MailGate Security Statement

February 2023

This statement is issued to support the Security Policy of MailGate, LLC and its affiliates (collectively, “MailGate”), which defines the security framework at MailGate. It declares MailGate’s commitment to provide products and services that meet or exceed our external and internal customers' security requirements and to continually improve our efficiency and effectiveness in doing so.

Security at MailGate is designed, operated, and controlled to continually assure that:

  • MailGate’s infrastructures and assets are protected
  • Customer data that are stored and processed as part of the SaaS and Cloud services we provide are protected
  • Products and services that MailGate builds and sells are secure by design and tested to comply with industry-level security best practices
  • MailGate complies with data protection regulations, including EU GDPR

MailGate Security Policies and Procedures

All security policies and procedures are documented as part of our Information Security Management System (ISMS). MailGate employees and contractors acting on MailGate’s behalf are required to cooperate with and support MailGate’s pursuit of security and continual improvement, and to adhere to the policies and procedures contained within the ISMS.

Secure Software Development Lifecycle (SSDLC)

MailGate continually examines security tools and methodologies. Our SSDLC methodologies and processes include best practices adopted from Build Security-In Maturity Model (BSIMM) and OWASP Open Source Software Assurance Maturity Model (OpenSAMM). MailGate’s SSDLC defines the secure development procedures and the security gates each MailGate product must pass before being released to customers. Our secure development controls include:

  • Security of communication protocols and OWASP best practices
  • Threat Modeling
  • Third party / open-source software composition analysis (SCA)
  • Attack surface analysis
  • Dynamic application security testing (DAST)
  • Static application security testing (SAST)
  • Manual pentesting

Developer Security Training

MailGate R&D teams undergo continual training to reinforce security topics, using commercial training platforms and in-house developed classes and materials, including:

  • Mandatory secure development training completed by all developers covering a wide spectrum of Application Security topics
  • Supplemented by internal security education workshops
  • Bi-Annual training to keep skills current
  • Advanced Role-based Certifications and Training for developers
  • Hands-on Programming Challenges, Assessments, and Tournaments

Penetration Tests

MailGate performs automatic security scans. Some customers conduct penetration testing externally and share the findings back with MailGate for review.

Data Protection

MailGate maintains GDPR compliance through a thorough set of policies and procedures which guide best practice behavior of our IT and consulting organizations, provide processes for risk assessment and risk management, and drive action plans to resolve issues in a timely manner.

Responsible Disclosure

If you’ve discovered a security vulnerability, we want to hear about it. Please see our policy on how to disclose it in a responsible manner.

To report a security finding, please email us at [email protected].

MailGate requests that you don’t post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability. We’ll work with you to make sure we understand the scope of the issue and fully address any potential security issues.
