This document describes Marketo’s application architecture, and the technical and organizational security measures implemented for our SaaS applications.
Access Control to Business Premises and Data Centers
Marketo’s data centers where personal data is hosted implement suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment. This is accomplished by:
- unmarked facilities;
- Security check-in process required for all visitors;
- 24 hour security service, including security alarms, video surveillance and security guards;
- all access to the data centers where personal data are hosted is logged, monitored, and tracked;
- a mandatory color-coded, photo ID badge system;
- two-factor authentication required to gain access to sensitive areas of the data center;
- biometric access devices;
- closed circuit video surveillance at all entrance points on the interior and exterior; and
- Restricted physical access to Marketo servers within the raised floor of the data center limited to Marketo authorized personnel only
Marketo does not store personal data in its offices. Marketo implements appropriate physical security measures at its offices, including but not limited to the following:
- 24 hour security service provided by property owner, including security alarms, video surveillance and security guards;
- securing data processing equipment;
- personal access controlled with photo ID badges; and
- electronic card-keys.
Access Control to Data Processing Systems
Marketo implements suitable measures to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:
- providing network intrusion detections systems (IDS) and intrusion prevention systems (IPS) by enhanced firewall modules or separate IPS devices ;
- providing customers the option of data at-rest data encryption a software development process that follows the OWASP standards for building secure applications, including stringent code reviews, integration and regression testing, and full internal and external security testing for vulnerabilities;
- identification and password required to reopen closed user terminals or devices allowing access to customer data;
- automatic lock of the user ID after several erroneous passwords are entered, log file of events (monitoring of break-in-attempts);
- role-based access;
- policies restricting and limiting employee access rights to personal data, informing employees about their obligations and the consequences of any violations of such obligations, to ensure that employees will only access personal data and resources required to perform their job duties;
- all access to data content is logged, monitored, and tracked;
- access controls for Marketo SaaS application include granular permissions for various roles, design functions, campaign execution and lead database actions;
- employee access accounts are audited quarterly, and;
- all employees undergo background checks.
Marketo implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:
- use of firewall and encryption technologies to protect data in transit;
- logging and monitoring of all data transmissions;
- encryption of all remote sessions to Marketo SaaS applications using industry standard algorithms utilizing Hypertext Transfer Protocol Secure (HTTPS) using Secure Socket Layer (SSL) encryption, and;
- monitoring of the completeness and correctness of the transfer of data (end-to-end check).
Marketo ensures that personal data may only be processed in accordance with written instructions issued by its customer. Marketo implements suitable measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems or removed. This is accomplished by:
- an authorization policy for the input of data into memory, as well as for the reading, alteration and deletion of stored data;
- authentication of the authorized personnel, including individual authentication credentials such as user IDs that, once assigned, cannot be re-assigned to another person (including subsequently), as well as two-factor authentication for restricted access to production environments;
- protective measures for data input, as well as for the reading, alteration and deletion of stored data;
- utilization of user codes (passwords) of at least eight characters or the system maximum permitted number and modification at first use and thereafter at least every 90 days;
- policy requiring all employees with access to personal data processed for Marketo customers to reset their passwords at a minimum once in a 180 day period;
- automatic work station session timeouts;
- deactivation of user authentication credentials (such as user IDs) in case the person is disqualified from accessing personal data or in case of non-use for a substantial period of time (at least six months), except for those authorized solely for technical management, and;
- access logging.
Personal data entry is managed by the customer through the Marketo application user interface, which includes security features such as:
- role-based access - based on both predefined roles and the ability for customer’s administrator to create additional roles;
- access segmentation - workspaces are used to restrict data access based on data values;
- device authorization – customer login to Marketo’s application from unrecognized network locations trigger a device authorization check via an additional token verification;
- single sign on capability;
- account access locked automatically after 10 unsuccessful attempts;
- customer-controlled whitelisting and blacklisting of specified IP addresses and networks;
- configurable password complexity parameters; and
- antivirus checks and blocking of potentially unsafe files performed on all uploaded files into the customer instance.
- regular security audits including SSAE 16 SOC 1 and SOC 2 audits, vulnerability testing, internal penetration testing for every new software release and at least annual third party penetration testing;
Marketo implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by:
- Marketo’s cloud application is built with an architecture and a set of functionalities that enable customer data resiliency. . Each device in the network, including firewall, switches and intrusion detection has a failover backup to ensure maximum uptime. Dedicated routers and switches feature redundant power and connectivity to the Internet. Internet redundancy is achieved using multiple physical connections with multiple peering point providers.
- All customer data is backed up on network storage subsystems across the infrastructure. For critical information in U.S. data centers, near-line backups are mirrored over secure links and stored in remote Marketo data centers within the same jurisdiction.
- Redundant lines of communication exist to telecommunication providers providing customers with failover communication paths in the event of data communications interruption.
- Data centers are equipped with sensors to detect environmental hazards, including smoke detectors, floor water detectors and fire detection and suppression systems. Data centers are also equipped with raised floors to protect equipment from water damage.
- Data centers are equipped with uninterruptible power supplies (UPS) to mitigate the risk of short-term utility power failures and fluctuations. The UPS power subsystem is at least n+1 redundant with instantaneous failover in the event of a primary UPS failure. The UPS systems are inspected and/or serviced at least annually by a third party contractor.
- Data centers are equipped with diesel generators to mitigate the risk of long-term utility power failures and fluctuations. Generators are tested at least every 120 days and serviced at least annually by a third party contractor to maintain appropriate operability in the event of an emergency.
- Any detected physical security incident is recorded, alongside the followed data recovery procedures, and the identification of the person who carried them out.
Separation of processing for different purposes
Marketo implements suitable measures to ensure that data collected for different purposes can be processed separately. This is accomplished by:
- access to data is separated through logical application security for the appropriate users;
- each customer SaaS instance is stored on a separate database with Marketo's corporate instance separated from the customer environment.
- at the database level, data is stored in different data sets, logically separated per module or function they support; and
- interactive processes, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately.
Marketo system administrators:
Marketo implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by:
- adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months;
- audits of system administrators' activity to assess compliance with assigned tasks, the instructions received by importer and applicable laws; and
- keeping an updated list with system administrators' identification details (e.g., name, surname, function or organizational area) and tasks assigned and providing it promptly to data exporter upon request.