Last updated: September 2022
At Mentorloop, we take privacy and security seriously. We publish this documentation to show our commitment to you, our customers, and our staff, and we aim to answer all of your information security questions here. Because information security is an ever-evolving field, these documents are continually updated and refined as our security posture improves.
Governance, risk management, and compliance (GRC)
We are committed to best-practice privacy and security policies and procedures. We are building toward ISO 27001 compliance, and while we're a bit early for certification, this and other standards inform our information security management.
Mentorloop is a Cyber Essentials certified company.
Our controls are verified by external auditors: we require secure (TLS) connections for all participants and encrypt all data at rest, and we follow application security best practices. Mentorloop hosts all data with leading cloud providers (Amazon Web Services and Google Cloud), both of which operate secure, independently audited data centres. Data is hosted in Australia or the United Kingdom, depending on the location of your mentoring program.
We take the data of our customers very seriously. In addition to our own information security practices, we use third-party security services and network scanning tools to find and reduce vulnerabilities and threats to your data.
Mentorloop is also registered with the ICO, the UK's Data Protection Regulator.
Mentorloop is GDPR-compliant, with more detail available in this article: GDPR - How We've Handled It.
This document covers how Mentorloop identifies the activities critical to the stable operation of the organisation; develops a considered, planned and tested response to any incident that impairs one of these critical business activities; and documents the process for restoring regular operation of those activities after an incident.
Contains: Critical business activities; Regular operation of the Mentorloop application; Incident response plan; Incident response team; Key contacts; Disaster recovery plan; Unavailability of office or facilities.
Our risk management process has been developed in accordance with the guidelines of ISO 31000:2018. The risk management process consists of the following steps: identify, analyse, control, monitor & review, report.
Mentorloop is compliant with the Australian Privacy Act (1988) including the Australian Privacy Principles (APPs).
Contains: Collection of personal information; Cookies and other analytics tools; How we use personal information; Disclosure of personal information to third parties; How we look after your personal information; Retention; International transfer of personal information; Amendments; Complaints.
This policy outlines behaviours expected of employees when dealing with company and customer data and provides a classification of the types of data with which they should be concerned. Access to data follows the principle of least-privilege.
Mentorloop staff are primarily located in Melbourne, AU with additional staff in the UK.
Mentorloop is a data controller and, because it operates in the EU as well as Australia, adheres to the guidelines set out in the General Data Protection Regulation (GDPR). This policy applies to all employees, contractors, volunteers, students, graduates and others on work experience, and anyone who has permanent or temporary access to Mentorloop systems, data, or hardware.
Contains: Employee requirements; Data privacy; Handling and transferring sensitive data; Workstations and equipment; Social media and internet access standards; Security incident reporting; Password policy; Security awareness checklist.
This policy covers information security controls for the Mentorloop application, including identity management, access controls, data centre management, and monitoring and logging.
Contains: Data sovereignty and data centre management; OS maintenance and patching; Audit logging and monitoring; Acquisition of information systems; Administrator access and identity management; Data segregation; Data classification; Backups and disaster recovery; Vetting of third parties; Vetting of employees.
This document explains how Mentorloop verifies and responds to security incidents: maintaining system continuity, minimising impact, determining how an incident occurred, preventing recurrence, and improving our security response.
Contains: Incident response and disclosure policy; Identifying security incidents; Investigating potential security incidents; Responding to an incident; System recovery; Follow up; Notifications.
Mentorloop cloud architecture
This document outlines the Mentorloop application architecture and how it is managed. Application data centres are located in Sydney, AU and London, UK; a mentoring program is hosted in one or the other, depending on the customer's primary location. All data in transit is sent over TLS 1.2 or above, and all application data is encrypted at rest. The application is protected by multiple layers of controls, including a Web Application Firewall (WAF).
Please contact email@example.com to request this documentation.
Contains: Infrastructure management (application servers and database instances); Server maintenance and management; System access and identity management; Network design; Data storage, transfer, & encryption; Platform access control; Roles and permissions; Account provisioning and deprovisioning.
Web application penetration testing is performed annually by an authorized third party.
The Mentorloop application provides the following authentication methods: password, social sign-on with LinkedIn and Google, and single sign-on via SAML with Azure AD and Okta. Read more about Single sign-on with Mentorloop.
Mentorloop staff administrator access is secured with multi-factor authentication (MFA). Given the nature of the information stored in the Mentorloop platform (it is not financial or health data), we do not consider MFA for mentoring program participants a necessary step; it would instead create barriers to mentoring. If MFA is required for program participants, it can be enforced by the identity provider as part of the SSO configuration for the program.
Mentorloop integrates with several apps to give your participants the best mentoring experience possible. We offer calendar integration, video conferencing and scheduling with Zoom and Microsoft Teams, and notifications via Slack.
Mentorloop currently conforms to WCAG 2.1 at Level A and is working toward Level AA conformance. Some parts of the platform already meet Level AA, and some Level AAA.
This document covers operating system and browser support and other IT considerations.
Mentorloop uses several third-party platforms to operate. To maintain GDPR compliance and to manage risk, we keep a third-party register of these platforms, including each platform's own status with regard to compliance with relevant privacy legislation.
Please contact firstname.lastname@example.org to request this documentation.
Usage terms, policy, and guidelines
To maintain the secure and effective operation of the Mentorloop application, we require participants to agree not to misuse it. This document sets out specifically what the customer agrees not to do when using Mentorloop.