Security and Compliance Policy

Purpose of the Document

This document provides an overview of the security and compliance measures implemented by Mumble to ensure the protection of the digital platforms and services we develop, deploy, and maintain for our clients. Our goal is to deliver a secure, resilient, and compliant environment that mitigates cybersecurity risks and ensures robust data management practices.

Intended Audience

This document is intended for:

• Clients and partners utilizing Mumble's services.

• IT and compliance officers requiring information on data security measures.

• Vendors and collaborators who must adhere to our security standards.

Core Security Principles

Mumble follows a proactive security approach based on the following principles:

• Privacy by Design: Data protection is embedded at every stage of development.

• Zero Trust Architecture: Access and privileges are restricted to the minimum necessary.

• Defense in Depth: Multiple layers of protection are implemented to mitigate security risks.

• Continuous Monitoring: Our infrastructure is continuously analyzed and monitored to detect and address potential threats.

• Compliance and Regulatory Alignment: We adhere to industry-leading security and data protection standards to ensure regulatory compliance.

This document will be periodically updated to reflect emerging threats and the latest security best practices adopted by Mumble.

Regulatory Compliance

Mumble is fully compliant with relevant security and data protection regulations, including GDPR and NIS2. While we do not hold formal ISO 27001 certification, our operational practices align with its key principles, ensuring adherence to stringent security, risk management, and data protection measures. These frameworks serve as the foundation for our security practices, ensuring adherence to best practices in data protection, risk management, and operational resilience.

Infrastructure Security

Cloud Infrastructure

Mumble's entire network operates on AWS, with each project allocated to a separate AWS account. This ensures clear billing separation and robust isolation of environments, enhancing security and operational efficiency. Mumble's infrastructure is entirely based on AWS and Cloudflare, ensuring high availability, scalability, and security. Unless specifically requested otherwise, we primarily utilize AWS eu-south-1 (Milan) and eu-central-1 (Frankfurt) regions to ensure data residency within Europe and compliance with applicable regulations.

Cloudflare Security Services

Mumble enforces Cloudflare as a strict security requirement for all shared infrastructures. Its adoption is recommended for dedicated infrastructures but ultimately left to the client’s decision. In rare cases where domain control is not possible for nameserver modifications, Cloudflare is not used—although this is highly discouraged. In such cases, we implement alternative security layers based on the defined architecture to ensure robust protection.

Whenever Cloudflare is in use, it provides:

• DDoS Protection: Automated mitigation of large-scale attacks.

• Web Application Firewall (WAF): Filtering of malicious traffic and blocking vulnerabilities.

• Global Content Delivery Network (CDN): Enhanced website performance and availability.

• Bot Management: Identification and mitigation of automated threats.

Data Retention and Privacy Compliance

Mumble's data retention policy is always established in agreement with the client, based on the specific project requirements. Regardless of the individual project specifications, our retention policies fully comply with GDPR regulations. Clients and their final users retain full rights to access and request deletion of their data, either through automated mechanisms where applicable or by direct request. Similarly, data anonymization and pseudonymization are applied as GDPR requires, ensuring compliance with data protection and privacy standards.

Data Backup and Retention

Regular backups are performed daily and retained for a minimum of one week, ensuring data availability and disaster recovery readiness. To maximize resilience and reliability, backups are typically stored redundantly across multiple layers:

• Multi-layered Redundancy: Backups are stored locally on the server, copied to Amazon S3, and reinforced with automated EBS snapshots for additional protection.

• RDS Backups: Fully managed by AWS, with automatic snapshots and point-in-time recovery options to ensure database integrity.

• Code Repositories: All source code is version-controlled and securely stored on GitLab or GitHub, ensuring redundancy, version history, and streamlined collaboration.

Storing code in Git-based repositories offers multiple benefits:

• Version Control: Every change is tracked, making it easy to revert to previous versions if needed.

• Collaboration & CI/CD Integration: Facilitates seamless team collaboration and integrates with automated testing and deployment pipelines.

• Security & Access Control: Enforced authentication, role-based permissions, and audit logging ensure code integrity and controlled access.

• Geo-Redundancy: Cloud-based repositories ensure that the code remains available and recoverable, even in case of local infrastructure failures.

By implementing these best practices, we ensure that both data and code remain secure, redundant, and easily restorable in case of incidents.

Access Control and Firewall Rules

Office Network Security

Mumble’s internal office network is completely isolated and not accessible from the outside. No ports are open to external traffic, ensuring a fully locked-down environment. Access to internal resources is strictly controlled, and outbound connections follow security policies to minimize exposure to external threats.

Additionally, we maintain an isolated backup VPN, which is only used in rare cases when the office network is unavailable or when remote access is necessary. This VPN remains completely segregated from daily operations to ensure maximum security.

Cloud Infrastructure Security

For cloud-based infrastructures, Mumble enforces a least privilege access policy across all components, ensuring that each service, user, and system only has the minimum permissions necessary. This is achieved through:

• Security Groups: Strictly controlling inbound and outbound traffic at the instance level, allowing only essential communication.

• Private Subnets: Critical infrastructure components (e.g., databases, and backend services) are usually placed in private subnets without direct internet access.

• Firewall Rules & Network ACLs: Additional layers of protection to restrict unauthorized traffic and enforce segmentation between different environments.

• IP Whitelisting: External access to infrastructure is strictly limited to Mumble’s IP addresses, ensuring that only authorized personnel can connect.

By applying these security measures, Mumble ensures that both its internal office network and cloud infrastructures remain highly secure, minimizing the attack surface while maintaining operational efficiency.

Security Monitoring and Code Analysis

Incident Response and Monitoring

Mumble employs real-time incident detection and alerting systems that notify the team through multiple channels, including Slack, SMS, phone calls, and email. This ensures immediate awareness and response to any security incident. Our Service Level Agreements (SLAs) guarantee high availability and rapid intervention, with an indicative uptime of 99.99%, ensuring uninterrupted service for our clients.

Real-Time Application and Infrastructure Monitoring

Mumble leverages a combination of advanced security and monitoring tools, including:

• AWS CloudWatch: Real-time monitoring of AWS resources, logs, and metrics.

• Sentry & Crashlytics: Tracking errors and crashes across applications.

• Cloudflare Analytics & Security Insights: Monitoring traffic, security threats, and performance.

• Nessus: Regular internal and external vulnerability assessments to detect security risks. Mumble employs a suite of monitoring tools to ensure continuous visibility, rapid incident response, and system stability:

• AWS CloudWatch: Real-time monitoring of AWS resources, application logs, and performance metrics to detect and mitigate potential issues.

• Sentry & Crashlytics: Application-level monitoring for error tracking, crash reporting, and performance optimization in both backend and frontend applications.

• Cloudflare Analytics & Security Insights: Providing deep visibility into web traffic, security threats, and network performance trends.

These tools collectively enable proactive issue resolution, minimizing downtime and ensuring system resilience.

Wiz for Cloud Security Posture Management

Mumble utilizes Wiz.io to continuously monitor our cloud environment, ensuring compliance, security posture management, and vulnerability detection. Wiz provides:

• Real-time security insights: Identifying misconfigurations, vulnerabilities, and risks across cloud resources.

• Automated compliance checks: Validating security against industry best practices and regulatory standards.

• Threat detection and prioritization: Highlighting the most critical risks to enable quick remediation.

AWS CodeGuru for Code Quality and Security

To enhance the security and efficiency of our software development lifecycle, Mumble integrates AWS CodeGuru into our CI/CD pipeline. AWS CodeGuru assists with:

• Automated code reviews: Identifying security vulnerabilities, inefficient code, and potential performance issues.

• Runtime application profiling: Providing insights to optimize performance and resource usage.

• Machine learning-powered recommendations: Offering guidance on security best practices and bug fixes.

AWS Certifications and Expertise

Our team holds AWS certifications, including AWS Solutions Architect Professional, demonstrating our expertise in designing and managing secure, high-performing, and resilient cloud infrastructures.

Application Security and Secure Development

Penetration Testing and Vulnerability Assessments

Mumble conducts periodic penetration testing on critical infrastructure resources. Security assessments are performed on both internal and external assets, with findings addressed based on priority. Mumble conducts periodic penetration testing on critical infrastructure resources to identify and remediate potential security vulnerabilities. These tests ensure that our security measures remain effective against emerging threats.

Encryption and Secure Communication

Mumble enforces TLS encryption (HTTPS) by default, ensuring secure data transmission across all services. No services are deployed without encryption. All data transmissions are encrypted using TLS (HTTPS) by default, ensuring the confidentiality and integrity of data in transit. Secure protocols are enforced across all services and are non-optional.

Security Training and Awareness

Mumble is committed to continuous security training and awareness initiatives for its team members. Our programs focus on both defensive and offensive security principles to ensure comprehensive understanding and application of security best practices.

Cybersecurity Training and Offensive Security

• Regular training sessions on cybersecurity, including secure coding, network security, and vulnerability management.

• Advanced courses focusing on offensive security techniques, equipping our technical team with a deeper understanding of potential attack vectors and prevention strategies.

• Internal security drills and hands-on exercises to enhance real-world preparedness.

Phishing Awareness and Security Testing

• Continuous phishing awareness campaigns to train employees in identifying and mitigating phishing threats.

• Simulated phishing attacks to evaluate team response and improve awareness.

• Frequent security updates and best practice reminders through Slack and internal communication channels.

Device Security & Management

• All company Mac devices are managed via Mosyle MDM, ensuring endpoint protection policies and automated compliance checks.

• Windows devices are protected through security software and monitored for compliance with internal security policies.

Secure Software Development Lifecycle (SDLC)

Mumble follows a comprehensive Secure SDLC framework, which includes:

• Static and Dynamic Security Testing: Automated security scans during development.

• Threat Modeling: Identifying potential risks before code implementation.

• Code Peer Reviews & Security Audits: Ensuring security best practices are followed.

• Security Awareness Training: Continuous team education through structured courses and phishing awareness programs.

• Device Security & Management: All company Mac devices are managed via Mosyle MDM, enforcing endpoint protection policies. Mumble follows a Secure Software Development Lifecycle (SDLC) to ensure that security is embedded at every stage of development:

• Threat Modeling & Risk Assessment: Identifying potential security threats early in the development process.

• Automated Security Testing: Integrating static and dynamic analysis tools to detect vulnerabilities in code before deployment.

• Code Reviews & Peer Audits: Conducting manual and automated security reviews to enforce best practices.

• Continuous Integration & Deployment (CI/CD) Security: Implementing security scans and compliance checks within the deployment pipeline.

• Incident Response Readiness: Ensuring rapid detection and mitigation of security incidents through well-defined response protocols.

By implementing these security practices, Mumble maintains a robust and proactive approach to software security, ensuring that applications remain resilient against evolving threats.

Frequently Asked Questions (FAQ)

How does Mumble ensure compliance with GDPR?

Mumble strictly adheres to GDPR regulations, ensuring that data retention, access, and deletion policies are aligned with client requirements. Clients can request access or deletion of their data through automated mechanisms or by directly contacting Mumble at [email protected].

What security measures are in place for hosted applications?

All hosted applications benefit from Cloudflare protection, strict firewall rules, TLS encryption (HTTPS) enforced by default, and continuous security monitoring.

How does Mumble handle incident response?

We employ real-time monitoring tools that notify our team through Slack, SMS, phone calls, and email in case of security incidents. Our DevOps team, led by the CTO, ensures timely response and mitigation within our 99.99% SLA commitment.

Who is responsible for security at Mumble?

Mumble's security is managed by the DevOps team, with oversight and leadership from the CTO.

How can I request security support or report an issue?

For security-related inquiries or to report an issue, please contact [email protected] or call +39 059 551256.