Intuit Mailchimp takes data security and privacy very seriously, and we recognize that our security measures and practices are important to you. While we cannot expose too much detail around our practices (as it can empower the very people we are protecting ourselves against), we can provide general information to give you confidence in how we secure the data you entrust to us.
Data Center Security & Server Locations
- Mailchimp delivers billions of emails a month for millions of users. Mailchimp's owned and operated servers are located in world class data centers in the United States. In addition, we leverage third-party vendors who process personal data and provide services to Mailchimp. We may transfer data to those third parties as outlined in our Privacy Statement and Data Processing Addendum (DPA), and in accordance with data protection laws.
- Our data centers manage physical security 24/7 with biometric scanners and the usual high tech stuff that data centers always brag about.
- We have DDOS mitigation in place at all of our data centers.
- We have a documented "in case of nuclear attack on a data center" infrastructure continuity plan.
Protection from Data Loss, Corruption
- User accounts are segregated from each other through multiple layers of logic which prevent corruption and overlap
- Mailchimp’s technology infrastructure includes network devices such as firewalls and IDS/IPS tools, which are strategically placed to control and monitor network traffic for data loss and corruption.
- Account data is mirrored and regularly backed up off site.
Application Level Security
- Mailchimp account passwords are hashed. Our own staff can't even view them. If you lose your password, it can't be retrieved—it must be reset.
- All login pages (from our website and mobile website) pass data via TLS 1.2 or higher.
- The entire Mailchimp application is encrypted with TLS 1.2 or higher.
- Login pages and logins via the Mailchimp API have brute force protection.
- We provide the ability to enable email or SMS notifications about key activity.
- We provide the ability to enable two-factor (2FA) authentication to your Mailchimp account.
- We perform regular external and internal security penetration tests throughout the year using different vendors. The tests involve high-level server penetration tests, in-depth testing for vulnerabilities inside the application, and social engineering drills.
- The findings of our penetration tests are kept strictly confidential and are not shared externally, even under NDA. We can confirm that any findings are addressed and repaired.
Internal IT Security
- Mailchimp offices are secured by keycard access and biometrics, and they are monitored with infrared cameras throughout.
- Mailchimp facilities have at least one staffed guard station/receptionist area on premise.
- Our office network is heavily segmented and centrally monitored.
- We have a dedicated internal security team that constantly monitors our environment for vulnerabilities. They perform penetration testing and social engineering exercises on our environment and our employees. Our security team includes OSCP and CISSP certified members.
Employee Security & Safeguards
- We continuously train employees on best security practices, including how to identify social engineering, phishing scams, and hackers.
- Employees on teams that have access to customer data (such as tech support and our engineers) undergo criminal history and credit background checks prior to employment.
- All new hires and contingent workers are required to sign Non-Disclosure and Confidentiality Agreements. Additionally, they are required to attend and certify completion of training on Intuit's Code of Conduct and information security policies, including acceptable use.
- In order to protect our company from a variety of different losses, Mailchimp has established a comprehensive insurance program. Coverage includes, but is not limited to: coverage for cyber incidents, data privacy incidents (including regulatory expenses), general error and omission liability coverage, excess cyber liability coverage, property and business interruption coverage, as well as international commercial general liability coverage.
Mailchimp Compliance Certifications
Mailchimp's credit card processing vendor uses security measures to protect your information both during the transaction and after it is complete. Our vendor is certified as compliant with card association security initiatives, including the Visa Cardholder Information Security Program (CISP), MasterCard® Site Data Protection Program (SDP), and Discover Information Security and Compliance (DISC).
Our SOC 2 reports cover controls around security, availability, and process integrity of customer data.
The International Organization for Standardization 27001 Standard (ISO 27001) is an information security standard that ensures office sites, development centers, support centers, and data centers are securely managed. These certifications run for 3 years (renewal audits) and have annual touchpoint audits (surveillance audits).
Mailchimp also maintains a VPAT, or Voluntary Product Accessibility Template (VPAT®). This is a document that explains how information and communication technology (ICT) products such as software, hardware, electronic content, and support documentation meet (conform to) the Revised 508 Standards for IT accessibility.
To access and download our certifications please visit the Intuit Compliance portal here.
Safeguarding Your Account & Protecting Ourselves Against You
Yes, you heard that correctly. We can secure ourselves like Fort Knox, but if your computer gets compromised and someone gets into your Mailchimp account, that's not good for either of us.
- We monitor and will automatically suspend accounts for signs of irregular or suspicious login activity.
- In addition to our scalable algorithms, we employ another layer of human reviewers, who monitor for anomalous account and email activity.
- We monitor accounts and campaign activity for signs of abuse.
- Certain changes to your account, such as to your password, will trigger email notifications to the account owner.
- We provide the ability to enable email or SMS notifications about key activity.
- We provide the ability to enable two-factor (2FA) authentication to your Mailchimp account.
- We provide the ability to establish tiered-levels of access within accounts.
Investing in Your Privacy
- Our privacy team partners with teams across the organization to make sure our products and features comply with applicable data protection and anti-spam laws.
- We regularly review and update the legal policies that impact our relationship with you.
- We’re committed to compliance with applicable data protection laws and providing our customers with the tools to help them with their own compliance requirements.
- We retain a law firm in the EU & UK to consult on privacy and data protection laws.
- We undergo annual verification with a U.S.-based, third-party outside compliance reviewer under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Intuit and Mailchimp rely on the EU-U.S. DPF to transfer data and will rely on the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF once approved by the appropriate authorities. We are subject to the investigatory and enforcement powers of the Federal Trade Commission. You can find more information about Intuit’s and Mailchimp’s Data Privacy Framework certification here.
- We are members of groups such as ESPC, M3AAWG, ISC2, ISACA, ISSA, SANS and more.
- The leadership of our privacy organization are active members of the International Association of Privacy Professionals (IAPP) and collectively hold the CIPP/US, CIPP/G, CIPP/E, CIPM and CIPT certifications.
- Information about compliance with GDPR can be found here.
Responsible disclosure program
Mailchimp is committed to ensuring the security of our services and customer information. As part of this commitment, we encourage security researchers to contact us to report any potential weaknesses identified in any product, system, or asset belonging to Intuit. This program isn’t intended to represent a public bug bounty program and we make no offers of reward or compensation for submitting potential issues. We appreciate your commitment to improving Mailchimp services.
Responsible disclosure guidelines
Security Researchers will disclose potential weaknesses in compliance with the following guidelines:
Do
- Share the security issue with us before making it public (e.g., on message boards, mailing lists, or other forums).
- Wait until we provide you notification that the vulnerability has been resolved before you disclose it to third parties. We're focused on the security of our customers and our systems, and some vulnerabilities take longer than others to address.
- Provide a clear, concise description of the steps needed to reproduce any vulnerability you submit.
- Provide the complete details related to the security issue, including proof-of-concept (POC) URL, as well as the details of the system(s) where tests have been conducted.
Don't
- Don’t cause harm to Mailchimp, Intuit, its customers, shareholders, partners or employees.
- Don’t engage in any act that may cause an outage or stop any of Mailchimp’s services.
- Don’t engage in illegal activities or any acts that violate any international laws or regulations, or federal or state laws or regulations.
- Don’t store, share, compromise or destroy any Mailchimp data or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify Mailchimp.
- Don’t conduct fraudulent activity or complete fraudulent financial transactions as part of your research.
Out-of-scope vulnerabilities
The following types of vulnerabilities are out of scope for this program:
- Phishing
- Social engineering
- Physical security assessments
- Any form of denial of service (DoS) attack
Submission Guidelines
All potential weaknesses submitted must include enough information to reproduce and validate the issue. Documentation should include a detailed summary of the issue, targets, steps performed, screenshots, tools utilized, and any information that will help Intuit during triage.
If you follow these guidelines and responsibly disclose any security weaknesses directly to Intuit, we agree not to pursue legal action against you. Mailchimp reserves its legal rights in the event of noncompliance with program guidelines.
Mailchimp will review and promptly acknowledge any submitted issue within three business days of submission through its web form, found here: Responsible Disclosure Form