At Marketo, security, integrity, and the availability of our customers' data is a top priority. We believe this is vital to their business operations and to our own success. Therefore, we use a multi-layered approach to protect and monitor this information.
Customer Data Protection
Marketo's products are accessed across the Internet from secure and encrypted connections (SSL 3.0/TLS 1.0) using high-grade 128 bit certificates.
- Backup tapes are securely transported offsite and are securely destroyed when retired
- Each customer data stored in separate databases
- Individual user sessions are protected by unique session tokens and re-verification of each transaction
Marketo tests all code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities.
- Marketo's SaaS services are based on proven and secure Open Source solutions and custom applications
- Applications and servers are regularly patched to provide ongoing protection from exploits
- Third-party assessments conducted regularly:
- Application vulnerability threat assessments
- Network vulnerability threat assessments
- Selected penetration testing
- Every major SaaS software release tested by QA and security teams for full scope of OWASP security risks
Physical and Environmental Security
Our service is hosted in dedicated spaces at top-tier data centers. The datacenter provider maintains:
- Biometric scanning for controlled data center access
- Security camera monitoring at all data center locations
- 24x7 onsite staff provides additional protection against unauthorized entry
- Unmarked facilities to help maintain low profile
- Redundant HVAC (Heating Ventilation Air Conditioning) units which provide consistent temperature and humidity within the raised floor area
- Sensors to detect environmental hazards, including smoke detectors and floor water detectors
- Raised flooring to protect hardware and communications equipment from water damage
- Fire detection and suppression systems (dry-pipe, pre-action water-based)
- Redundant (N+1) UPS power subsystem with instantaneous failover
Network Access Controls
- Network access to and from Marketo DMZ is controlled by dedicated firewall devices
- Access to Marketo servers require use of VPN with multi-factor authentication and extensive access monitoring
- Distributed Denial of Service (DDoS) mitigation services are used to protect servers
- Information Security team (including datacenter security team) monitors internal and external security events and implements corrective actions
- Systems access logged and tracked for auditing purposes
- Application access logs are collected and analyzed according to internal security procedures
- Marketo has Safe Harbor certification
- Marketo is SSAE 16 certified1
- Marketo is member of MAAWG (Messaging Anti-Abuse Working Group)
- Access to customer data restricted to authorized personnel only, according to documented processes
- Access to SaaS servers is limited, logged and tracked for auditing purposes
- All employees in engineering, operations, and technical services (including datacenter staff) have extensive background check as a condition of employment.
- Security policies include:
- Customer Data Handling policy
- Secure document-destruction policies for all sensitive information
- Marketo has dedicated IT security personnel
- All employees (including datacenter employees) are trained on documented information security and privacy procedures
Service Availability Controls
- Availability of all critical service components provided by multi-layer clustering solutions
- All data are backed up to tape offsite at each data center, on a rotating schedule of incremental and full backups
- Dedicated routers and switches feature redundant power and connectivity to the Internet. This is provided by redundant fibre and Internet backbone connectivity providers.
- Datacenter disaster recovery and business continuity plans independently audited
1 SSAE 16 is an auditing standard by which a third-party auditor evaluates the controls in place for physical and logical security, privacy, incident response, and more.