Security Overview

MikMak temporarily collects IP addresses for the purpose of:

• Personalizing the MikMak Commerce shopping experience to display relevant retailers based on a shopper’s geolocation
• Analytics purposes - performance by geolocation
• And security purposes

The IP Address is anonymized, encrypted, and not stored in any persistent storage. The session ID tracker on the host domain (depending on the service used) is automatically cleared when the browser session ends. This data is never shared with the client.

No other Personally Identifiable Information (PII) is collected or stored from consumers (user of the Commerce experience) as part of the “where to buy” journey.

MikMak uses a 3rd party, Ketch, for managing user consent. It is loaded on all our commerce experiences in media and can be configured without engineering involvement to expand jurisdictions/compliance regulations.

• Note: in CPRA-compliant states, we have Cookie Preferences language at our footer that reads "Your Privacy Choices", per that law but it otherwise reads "Cookie Preferences"
• Note: For Commerce for Brand.com integrations, the user consent/permission management is handled by the brand, using whatever customer content management platform they use on their site.

MikMak routinely conducts vulnerability assessments and penetrations tests including, but not limited to:

• MikMak products and solutions undergo regular manual code reviews, unit tests, and integrations tests (including OWASP Top 10) to detect potential security defects in code prior to release
• Regular penetration tests - including open port scan, SQL injection, code injection, and XSRF/CSRF attacks
• Vulnerability scans at the application, network, and operation system layer are performed by AWS Inspector and Snyk.

System vulnerability and patches are managed by AWS System Manager. Application vulnerability is managed by AWS Inspector and Synk. Open server ports are scanned monthly.

Yes - through our ticketing and online support system available on the MikMak platform, clients can request an audit of MikMak’s procedures relating to the protection of Personal Data, but only as required by applicable data protection laws. The selection of the third-party auditor is subject to MikMak’s prior approval.

The client shall not disrupt MikMak’s business operations during the performance of this audit. Prior to the commencement of such an audit, the client and MikMak will mutually agree on the scope, timing, and duration of the audit, and the rate of reimbursement for the time spent by MikMak on such an audit.

The client shall promptly notify MikMak of any noncompliance discovered during an audit, and MikMak shall use commercially reasonable efforts to address any confirmed non-compliance.

Yes - All MikMak applications are protected against DDoS attacks that would result in downtime. We also enforce rate limiting on all of our services in order to avoid nefarious traffic that might otherwise interrupt our services.

MikMak shall notify the Client without undue delay of any breach of Personal Data. MikMak will provide commercially reasonable cooperation and assistance in identifying the cause of such an incident and will take commercially reasonable steps to remedy the cause to the extent that the remedy is within MikMak’s control.

MikMak is currently working with a third-party auditor to assist with the SOC2 assessment and report. A SOC2 Report is expectedd to be available within the next 6 months [stated as of June 7, 2023]

The report will cover all five Trust Services Criteria including:

• Security
• Confidentiality
• Integrity
• Availability
• Privacy

As part of its long-term security and compliance initiatives, MikMak will plan to achieve ISO 27001 certification

AWS, which MikMak is hosted on, has certifications for compliance with:

• ISO/IEC 27001:2013
• 27017:2015
• 27018:2019
• 27701:2019
• 22301:2019
• 9001:2015
• CSA STAR CCM v3.0.1.

Backup and resilience greatly rely on highly reliable and fault-tolerance AWS cloud infrastructure (including network, content delivery network, database, and computing).

Critical infrastructure is replicated across different AWS availability zones and regions, to ensure MikMak is always operational and available. In the event of an emergency, we have a Data Recovery Plan (DRP) in case of a major outage of our primary AWS region (eu-west-1). Recovery Time Objective is between 30 min and 2h depending on the outage.

Backup and resilience greatly rely on highly reliable and fault-tolerance AWS cloud infrastructure (including network, content delivery network, database, and computing).

Recovery Point Objective (RPO) between 5 min and 24h depending on the system.

5 days full backup (Amazon S3 storage snapshot), long-term Amazon S3 backup storage for customer settings (database dump)

Yes, AES-256 is used per Amazon AWS standards. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available to encrypt your data, the 256-bit Advanced Encryption Standard (AES-256).

TLS encryption during transport, encryption at rest (Amazon EBS and S3 encryption AES-256)

MikMak has an API built around JSON REST.

Technical documentation is available upon request - please ask your MikMak Account Manager

The MikMak API covers product referential search, product stock search, and reporting. Internal APIs (used by our own App/Dashboard/Back office) cover nearly 100% of our data and can be partially opened depending on need/use case. It is a mature API with CRUD API implemented at the resource level, using adequate methods and returning standard code and error. API can be versioned.

*Depending on need and use case can be opened at times

At MikMak we strive to ensure that all of our applications are accessible. All MikMak experiences served to consumers meet the minimum requirements for ADA compliance and follow W3C guidelines and recommendations. We are constantly working on ways to improve accessibility across our products.