As M&A professionals, we understand the importance of data security and maintaining the confidentiality of information in an M&A context. This key factor is incorporated into the way we have designed and built our entire platform.
Midaxo is committed to maintaining a high level of information security, and its key priority is always protecting customers’ information and carefully maintaining the information security of the Midaxo Platform. Our Security Whitepaper gives an overview of the Midaxo Platform security features.
The Midaxo information security management system (Midaxo ISMS) is based on the international ISO 27001 standard. The design of security controls is based on risk analysis. Risk management is performed periodically throughout the organization to ensure the mitigation of any emerging security risks. Midaxo ISMS defines the security processes, roles, and responsibilities for implementing information security management as an integral part of Midaxo’s business and operations. Midaxo ISMS and Midaxo’s information security policy are periodically reviewed to ensure they are up to date.
The Midaxo Platform is developed, operated, and maintained by motivated, competent personnel who are committed to maintaining a high level of information security. Continuous security education and training support them in maintaining security awareness across the organization. The technical implementation of the Midaxo Platform has been designed to meet customers’ strict security requirements and industry best practices.
Technical security starts with a comprehensive security architecture that defines a solid and secure foundation for the Midaxo Platform. The architecture is based on well-proven and widely used secure products, methods, and protocols, and it has been defined to protect data both in transit and at rest and to ensure its confidentiality, integrity, and availability. Strict access control allows only authorized users to access the data.
Operation and maintenance of the Platform follows documented processes and plans. Continuous monitoring of information security and system performance ensures that all deviations and incidents can be responded to in a timely manner by trained and competent personnel in accordance with the incident response process.
Because of today’s ever-changing risks and security threats, Midaxo’s security team closely monitors security updates, alerts, and advisories from applicable system and software vendors as well as various security organizations and authorities. Based on risk analysis, the security team deploys applicable mitigation methods and security controls. Periodic security audits and technical tests performed by independent third-party information security companies ensure that information security fulfills all requirements and meets the highest standards.
MIDAXO PLATFORM ARCHITECTURE
The Midaxo Platform runs on Amazon’s leading cloud platform, the Amazon Elastic Compute Cloud (AWS EC2) web service.
The Midaxo Platform is logically based on a three-tier client-server architecture, in which the user interface (presentation tier), application processing (logic tier), and data storage (data tier) functions are separated.
The Midaxo Platform production environment contains three distinct servers:
- M&A application server: Provides the user interface and runs the M&A application logic.
- M&A database server: Provides M&A data storage, separated from the application server.
- Log collection server: Collects log data from both of the aforementioned servers and automatically sends alerts regarding any detected violations.
CUSTOMER DATA SECURITY
Customer data stored in the Midaxo Platform is physically located in the Amazon EC2 Ireland data center for EU customers or the Amazon EC2 Virginia data center for US customers. All data stored in the Midaxo Platform is considered confidential. Customers retain ownership of their data. Midaxo’s policy restricts Midaxo administrators’ access to customer data to support purposes, and only when requested by the customer.
ISO 27001 CERTIFIED
The Midaxo information security management system (Midaxo ISMS) meets the international ISO/IEC 27001:2013 standard. As of April 2016, Midaxo was certified compliant by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) after successful completion of a formal compliance audit. ISO 27001 is an internationally recognized security management standard that specifies security management best practices and comprehensive security controls.
Midaxo passed the annual surveillance audit for 2018 on March 26th.
The Midaxo Platform service holds an Information Security Certificate issued by Nixu Ltd., the largest independent information security expert services company in the Nordics. The Information Security Certificate verifies that the Midaxo Platform architecture and software are designed, implemented, and maintained securely. Nixu Ltd. performs an annual security audit to maintain the Nixu Information Security Certificate. Besides Nixu Ltd., other independent third-party auditors regularly audit the Midaxo Platform’s security.
In addition, customers themselves have audited the Midaxo Platform. Midaxo offers customers the opportunity to perform their own security audits and penetration testing against a test instance that has the same architecture as the Midaxo Platform.
STATEMENT OF HIPAA COMPLIANCE
The Health Insurance Portability and Accountability Act (HIPAA) is a United States law that mandates requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to hospitals and other healthcare companies that have access to patients’ protected health information (PHI), and it also applies to their business associates that can access PHI.
The scope of HIPAA was extended by HITECH, the Health Information Technology for Economic and Clinical Health Act, in the United States. The relevant HITECH requirements are included in the HIPAA Omnibus Rule.
HIPAA requires that covered entities and their business associates sign Business Associate Agreements (BAAs). Once a BAA is signed between Midaxo, as a business associate, and a customer that is a HIPAA covered entity, the customer can store and process PHI in the Midaxo applications and services that are covered by the BAA.
There is no official certification for Omnibus HIPAA compliance. However, the Midaxo services covered under the BAA have been audited and are included in Midaxo’s ISO/IEC 27001 certification.
Midaxo fulfills the HIPAA and HITECH compliance requirements for business associates. In particular, Midaxo fulfills the general, administrative, physical, technical, and organizational requirements and has appropriate policies and procedures for business associates in compliance with Omnibus HIPAA, as stated in HIPAA §164.306 to §164.318.
It should be noted that, while Midaxo ensures the confidentiality, integrity, and availability of all customer data within our service, we also give broad usage rights over that data to our customers’ administrative users. Even though Midaxo takes every precaution to protect the data appropriately, it is possible for our customers to manage the data within their own Midaxo account in a way that would jeopardize their compliance with HIPAA. To help our customers maintain their HIPAA compliance while using Midaxo, here are some procedures and precautions that should be considered:
- Permanent deletions. Midaxo gives customer administrators the choice to either archive or permanently delete data. We recommend that our HIPAA-covered customers do not use the permanent delete option.
- Sharing data. Midaxo offers strong access controls and permission management. To maintain HIPAA compliance, customer administrators should only share data as appropriate, according to HIPAA requirements.
- Saving PHI data. Even though we are Omnibus HIPAA compliant, we recommend considering whether there really is a need to store PHI in Midaxo at all.
- Audit log. We provide customer-specific audit logs to customer administrators, should you need to present system activity data while you are being audited.
CLOUD SECURITY ALLIANCE (CSA) STAR REGISTRY
We participate in the CSA STAR security assurance program at the Self-Assessment level. CSA STAR provides a meta-matrix of cloud-specific security controls that are mapped to several standards, best practices, and regulations. We feel that by making this information about our security practices public, we are readily providing answers to the questions you would likely ask us anyway, and we are also promoting industry transparency in general. If we have not stated our compliance with your preferred standard or practice, there is a good chance that our completed Consensus Assessments Initiative Questionnaire (CAIQ) will contain answers to your key concerns about our security practices.
What is GDPR?
On May 25, 2018, the EU General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC. The new law is expected to harmonize data privacy laws across Europe to protect the personal data of all EU citizens. It aims to reshape the way organizations within and outside the EU approach data privacy. The purpose of the GDPR is to protect all EU citizens from privacy and data breaches.
GDPR and Midaxo
At Midaxo, customer data protection is our top priority. The technical implementation of the Midaxo platform is designed to meet strict data security regulations. As data controllers, Midaxo customers have complete ownership of their data. The Midaxo platform supports data controllers by enabling customer users to keep personal data secure and up to date and to exercise the rights over their own personal data. The Midaxo platform architecture is based on the fundamental principles of ‘Privacy by Design’ and ‘Privacy by Default.’ In a nutshell: be at ease, the Midaxo platform is fully compliant with GDPR.
As an organization, Midaxo has evaluated, together with subject matter experts in Europe, the new restrictions that the GDPR will impose. We have identified the affected areas within the company and have taken the necessary steps to ensure compliance with the law. If you have any questions, please feel free to contact us.
For more information, read our article GDPR Compliance: New Rules for M&A.
BACKUPS AND REDUNDANCY
The Midaxo Platform servers and all customer data are automatically backed up on a daily basis. Backups are stored at a separate off-site location in Frankfurt, Germany for EU customers and in Ohio for US customers. All off-site files are encrypted with AES-256. The backup cycle is one year.
All customer data can be fully recovered in case of hardware failure or an outage of the Amazon service.
With questions, comments, or doubts, please contact firstname.lastname@example.org.
Information We Collect Using Cookies and How It Is Used
You are free to explore our website without providing any information about yourself. When you visit our website or register for our services, we request that you provide Personal Information about yourself, and we collect Navigational Information.
Personal Information refers to any information that you voluntarily submit to us and that identifies you personally, including contact information, such as your name, e-mail address, company name, address, phone number, and other information about yourself or your business. Personal Information can also include information about you that is available on the internet, such as from Facebook, LinkedIn, Twitter and Google, or publicly available information that we acquire from service providers.
Navigational Information refers to information about your computer and your visits to this website, such as your IP address, geographical location, browser type, referral source, length of visit, and pages viewed. We use this information to operate and improve our website. We may also use Navigational Information alone or in combination with Personal Information to provide you with personalized information about Midaxo.