about the vulnerability
- Allow reasonable time for investigation and remediation
- Avoid accessing or modifying customer data
MINE2 does not currently invite members of the wider public to its private Bug Bounty Program, but we welcome responsible disclosure from security researchers.
Security Contact Information
If you have questions or feedback about our security practices, or need to report a security concern, please reach out to our security team:
Security Team
Response time: Within 24 hours
General Inquiries
For general questions about MINE2
Questions About Our Security Program?
We're committed to transparency and maintaining the highest security standards. Contact us anytime with questions about our security practices.