Information Security Program

Infrastructure Security

We secure our infrastructure, both in the cloud and at data centers, to prevent malicious access of our network, servers, and applications. This includes controls for physical and virtual access, monitoring, and user authentication.

Data Center Security

To secure our data centers, we:

Manage servers at the MeridianLink co-location data center and in the cloud. 
Utilize a disaster recovery co-location data center. 
Ensure our data centers have appropriate physical security including: 
- Power 
- Climate and temperature controls
- Fire detection and suppression 
- Motion sensors, alarms, and video cameras

Network & Endpoint Security

To secure our network and endpoints, we:

Maintain a Web Application Firewall (WAF) in front of network endpoints. 
Maintain a firewall default-deny policy.
Require all changes to firewall configuration to go through a change approval process. 
Require all system logs to be forwarded to the SIEM.  Logs are monitored 24x7x365.
Require servers and applications to adhere to MeridianLink configuration hardening standards including:

Disabling default passwords
Disabling unnecessary ports and services
Changing default accounts

Vulnerability Management

To manage vulnerabilities, we:

Perform vulnerability scanning monthly. 
Remediate scan results based on our vulnerability management program. 
Deploy patches at least monthly. 
Deploy critical patches on an emergency basis. 
Engage a third-party security company to perform an annual web application penetration test.

Data Security

We protect client data with best-in-class processes, including data segregation between environments and products, data encryption at rest and in transit, and secure data access methods.

Encryption

To secure MeridianLink and client data, we:

Encrypt all PII data at rest using AES 256-bit encryption.
Encrypt all PII data in backups at rest using AES 256-bit encryption.
Encrypt all data in transit using TLS 1.2.
Require encryption keys to be stored securely.

Employee Access Control

To restrict employee access to data, we:

Require MeridianLink employee access to be role-based, applying the principle of least privilege. 
Require MeridianLink employees to use privileged accounts distinct from their day-to-day accounts and multi-factor authentication.

Application Security

We design our applications with security at the forefront. This involves security working directly with our product teams during the design phase, security testing during development, and penetration testing after development.

Applications

To secure our applications, we:

Maintain and update secure code standards annually. 
Train MeridianLink developers based on the OWASP Top Ten annually. 
Utilize SAST and DAST testing on all code prior to release. 
Perform a third-party penetration test annually and for major changes.

Product Security

We design our products with multiple security features to best protect our clients and their business. This includes password settings, two-factor authentication, client-managed access controls, and audit logging. 

Authentication

To enable secure customer access to our products, we:

Require user account passwords to be salted and hashed. 
Give customers the option to enable multi-factor authentication.
Require customers to configure authentication standards for their application including:
- Password length 
- Password complexity 
- Password history 
- Password expiry

Access Control

To restrict access to our products, we:

Have role-based access configurable by MeridianLink customers.
Empower an account to act as system administrator by the customer.

Operational Security

We ensure our employees are prepared to deal with common security threats. This includes annual security awareness training and secure development. We have policies in place to ensure the security of the MeridianLink organization. 

Personnel Security

To ensure operational security, we:

Require employees to undergo background checks before employment.
Require employees to comply with confidentiality agreements and follow MeridianLink’s Acceptable User Policy.

Security Training

To ensure employee preparedness, we:

Require employees to undergo annual security awareness training. 
Require developers to take additional secure development training. 
Test all employees on a regular basis with phishing simulations.

Vendor / Third-Party Risk Management

To manage risks from vendors and third parties, we:  

Require all third parties to undergo security assessment at engagement and annually thereafter. 
Require third parties to meet MeridianLink security guidelines.

Business Continuity & Disaster Recovery

We ensure our systems continue running in case of interruption with a business continuity and disaster recovery program. Testing is performed annually to ensure we can meet guarantees to clients. Robust data backup and recovery systems are deployed to ensure resiliency and protection of client data.

Resiliency 

To ensure resiliency, we:

Require all critical systems to have full and incremental backups taken as necessary. 
Require backup data to be replicated to the disaster recovery data center. 
Require all backups to have PII data encrypted using AES 256-bit encryption. 
Perform an annual DR test and update the DR plan annually.

Incident Management & Response

We maintain an incident response plan to ensure timely and effective response to security events. Logs are monitored 24/7 by a SOC and escalated as appropriate based on triage.

Incident Response 

To ensure an effective response to all incidents, we:

Require application, system, and security logs to be forwarded to a SIEM. 
Configure SIEMs to alert the MeridianLink information security team. 
Require security events to be handled by an incident response team. 
Require customers to be notified in the event of a security breach. 
Require suspected security incidents to be handled by the MeridianLink security team.

MeridianLink Information Security Program