Security Overview

MikMak strives to provide a frictionless experience for consumers and brands, including secure collection, handling, and storage of data for everyone who interacts with or accesses our solutions. As our industry evolves, MikMak has remained at the forefront of building solutions that meet and exceed the requirements of consumer privacy legislation and regulations like GDPR, CPRA, and CCM.

Our Commitment

We are committed to providing a secure service that protects the data of our brand partners and their consumers.

Our commitment to security is ongoing. As the industry evolves, so too do our security practices and our commitment to building and maintaining industry-leading security principles and practices. We approach our security, much like the rest of our business, with a forward-thinking mindset to ensure that access to our solutions is never disrupted and that the security of brand partners and their consumers is always at the forefront.

Security Overview

At MikMak, we take every possible measure to secure our applications and data. Read below to learn more about how we approach Security within the MikMak Platform.

MikMak solutions are hosted on Amazon Web Services (AWS), a widely recognized and industry-leading cloud infrastructure vendor. Specifically, MikMak uses Amazon S3 and the AWS multi-datacenter high availability solution. This provides MikMak with 99.99999% durability, and critical infrastructure is replicated across different AWS availability zones and regions to ensure MikMak is always operational and available.

In addition to advantages in availability, AWS also provides the security infrastructure utilized by MikMak Insights and MikMak Commerce solutions.

Frequently Asked Questions

Does MikMak collect Personally Identifiable Information?

MikMak temporarily collects IP addresses for the purpose of:

  • Personalizing the MikMak Commerce shopping experience to display relevant retailers based on a shopper’s geolocation
  • Analytics (performance by geolocation)
  • Security

The IP Address is anonymized, encrypted, and not stored in any persistent storage. The session ID tracker on the host domain (depending on the service used) is automatically cleared when the browser session ends. This data is never shared with the client.

No other Personally Identifiable Information (PII) is collected or stored from consumers (users of the Commerce experience) as part of the “where to buy” journey.
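The two answers above describe IP addresses that are anonymized, keyed for the life of a browser session, and never written to persistent storage. The following is an added illustration of that pattern, not MikMak's own code: it truncates the address to a coarse network prefix (the /24 and /48 prefix lengths are this example's assumption), derives a session pseudonym with an HMAC under an in-memory key, and discards the key when the session ends so the pseudonym can no longer be linked back to the address.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Prefix lengths kept after truncation: /24 for IPv4, /48 for IPv6.
# These are illustrative choices for this example, not values stated on the page.
IPV4_PREFIX = 24
IPV6_PREFIX = 48


def truncate_ip(ip: str) -> str:
    """Drop the host bits of an IPv4/IPv6 address, keeping only a coarse prefix.

    The prefix is enough for country/region-level geolocation but no longer
    identifies a single device.
    """
    addr = ipaddress.ip_address(ip)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def session_pseudonym(ip: str, session_key: bytes) -> str:
    """Keyed hash of the truncated address.

    Without session_key the value cannot be recomputed from the address, so once
    the key is discarded the pseudonym is unlinkable.
    """
    truncated = truncate_ip(ip).encode()
    return hmac.new(session_key, truncated, hashlib.sha256).hexdigest()[:16]


class SessionScopedLookup:
    """In-memory only: stores per-session data keyed by pseudonym, never the raw IP."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # ephemeral; never persisted
        self._sessions: dict[str, str] = {}

    def record(self, ip: str, region: str) -> str:
        """Remember the resolved region for this visitor and return the pseudonym."""
        pseudonym = session_pseudonym(ip, self._key)
        self._sessions[pseudonym] = region
        return pseudonym

    def region_for(self, ip: str):
        """Look up the region recorded for a visitor from the same network prefix."""
        return self._sessions.get(session_pseudonym(ip, self._key))

    def end_session(self) -> None:
        """Clear all state and rotate the key; previous pseudonyms become meaningless."""
        self._sessions.clear()
        self._key = secrets.token_bytes(32)


if __name__ == "__main__":
    # Constructed sample input (RFC 5737 / RFC 3849 documentation addresses).
    store = SessionScopedLookup()
    print(truncate_ip("203.0.113.77"))           # 203.0.113.0
    print(truncate_ip("2001:db8:abcd:1234::1"))  # 2001:db8:abcd::
    print(store.record("203.0.113.77", "US-NY"))
    print(store.region_for("203.0.113.12"))      # US-NY (same /24)
    store.end_session()
    print(store.region_for("203.0.113.77"))      # None
```

Two properties worth checking in any such implementation: the truncation step alone must already be lossy enough for the geolocation use case (so that the raw address never needs to be kept), and the HMAC key must live only in process memory, since a persisted key would turn the pseudonyms back into a stable tracker.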

How does MikMak employ user consent/permission for shopper behavior tracking or sales transactions? And how does MikMak remain compliant with ever-changing and expanding regulations like PIPEDA (Canada), CCPA/CCRA (select US states), and GDPR (EU)?

MikMak uses a third party, Ketch, for managing user consent. It is loaded on all our commerce experiences in media and can be configured without engineering involvement to cover additional jurisdictions and compliance regulations.

  • Note: in CPRA-compliant states, the Cookie Preferences link in our footer reads "Your Privacy Choices", as that law requires; elsewhere it reads "Cookie Preferences".
  • Note: for Commerce for Brand.com integrations, user consent/permission management is handled by the brand, using whatever consent management platform they use on their site.

Do you conduct vulnerability assessments and penetration tests?

MikMak routinely conducts vulnerability assessments and penetration tests including, but not limited to:

  • Regular manual code reviews, unit tests, and integration tests (including OWASP Top 10 checks) on MikMak products and solutions to detect potential security defects in code prior to release
  • Regular penetration tests, including open port scans and tests for SQL injection, code injection, and XSRF/CSRF
  • Vulnerability scans at the application, network, and operating system layers, performed by AWS Inspector and Snyk

Do you perform technical monitoring (patch management) of the solution? If so, how?

System vulnerabilities and patches are managed by AWS Systems Manager. Application vulnerabilities are managed by AWS Inspector and Snyk. Open server ports are scanned monthly.

Can clients request audits of MikMak’s security and handling of personal data?

Yes. Through our ticketing and online support system, available on the MikMak platform, clients can request an audit of MikMak’s procedures relating to the protection of Personal Data, but only as required by applicable data protection laws. The selection of the third-party auditor is subject to MikMak’s prior approval.

The client shall not disrupt MikMak’s business operations during the performance of this audit. Prior to the commencement of such an audit, the client and MikMak will mutually agree on the scope, timing, and duration of the audit, and the rate of reimbursement for the time spent by MikMak on such an audit.

The client shall promptly notify MikMak of any noncompliance discovered during an audit, and MikMak shall use commercially reasonable efforts to address any confirmed non-compliance.

Does MikMak have systems/policies in place to prevent DDOS Attacks?

Yes. All MikMak applications are protected against DDoS attacks that would result in downtime. We also enforce rate limiting on all of our services in order to stop abusive traffic that might otherwise interrupt our services.

What is the process for notifying the authorities and individuals in the case of a data breach?

MikMak shall notify the Client without undue delay of any breach of Personal Data. MikMak will provide commercially reasonable cooperation and assistance in identifying the cause of such an incident and will take commercially reasonable steps to remedy the cause to the extent that the remedy is within MikMak’s control.

Does MikMak have a current SOC2 report?

MikMak is currently working with a third-party auditor to assist with the SOC2 assessment and report. A SOC2 report is expected to be available within the next 6 months [stated as of June 7, 2023].

The report will cover all five Trust Services Criteria:

  • Security
  • Confidentiality
  • Integrity
  • Availability
  • Privacy

Does MikMak have plans to secure additional security certifications beyond a SOC2 report?

As part of its long-term security and compliance initiatives, MikMak plans to achieve ISO 27001 certification.

Any additional security certifications or information?

AWS, which MikMak is hosted on, has certifications for compliance with:

  • ISO/IEC 27001:2013
  • 27017:2015
  • 27018:2019
  • 27701:2019
  • 22301:2019
  • 9001:2015
  • CSA STAR CCM v3.0.1

Is the solution resilient? If so, how?

Backup and resilience rely heavily on the highly reliable and fault-tolerant AWS cloud infrastructure (including network, content delivery network, database, and computing).

How do you ensure availability? Do you have an emergency plan?

Critical infrastructure is replicated across different AWS availability zones and regions to ensure MikMak is always operational and available. In the event of an emergency, we have a Data Recovery Plan (DRP) covering a major outage of our primary AWS region (eu-west-1). The Recovery Time Objective (RTO) is between 30 min and 2h depending on the outage.

Does MikMak provide backup and disaster recovery (DR) services?

Backup and resilience rely heavily on the highly reliable and fault-tolerant AWS cloud infrastructure (including network, content delivery network, database, and computing).

The Recovery Point Objective (RPO) is between 5 min and 24h depending on the system.

Full backups are retained for 5 days (Amazon S3 storage snapshots), and customer settings (database dumps) are kept in long-term Amazon S3 backup storage.

Is AES 128-bit encryption or better being used for data at rest or in transit?

Yes, AES-256 is used per Amazon AWS standards. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available to encrypt your data, the 256-bit Advanced Encryption Standard (AES-256).

How do you ensure data encryption during storage and transport? Which standards?

TLS encryption is used during transport, and data is encrypted at rest (Amazon EBS and S3 encryption, AES-256).
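The two answers above state that objects are protected by S3 server-side encryption (AES-256) at rest and by TLS in transit. As an added example that is not MikMak's code, the block below shows how a practitioner would verify and enforce both controls on their own bucket: one function checks a default-encryption configuration in the shape returned by boto3's `get_bucket_encryption()`, one builds a bucket policy that denies non-TLS requests and uploads that do not request server-side encryption, and one reports which of the two controls a given policy actually enforces. The bucket name is a placeholder; no AWS call is made, so the block runs offline.

```python
import json

# Server-side encryption algorithms S3 accepts in the x-amz-server-side-encryption header.
SSE_ALGORITHMS = ("AES256", "aws:kms")


def default_encryption_enabled(config: dict) -> bool:
    """True if the bucket's default encryption config applies AES-256 (SSE-S3) or KMS.

    `config` has the shape of boto3 get_bucket_encryption()['ServerSideEncryptionConfiguration'].
    """
    for rule in config.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in SSE_ALGORITHMS:
            return True
    return False


def hardened_bucket_policy(bucket: str) -> dict:
    """Bucket policy that refuses plaintext transport and unencrypted uploads."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Deny every request that does not arrive over TLS.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Deny PutObject unless the request asks for SSE-S3 or SSE-KMS.
                # StringNotEquals also matches when the header is absent.
                "Sid": "DenyUnencryptedPut",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": list(SSE_ALGORITHMS)}
                },
            },
        ],
    }


def _actions(statement: dict) -> list:
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def policy_controls(policy: dict) -> set:
    """Report which controls a bucket policy enforces: 'tls_in_transit', 'sse_at_rest'."""
    found = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        cond = st.get("Condition", {})
        if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            found.add("tls_in_transit")
        sse = cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
        if sse and "s3:PutObject" in _actions(st):
            found.add("sse_at_rest")
    return found


if __name__ == "__main__":
    # Constructed sample: a default-encryption config as boto3 would return it.
    sample_config = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
    print("default encryption:", default_encryption_enabled(sample_config))
    policy = hardened_bucket_policy("example-bucket-placeholder")
    print(json.dumps(policy, indent=2))
    print("controls enforced:", sorted(policy_controls(policy)))
```

One caveat when applying the second statement: because `StringNotEquals` also matches requests that omit the header, clients that rely on bucket default encryption rather than sending `x-amz-server-side-encryption` explicitly will be denied. Decide which of the two mechanisms (default encryption, or the explicit deny) is the control of record and test uploads from every client before rolling the policy out.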

Do you have an accessible API? If so, what kind? Please provide other relevant API information here too.

MikMak has an API built around JSON REST.

Technical documentation is available upon request; please ask your MikMak Account Manager.

What percentage of your data does your API cover?

The MikMak API covers product referential search, product stock search, and reporting. Internal APIs (used by our own App/Dashboard/Back office) cover nearly 100% of our data and can be partially opened depending on need and use case. It is a mature API with CRUD operations implemented at the resource level, using the appropriate HTTP methods and returning standard status codes and errors. The API can be versioned.

*Internal APIs can be opened depending on need and use case.

Is MikMak ADA and/or W3C Compliant?

At MikMak we strive to ensure that all of our applications are accessible. All MikMak experiences served to consumers meet the minimum requirements for ADA compliance and follow W3C guidelines and recommendations. We are constantly working on ways to improve accessibility across our products.

Have Any Additional Questions?

If you have additional questions about the security systems and practices in place at MikMak, please provide a list of questions to your MikMak Account Manager, and we’ll be happy to work with our teams internally to get your questions answered as quickly as possible.

500+ brands from around the world trust MikMak. Our solutions are built with brand and consumer privacy and security concerns in mind, helping us future-proof our business as changes and policies evolve.