Trust at Medallia
The experience you provide your customers never stops, and neither do we. As the market leader in Customer Experience Management (CEM), we are trusted by the world’s most revered companies to handle their data. We know how critical data security is to our customers—many of whom operate in highly regulated industries like finance, healthcare, and telecom—and we maintain industry-leading practices to protect that data. Here’s an overview of how we have built security at Medallia.
We believe in taking a proactive stance on securing our systems and applications. We follow industry best practices, as well as our customers’ recommendations, to harden our systems. When it comes to our application, our developers follow industry best practices during the software development lifecycle, including OWASP Top 10 and relevant technology specific guidelines. We rigorously test our code prior to and after the deployment to production.
Data Center Security
A SaaS platform with enterprise-grade security features, and it’s not in the cloud? That’s right. We own and maintain the backend infrastructure where customer data is stored. We use data centers in various geographic locations for continuity and regulatory purposes, which are Tier III, SOC 2 and/or ISO 27001 certified. Our data centers have common security practices, including closed-circuit video monitoring and 24/7-manned guards, and require the use of biometric access controls to our locked cages.
Our customer’s data – and the security of that data – is of utmost importance to us, which is why we provide our customers with complete control over their data. We also provide completely configurable settings, including granular role-based access and IP whitelisting capability. Our application supports the use of SAML for Single Sign-On, and all communications between the customer, and our servers are encrypted using TLS. And, our security architecture ensures segregation of customer data.
We utilize both internal and external services to perform continuous scanning and monitoring of our network and application. We also conduct regular vulnerability scans, risk assessments and penetration tests.
We strive to be industry leaders in regulatory requirements and compliance – which is why we are the only CEM platform that is SOC 2 compliant and ISO 27001 certified. Our processes and controls are regularly audited by internal and external parties, including customers and independent assessors. We have also successfully undergone audits and are compliant with ISAE 3000 and HIPAA, and have attained certification under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield frameworks.
General Data Protection Regulation (GDPR) Compliance
Medallia is passionate about ensuring that our clients are able to comply with data privacy regulations, including the European Union’s GDPR, which goes into effect in May 2018. We provide our clients with enterprise-grade controls to manage, govern access and ensure security of personal data housed in Medallia Experience Cloud. As required by GDPR, Medallia allows our clients to correct, export, or permanently delete personal information associated with an individual survey taker or employee. Medallia also purges personal data from internal processing systems to minimize the data we retain per GDPR Article 5. Please visit our GDPR page to find out more how Medallia is setting the bar for CX data protection.
To report an incident, concern, or for general security questions, please email [email protected]