At Mediaocean we understand how critical it is to your business to keep your information secure by making sure that it remains:
- Confidential, and only divulged to people who are authorized to access your data
- Available to authorized people upon request
- Accurate and free from loss or corruption
Mediaocean’s security program is aligned with ISO27001 for Information Security and covers control areas including:
- Logical and physical access
- Network security
- Change control over application software development and over operational infrastructure
- Processing integrity
- Availability, resilience and data retention
- Incident management and response
- Risk management
- Vendor / third-party security assessment and risk management
A summary of our security controls is available here.
In addition, we have prepared an Information Security Briefing which describes Mediaocean's information security controls and procedures in greater depth. This document gives you and your auditors an understanding of our information security policies and procedures. It also includes a list of user control considerations (practices our clients need to consider and put in place in order to ensure that information security objectives can be achieved).
Please note that our primary method for providing customers with assurance of our compliance with the security commitments we have made to them is via our SOC1 and SOC2 reports (see Certification and Compliance below). If you have additional questions on our security program, please contact your account representative.
Does Mediaocean have access to data?
While client security administrators manage user access for their organization, a number of Mediaocean staff members are authorized to view client data. This includes members of our Customer Experience, Engineering, Account Management, and Operations teams who provide support services. A more limited number of authorized staff members (primarily systems and database administrators) have ‘update’ access to client data. Mediaocean has a strict data maintenance policy requiring authorizations for any update to client data.
What happens with client data?
The data fed into Mediaocean applications is transferred securely to production servers hosted at a data center or cloud hosting provider. For clients based in North America and Europe, these servers are located in the United States; for clients in APAC / China, they are located within the Asia Pacific (APAC) region. Mediaocean is fully responsible for the administration of these servers, and the data center’s / cloud hosting provider’s employees do not have access.
The data is copied from this production environment into a Customer Experience environment accessible by authorized staff as described above. The authorized staff have write access to the Customer Experience environment to troubleshoot any reported issue. Data residing in this environment will otherwise have the same protections as the production environment.
Certification and compliance
Mediaocean’s security controls are inspected by an independent auditor. Annual SOC1 (SSAE18 / ISAE3402) and SOC2 Type 2 reports provide independent assurance of the design and effectiveness of our security. If you require a copy of our latest SOC1 or SOC2 reports, please email firstname.lastname@example.org.
Mediaocean’s Ad Infrastructure hosted systems in North America, Europe, APAC and China (with the exception of Symsys in the Netherlands) are included in the scope of these audit reports. Our SOC2 report covers Security, Availability, Processing Integrity, Confidentiality and Privacy.
Note: Mediaocean cannot share our data center or cloud hosting providers’ audit reports because the reports are owned by these providers and are subject to distribution restrictions. For more information about how Mediaocean collects and reviews these reports, please see Vendor Management.