Security Policy

Last Updated: December 1, 2019

1. Introduction

Keeping your data secure, confidential, and readily accessible is Mindbody’s greatest priority. Our industry-leading security program is based on the concept of defense in depth: securing our organization, and users’ data, at every layer.

Our security program aligns with CIS CSC 20 and NIST Cybersecurity frameworks and our CORE solution is HITRUST CSF certified. Our payments platform is PCI DSS Level 1 service provider certified. While no system can guard against every potential threat, Mindbody’s defensive line is advanced and monitored 24/7, 365 days a year by highly trained professionals.

The focus of Mindbody’s security program is to prevent unauthorized access to user data. To this end, our team of dedicated security practitioners, working in partnership with peers across the company, takes exhaustive steps to identify and mitigate risks, implement best practices, and continuously develop ways to improve.

Mindbody’s security team, led by the Chief Information Security Officer (“CISO”), is responsible for the implementation and management of our security program. The CISO is supported by members of the Cybersecurity Team, who focus on Security Architecture, Product Security, Security Engineering and Operations, Detection and Response, and IT Risk and Compliance.

2. This Agreement

This Security Policy should be read in conjunction with the Privacy Policy.

This Security Policy contains defined terms, which are defined elsewhere in the Agreement. Please refer to these defined terms in reviewing this Security Policy.

When you access, view or use any part of the Mindbody services, you are accepting the terms and conditions of this Agreement.

If you are agreeing to this Security Policy on behalf of a corporation or other legal entity, you represent that you have the authority to bind such entity and its affiliates to the Agreement. If you do not have such authority, you must not enter into this Agreement and may not use any of our services or content.

Having considered the above preliminary matters and mutual agreements below, the Parties hereby agree as follows:

3. Secure by Design

Mindbody’s security team has built a robust, secure development lifecycle, which utilizes manual code reviews, static code analysis, and external/internal red team penetration testing. While we strive to catch all vulnerabilities in the design and testing phases, we realize that sometimes, mistakes happen. With this in mind, we have created a public bug reporting program to facilitate responsible disclosure of potential security vulnerabilities. All identified vulnerabilities are validated for accuracy, triaged, and tracked to resolution.

4. Encryption

  A. Data in Transit

    All data transmitted between Mindbody users and the Mindbody services is encrypted using strong encryption protocols. Mindbody supports the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocols and AES256 encryption.

  B. Data at Rest

    Credit Card and PHI (SOAP notes field) data at rest in Mindbody’s production network is encrypted using industry standards for data encryption. All encryption keys are stored in a secure server on a segregated network with limited access. Mindbody has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials. Each Mindbody user’s data is hosted in our shared infrastructure and logically separated from other users’ data. We use a combination of storage technologies to ensure user data is protected from hardware failures and returns quickly when requested.

5. Network Protection

Network access to Mindbody’s production environment from open, public networks (the Internet) is restricted, with only a small number of production services accessible from the Internet. Only those network protocols essential for the delivery of Mindbody’s service to its users are open at our perimeter. Mindbody utilizes third-party Content Distribution Network (“CDN”) services for redundancy and performance of services. In addition to CDN, Distributed Denial of Service (“DDoS”) and bot protections are provided through third-party services. All secure servers are protected by firewalls, best-of-class router technology, TLS encryption, file integrity monitoring, and network intrusion detection that identifies malicious traffic and network attacks.

  A. Endpoint Security

    All workstations issued to Mindbody personnel are configured by Mindbody to comply with our standards for security. These standards require all workstations to be properly configured, updated, tracked, and monitored by Mindbody endpoint management solutions. Mindbody’s default workstation configuration encrypts data at rest, requires strong passwords, and locks when idle. Workstations run up-to-date monitoring software to report potential malware, unauthorized software, or other compromises.

  B. Access Control

    To minimize the risk of data exposure, Mindbody adheres to the principles of least privilege and role-based permissions when provisioning access. Mindbody employees and affiliates are only authorized to access data that they reasonably must handle to fulfill their current job responsibilities. All production access is reviewed internally and is part of compliance with PCI and HITRUST.

    To further reduce the risk of unauthorized access to data, Mindbody employs multi-factor authentication for all privileged access to systems with highly classified data, including our production environment, which hosts our user data.

  C. System Monitoring, Logging, and Alerting

    Mindbody monitors servers, workstations, and networks to maintain and analyze a comprehensive view of the security state of its corporate and production infrastructure. Administrative access, use of privileged commands, and system calls on all servers hosting sensitive data in the Mindbody production network are logged, analyzed, and retained in accordance with PCI and HITRUST requirements.

    All networks are monitored using a Security Incident Event Management (“SIEM”) system that gathers logs from all network systems and creates alert triggers based on correlated events. In addition to internally managed SIEM, Mindbody utilizes third-party incident detection and response services for additional monitoring and analysis.

    Intrusion detection sensors throughout our internal network report events to the internal and external SIEM systems for logging and for the creation of alerts and reports.

  D. Vendor Management

    In order to provide you with our services, Mindbody may rely on other service organizations that provide their services to Mindbody (“Subservice Organizations”). Where those Subservice Organizations may impact the security of Mindbody’s production environment, we take appropriate steps to ensure our security posture is maintained by establishing agreements that require Subservice Organizations to adhere to confidentiality commitments we have made to users. Mindbody monitors the effective operation of the Subservice Organization’s safeguards by conducting reviews of all such controls before use.

  E. Security Compliance Audits and Assessments

    Mindbody is continuously monitoring, auditing, and improving the design and operating effectiveness of our security controls. These activities are regularly performed by both third-party credentialed assessors and Mindbody’s internal IT Risk and Compliance teams.

    Assessment and audit results are shared with senior management, and all findings are tracked to ensure prompt remediation.

  F. Penetration Testing

    In addition to our compliance audits and assessments, Mindbody engages both internal red teams and independent external entities to conduct application-level and infrastructure-level penetration tests at least annually. The results of these tests are shared with senior management and any potential issues are triaged, prioritized, and remediated promptly.

  G. Hosting Providers

    Our hosting and cloud service providers are PCI compliant and have completed the industry standard SOC 2 certifications. This includes controls and processes such as multi-factor authentication, role-based access controls (“RBAC”), redundant utilities, and strict change management processes.

    No computer system or information can ever be fully protected against every possible threat. Mindbody is committed to providing reasonable and appropriate security controls to protect our services, Websites, and information against foreseeable threats. If you have any questions about Mindbody security, you can contact us at [email protected].

6. Expectations

  A. User Expectations

    Mindbody maintains the security of Mindbody systems; however, you, as a Mindbody user, are responsible for implementing other security practices. We recommend that you:

    • Maintain an appropriate level of security (both physical and logical) for all local systems (including but not limited to networks, desktop computers, credit card readers, tablets, and mobile devices);
    • Install appropriate anti-virus and anti-malware protection;
    • Enable web browser auto-updates;
    • Implement a robust operating system and software patching process;
    • Implement secure user and password management processes, including periodic password changes and prompt deletion of user accounts after staff departures;
    • Replace old peripherals and hardware with more modern and secure alternatives;
      • For example, replace systems with non-supported operating systems
      • For example, replace swipes with EMV devices
    • Use the Mindbody systems as designed;
    • Restrict access to consumer data if there is no business need for the team member to view;
    • Use at least TLS v1.2 when connecting to the internet; and
    • Notify Mindbody immediately of any suspected compromise or unusual account activity by sending an email to [email protected].

  B. Cardholder Data Handling Expectations

    Mindbody is certified as a Level 1 Service Provider under PCI DSS Version 3.2.

    Any merchant who accepts Visa, MasterCard, American Express, or Discover credit cards for payment is subject to the Payment Card Industry Data Security Standard (“PCI DSS”), which outlines credit card processing merchants' responsibilities for the protection of Cardholder Data. We strongly recommend you follow the requirements of the PCI DSS when handling Cardholder Data. Please refer to the PCI DSS website for a complete list of all rules and restrictions that may apply.

    At a minimum, you must:

    • Maintain updated anti-virus software on all workstations engaged in credit card processing and remove any programs that the anti-virus software flags as potentially malicious;
    • Restrict permission to install software on those computers to users, business owner and/or trusted senior staff;
    • Maintain up-to-date versions of operating systems (e.g., Microsoft Windows or Macintosh OS) and applications (e.g., Microsoft Office, Adobe Reader, Java, Google Chrome), with all security updates and patches installed;
    • Ensure that every individual that logs into the services has a unique username and password that is known only by that individual;
    • Only store credit card account numbers in encrypted credit card fields designed for that purpose; and
    • Destroy any hard copy documents that have Cardholder Data written on them.

    For a more detailed list of the requirements and responsibilities as a Payment Processing Service user, refer to our Detailed PCI Responsibility Matrix.

    DISCLAIMER OF RESPONSIBILITY FOR CARDHOLDER DATA. If you use the optional Payment Processing Service to process payments, Mindbody is responsible for protecting Cardholder Data only after such Cardholder Data is encrypted and received by Mindbody’s system(s). You remain responsible for the proper handling and protection of Cardholder Data until such Cardholder Data is encrypted and received by Mindbody’s system(s).

7. Protection of Personal Health Information

Mindbody supports users who are subject to the requirements of the Health Insurance Portability and Accountability Act. Under HIPAA, certain information about a person’s health or health care services is classified as Protected Health Information (“PHI”). If you are subject to HIPAA and wish to use our services with PHI, it is your responsibility to request a Business Associate Agreement (“BAA”) with Mindbody. You are solely responsible for determining whether you are subject to HIPAA requirements. If you are subject to HIPAA and have not entered into a BAA, you must not use any of our digital properties in connection with PHI. You agree to indemnify, defend, and hold harmless Mindbody and its directors, employees, and affiliates against any claim relating to a failure by you to request a BAA with Mindbody.

8. API Credentials

Your API credentials are extremely sensitive. If you use our API, you must follow the policies below to ensure that you’re accessing user data in a safe and secure manner. Using your API credentials indicates that you agree to the terms of this Security Policy. If you or a member of your team violates this policy, you could permanently lose access to the Mindbody API.

You must:

  • Ensure your API credentials are stored securely at rest and in transit;
  • Share your credentials with your team only on a need-to-know basis;
  • Never store credentials in source control, private or public;
  • Never allow API credentials to be logged, even in development tools;
  • Make sure your team understands that the credentials grant access to sensitive and confidential production data;
  • Use credentials only server to server; and
  • Never use credentials in a mobile application.

Mindbody reserves the right to delete any API credentials after 30 days of low activity (less than 100 calls).

9. Changes to the Security Policy

We may, in our sole discretion, make changes to this Security Policy from time to time. Any changes we make will become effective when we post a modified version of the Security Policy to Our Website, and we agree the changes will not be retroactive.

If you have any questions regarding this Security Policy, you can contact us by email at [email protected] or by postal mail at:

Jason Loomis
Chief Information Security Officer, VP Cybersecurity
4051 Broad Street Suite 220
San Luis Obispo, California 93401
(877) 755-4279