Effective: May 1, 2020
1. This Security Overview is incorporated into and made a part of My Menu’s Terms of Service as set forth at https://www.mydigimenu.com/privacy-policy, to which Customer has agreed and accepted, or a signed Master Sales Agreement or other similar written agreement between My Menu and Customer (“Agreement”). In this Security Overview for the My Menu Service (“Security Overview”), references to “My Menu” will refer collectively to QSI ME DMCC, P.O Box 53675, Dubai, UAE and its Affiliates. The term “Customer” will refer to you, the Customer, and its Affiliates.
2. Purpose. My Menu is committed to maintaining customer trust. The purpose of this Security Overview is to describe the security program for the My Menu Service (collectively the “Services”). This Security Overview describes the minimum security standards that My Menu maintains in order to protect Customer Data (as defined in the Agreement) from unauthorized use, access, disclosure, theft, or manipulation. As security threats shift and evolve, My Menu continues to update its security program and strategy to help protect Customer Data. My Menu reserves the right to update this Security Overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Overview. Any capitalized term not defined in this Security Overview will have the meaning given in the Agreement or the Data Protection Addendum.
3. Services Covered. This Security Overview describes the architecture, administrative, technical and physical controls as well as third party security audit certifications that are applicable to the Services.
4. Security Organization & Program. My Menu maintains a risk-based assessment security program. The framework for My Menu’s security program includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Customer Data. My Menu’s security program is intended to be appropriate to the nature of My Menu Service, size and complexity of My Menu’s business operations. My Menu has a separate dedicated team that manages My Menu’s security program. This team facilitates and supports independent audits and assessments by third parties.
5. Confidentiality. My Menu has controls in place to maintain the confidentiality of Customer Data that Customer makes available to the Services, in accordance with the Agreement. All My Menu employees and contract personnel are bound by My Menu’s internal policies regarding maintaining confidentiality of Customer Data and contractually commit to these obligations.
6. Security Certificates.
6.1 AWS Certifications.
The Services use and leverage AWS data centers, which have a reputation for being highly scalable, secure, and reliable. Information about AWS audit certifications is available at the AWS Security website https://aws.amazon.com/security and the AWS Compliance website https://aws.amazon.com/compliance.
7. Architecture and Data Segregation.
My Menu Services. The cloud communication platform for the My Menu Services is hosted by Amazon Web Services (“AWS”). The AWS data center infrastructure currently used in providing the My Menu Services is located in the United States. Further information about the security provided by AWS is available from the AWS security webpage at https://aws.amazon.com/security. In addition, an overview of AWS’s security processes is available at https://aws.amazon.com/whitepapers/overview-of-security-processes. My Menu’s production environment within AWS, where Customer Data and customer-facing applications reside, is a logically isolated Virtual Private Cloud (VPC).
All network access between production hosts is restricted, using firewalls to allow only authorized services to interact in the production network. Firewalls are used to manage network segregation between different security zones in the production and corporate environments. Firewall rules are reviewed regularly. My Menu separates Customer Data using logical identifiers, tagging all communications data with the associated Customer ID to clearly identify ownership. My Menu’s APIs are designed and built to identify and allow access only to and from these tags, and to enforce access controls so that the confidentiality and integrity requirements of each Customer are appropriately addressed. These controls are in place so that one customer’s communications cannot be accessed by another customer.
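The following is an added illustration of the tenant-segregation pattern described above; it is example code written for this page, not My Menu’s own implementation, and all names in it (Message, MESSAGES, API_KEYS, lookup_message, list_messages) are hypothetical. It shows the two properties the paragraph relies on: every stored record carries an ownership tag (the Customer ID), and the API derives the caller’s Customer ID from the authenticated credential rather than from anything the client sends. A deliberately flawed variant is included beside the hardened one to show what goes wrong when the customer identifier is taken from the request.

```python
"""Tenant-scoped record access (added example, not My Menu's code).

Every record is tagged with the owning Customer ID at write time, and the
API resolves the caller's Customer ID from its credential only. All data
below is constructed for the example.
"""
from dataclasses import dataclass
import hmac


@dataclass(frozen=True)
class Message:
    message_id: str
    customer_id: str  # ownership tag applied when the record is stored
    body: str


# Constructed sample data: two tenants, three communications records.
MESSAGES = {
    "m-1001": Message("m-1001", "cust-A", "Table 4: two espressos"),
    "m-1002": Message("m-1002", "cust-A", "Table 9: check please"),
    "m-2001": Message("m-2001", "cust-B", "Order #77 ready"),
}

# Constructed credential -> Customer ID mapping (hypothetical API keys).
API_KEYS = {
    "key-for-A": "cust-A",
    "key-for-B": "cust-B",
}


class Forbidden(Exception):
    """Caller could not be authenticated."""


class NotFound(Exception):
    """Record does not exist *for this caller*."""


def authenticate(api_key: str) -> str:
    """Resolve an API key to the tenant that owns it.

    Constant-time comparison so the lookup does not leak key material
    through timing. Returns the Customer ID; raises Forbidden otherwise.
    """
    for known, customer_id in API_KEYS.items():
        if hmac.compare_digest(known, api_key):
            return customer_id
    raise Forbidden("invalid API key")


def lookup_message_vulnerable(api_key: str, customer_id: str,
                              message_id: str) -> Message:
    """Anti-pattern: authenticates the caller, then trusts the customer_id
    the client supplied. Any authenticated tenant can read any record whose
    ID it can guess, because the tag check is against the wrong value."""
    authenticate(api_key)
    msg = MESSAGES.get(message_id)
    if msg is None or msg.customer_id != customer_id:
        raise NotFound(message_id)
    return msg


def lookup_message(api_key: str, message_id: str) -> Message:
    """Hardened: the tenant scope comes only from the credential, and the
    record's ownership tag is compared against it. A tag mismatch raises
    the same NotFound as a missing record, so another tenant's record IDs
    are not confirmed to exist."""
    caller = authenticate(api_key)
    msg = MESSAGES.get(message_id)
    if msg is None or msg.customer_id != caller:
        raise NotFound(message_id)
    return msg


def list_messages(api_key: str) -> list[str]:
    """List record IDs visible to the caller: filtered by the tag, never by
    a client-chosen identifier."""
    caller = authenticate(api_key)
    return sorted(m.message_id for m in MESSAGES.values()
                  if m.customer_id == caller)


def is_denied(fn, *args) -> bool:
    """True if the call is refused (Forbidden or NotFound), False if it
    returns a record. Used to check isolation from the outside."""
    try:
        fn(*args)
    except (Forbidden, NotFound):
        return True
    return False


if __name__ == "__main__":
    print(lookup_message("key-for-A", "m-1001").body)
    print("cross-tenant read blocked:", is_denied(lookup_message, "key-for-B", "m-1001"))
    print("vulnerable variant leaks:", not is_denied(lookup_message_vulnerable,
                                                    "key-for-B", "cust-A", "m-1001"))
```

The check worth carrying into a test suite is the last one: an authenticated tenant B presenting tenant A’s record ID must get the same response as for a record that does not exist. Any code path that accepts a customer identifier from the request body, query string or URL, as the vulnerable variant does, defeats the tagging regardless of how carefully the tags are applied at write time.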
8. Physical Security. AWS data centers that host the My Menu Services are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. More details about the physical security of the AWS data centers used by My Menu for the My Menu Services are available at https://aws.amazon.com/whitepapers/overview-of-security-processes.
9. Security by Design. My Menu’s Security Development Lifecycle (TSDL) standard defines the process by which My Menu creates secure products and the activities that product teams must perform at each stage of development (requirements, design, implementation, and deployment). My Menu security engineers perform numerous security activities for the Services, including:
internal security reviews before products are launched;
threat modeling for the My Menu Services, including documenting any detected attacks.
10. Access Controls.
Provisioning Access. To minimize the risk of data exposure, My Menu follows the principle of least privilege through a team-based access control model when provisioning system access. My Menu personnel are authorized to access Customer Data based on their job function, role and responsibilities, and such access requires the approval of the employee’s manager. Access rights to production environments are reviewed at least semi-annually. An employee’s access to Customer Data is promptly removed upon termination of their employment. In order to access the production environment, an authorized user must have a unique username and password and be connected to My Menu’s Virtual Private Network (VPN). Before an engineer is granted access to the production environment, the access must be approved by management and the engineer is required to complete internal training for such access, including training on the relevant team’s systems. My Menu logs high-risk actions and changes in the production environment.
11. Change Management. My Menu has a formal change management process to manage changes to software, applications and system software that will be deployed within the production environment. Change requests are documented using a formal, auditable system of record. Before a high-risk change is made, an assessment is carried out that considers the impact and risk of the requested change, evidence of the applicable testing for the change, approval of deployment into production by the appropriate approver(s), and roll-back procedures. Every change is reviewed and tested before being deployed to production.
12. Encryption in Transit. For the My Menu Services, My Menu’s cloud platform supports TLS 1.2 to encrypt network traffic transmitted between a Customer application and My Menu’s cloud infrastructure.
13. Security Incident Management. My Menu utilizes AWS platforms and third-party tools to detect, mitigate, and help prevent Distributed Denial of Service (DDoS) attacks.
14. Backups and Recovery. My Menu performs regular backups of My Menu account information and other critical data using Amazon cloud storage. Backup data is retained redundantly across availability zones and is encrypted in transit and at rest using 256-bit Advanced Encryption Standard (AES-256) server-side encryption.