Keeping your data safe is a shared endeavour. Mention Me takes many technical and organisational measures to keep your customer confidential data safe as detailed in our DPA. But you also need to manage your account securely and use the tools we provide carefully.
The three areas of risk that we focus on are the client-customer data we store for the purposes of managing referrals, the vouchers you upload that we issue to customers, and the client-confidential performance data that we collect.
Mention Me's platform can be used to manage and administer your referral programmes. There are several different user roles; follow this guide for a breakdown of these.
You can have as many user accounts within Mention Me as you need.
When you onboard with Mention Me we'll help you set up one or more named Administrator accounts. These accounts can be used to provision the other accounts and we can help you set up accounts in bulk if required.
The Onboarding team will also ensure they set up 2FA for all your accounts.
What are my responsibilities for security?
- You should appoint Administrators who understand their responsibility to manage user permissions and who understand your own internal security policies around permissions and access control
- You should nominate at least one Administrator with these security duties
- You should regularly review the list of users who have access to your account
- You should immediately revoke access for any users who leave your organisation
- You should regularly review the permissions of all users and aim to set them to the least privilege required to perform their role
- You should review the business processes in place within your customer support and marketing team for the ability to add referrals, approve rewards and give out vouchers.
- You should avoid users sharing accounts - each user should be registered with an email address which uniquely identifies them
- You should educate your employees on the principles of basic internet security - such as choosing and protecting passwords, protecting themselves against phishing attacks and not sharing confidential data in insecure ways such as email.
What tools does Mention Me provide to help?
- You can easily review all your users from the Manage & Add Users section of the platform
- You can lock individual users' accounts or edit their permissions whenever you like with immediate effect
- You can optionally set up SSO (Single Sign On) via OAuth (using Google, Okta, Azure AD or Auth0) for your employees to access Mention Me directly without needing their own password at Mention Me. Other SSO authorisation providers can be integrated upon request.
- We force users to change their own passwords upon account creation to a password which is at least 10 characters long and suitably complex
- You can specify an IP range to which admin user access is restricted (so, for example, they can only access Mention Me from your office network)
- You can optionally enable an automatic 90-day password rotation for your employees
- We will automatically disable any user who has been inactive for 90 days
- We provide an audit tool for Administrators which lets you review at a glance specific behaviours of your admin users (for example who is adding users or changing permissions, who is viewing voucher codes - which could be subject to fraud - and who is creating and approving referrals)
- We provide the ability to download a full audit log of sensitive user transactions performed by your users on an ad-hoc or scheduled basis if you require
- We provide a Secure File Transfer mechanism within the platform for the easy and controlled sharing of confidential data between us.