At Mediaocean we understand how critical it is to your business to keep your information secure by making sure that it remains:
- Confidential, and only divulged to people who are authorised to access your data
- Available to authorised people upon request
- Accurate and free from loss or corruption
Mediaocean’s security program is aligned with ISO27001 for Information Security and covers control areas, including:
- Logical and physical access
- Network security
- Change control over application software development and over operational infrastructure
- Processing integrity
- Availability, resilience and data retention
- Incident management and response
- Risk management
- Vendor / third-party security assessment and risk management
A summary of our security controls is available here.
In addition, we have prepared a System Description which describes Mediaocean's information security controls and procedures in greater depth. This document gives you and your auditors an understanding of our information security policies and procedures. It also includes a list of user control considerations (practices our clients need to consider and put in place in order to ensure that information security objectives can be achieved).
Does Mediaocean have access to data?
While client security administrators manage user access for their organization, a number of Mediaocean staff members are authorized to view client data. This includes members of our Customer Experience, Engineering, Account Management, and Operations teams who provide support services. A more limited number of authorized staff members (primarily systems and database administrators) have ‘update’ access to client data. Mediaocean has a strict data maintenance policy requiring authorizations for any update to client data.
What happens with client data?
The data fed into Mediaocean applications is transferred securely to production servers hosted at a data center or cloud hosting provider. For clients based in North America and Europe, these will be located in the United States; they are located within the Asia Pacific (APAC) region for clients in APAC / China. Mediaocean is fully responsible for the administration of these servers, and the data center’s / cloud hosting provider’s employees do not have access.
The data is copied from this production environment into a Customer Experience environment accessible by authorised staff as described above. The authorised staff have write access to the Customer Experience environment to troubleshoot any reported issue. Data residing in this environment will otherwise have the same protections as the production environment.
Certification and compliance
Mediaocean’s security controls are inspected by an independent auditor. Annual SOC1 (SSAE18 / ISAE3402) and SOC2 Type 2 reports provide independent assurance of the design and effectiveness of our security. If you require a copy of our latest SOC1 or SOC2 reports, please email firstname.lastname@example.org.
All Mediaocean’s hosted systems in North America and Europe are included in the scope of these audit reports, and our systems in APAC are scheduled to be included in our 2021 reports.
Our SOC2 report covers Security, Availability, Processing Integrity and Confidentiality.
Note: Mediaocean cannot share our data center or cloud hosting providers’ audit reports because the reports are owned by these providers and are subject to distribution restrictions. For more information about how Mediaocean collects and reviews these reports, please see Vendor Management.