Information Security Terms

Policies and Procedures. MediaMath has developed, maintains, and enforces policies and procedures applicable to information security. Policies are reviewed at least annually. MediaMath revises policies and procedures as necessary to address contemporary threats and incorporate, where applicable, relevant advances in security techniques and practices.

Security Roles and Responsibilities. MediaMath has dedicated information security personnel. Certain MediaMath personnel have defined security responsibilities that are appropriate to their respective roles and functions.

Risk Management Program. MediaMath performs a security risk assessment annually.

Third-Party Audit. MediaMath has SOC 2 Type II certification from an independent audit firm.

Awareness and Training. MediaMath personnel are required to complete security training annually. MediaMath provides personnel with timely information about important or noteworthy threats. MediaMath provides personnel with reminders about security policies, procedures, and practices.

Account Provisioning. MediaMath has policies and procedures for the lifecycle management of user accounts. The policies and procedures facilitate appropriate oversight and approval, role-based authorization, the principle of least privilege, record-keeping, and regular review and audit. For each facility, network, and system, MediaMath identifies authorized personnel who may grant, amend, and revoke access and, for such roles, implements appropriate separation of duties.

Privileged Accounts. MediaMath limits privileged accounts to personnel who have a valid organizational or technical need for such accounts. MediaMath performs recertification of privileged accounts at least bi-annually.

Authentication. MediaMath uses industry-standard practices to identify and authenticate users who attempt to access MediaMath facilities, networks, and systems. MediaMath implements password complexity and length rules for MediaMath personnel. MediaMath implements multi-factor authentication (MFA) for certain corporate and production systems. MediaMath provides customers with the ability to implement SSO authentication for their respective user accounts in MediaMath’s TerminalOne (T1) application. MediaMath logs access events.

Network Security Measures. MediaMath implements perimeter security measures such as firewalls, Access Control List (ACL) methods, and functionally equivalent security measures. MediaMath requires that personnel use a Virtual Private Network (VPN) for access to certain corporate and production environments. In addition, MediaMath implements MFA for access to the production VPN. For certain infrastructure, MediaMath uses network intrusion detection or prevention technologies. MediaMath logs network connections and certain traffic.

Encryption. MediaMath supports Transport Layer Security (TLS) to encrypt non-public Client information in transit between MediaMath’s web servers and its clients’ browsers.

Monitoring.  MediaMath has implemented a security information and event management (SIEM) tool to help provide real-time analysis of security alerts generated by systems (including network devices, servers, cloud infrastructure, and critical applications).

Workstation Security. MediaMath has policies in place that define MediaMath-issued laptop configuration, acceptable use of MediaMath-issued laptops, and restrictions on the use of personal (non-MediaMath-issued) hardware to access MediaMath networks and applications. MediaMath-issued laptops have host-based anti-malware (anti-virus), full-disk encryption, and inactivity lockout measures.

Vulnerability Management. MediaMath conducts vulnerability scanning at least  monthly. MediaMath uses outside sources (e.g. SANS, CERT, etc.) for information and guidance. MediaMath requires that all applicable personnel review and uphold the MediaMath Security Patch Management Standard. MediaMath patches production operating systems in a timely manner based on risk-based analyses that incorporate severity rating, the nature of the operating system and applications, the nature of any data, and other factors.

Software Security Review. System changes (major changes) which introduce a new application or service or are fundamental changes to the architecture of an existing application undergo a security review.

Change Management. MediaMath has formalized change management processes, which require identification and recording of significant changes, assessment of risk and potential impacts of such changes, approval of proposed changes, communication of change details to relevant individuals and teams, appropriate testing to verify operational functionality, and rollback protocols. MediaMath change management processes implement separation of duties. Emergency procedures may depart from MediaMath’s standard change management processes.

Dynamic Application Testing.  MediaMath conducts continuous scanning of our customer-facing application using a Dynamic Scanning platform which provides continual assessment and annual Business Logic Testing.

Incident Response Procedures. MediaMath’s incident response procedures include but are not limited to ticketing, escalation to applicable individuals and teams, analysis, isolation of affected systems and data (where appropriate), remediation planning and execution, root cause analysis, and communication planning and execution. MediaMath will comply with applicable security incident laws, including data breach reporting regulations.

Client Notification. Where applicable and appropriate, MediaMath will notify clients promptly about verified unauthorized or unlawful access, modification, disclosure, or loss of Client Data.

Availability. Where appropriate, MediaMath implements measures to ensure the availability of Client Data. These measures include redundant copies of data and replication of data and databases.