Security & AI Policies

Clients have placed their trust in Me-Grow, a product developed by Markelytics, for its robust research capabilities in conducting market studies. Me-Grow offers an extensive array of features facilitating everything from data collection to insightful reporting, bolstering customer support and ensuring seamless application functionality.
A paramount concern for Me-Grow is the security of client data, adhering to stringent privacy regulations and corporate policies. This document aims to outline Me-Grow's security measures and protocols.

PERSONAL INFORMATION:

Personal Information refers to any information that you submit to us voluntarily and that identifies you personally. It can be your contact information, such as your name, e-mail address, phone number, company name, company address, and other information about yourself or your company. Personal Information can also include any additional information you’ve found on our website. It can also include navigational information, which refers to information about your computer, IP address, referral source, geographical location, visits to various websites, length of visit, and pages viewed. We do not collect any other sensitive information. The Personal Information collected is used only for its intended purposes, which include logging into our platform, sending important information regarding our product access, and troubleshooting. We do not buy, sell, or use Personal Information for any other business purposes. Your personal information is completely safe per international data privacy and security standards.

SECURITY ORGANIZATION & PROGRAM

Data security is our foremost concern, overseen by a dedicated Security team managing Me-Grow's programs in alignment with the ISO 27001 Information Security Standard framework. The program covers the following attributes or control sets:

1. Human resource (People) Security
2. Product Security
3. Cloud and network infrastructure security
   a. Asset Management
   b. Access Management
   c. Operations Security
4. Continuous monitoring and vulnerability management
5. Business continuity security and incident response (disaster recovery)
6. Supplier relationships (third-party security)
7. Physical security

HUMAN RESOURCE (PEOPLE) SECURITY

All candidates must pass a thorough background verification process conducted by the Security team to ensure that the right people are onboarded to develop Me-Grow. Additionally, the Security team consistently provides information on emerging threats and conducts phishing awareness campaigns to keep everyone updated on security trends.

PRODUCT SECURITY

The Me-Grow Product Security program has instituted the following practices:

• Standardization of Application Security Levels and Guidelines:
Crafted by the Me-Grow Security Development team, standardized security practices ensure the development and safeguarding of products. These practices encompass activities essential for the Product team across various phases of product development, including requirements, design, implementation, and deployment.

• Designed for Security:

In pursuit of bolstering product security, the Me-Grow Security team conducts a myriad of ongoing activities, including:

   a. Assessing internal security prior to product launches
   b. Regularly conducting penetration tests by third-party contractors
   c. Running bug identification programs
   d. Continuously evaluating both internal and external security
   e. Regularly monitoring threat models

• Embedding Security in the DNA:

Implementation and oversight of technology-specific software security training guarantee that all developers at Me-Grow are well-versed and updated on the latest security trends.

• Change Management:

For its change management process, Me-Grow utilizes software like Jira to meticulously track, review, and authorize changes before transitioning the product to a staging environment and ultimately deploying it to production.

• Authorized Testing:

Routine penetration tests carried out by third parties and bug identification programs foster the disclosure of any vulnerabilities in Me-Grow.

• Account Security:

To store credential data securely, Me-Grow employs industry-leading methods, adding a salt to the hashing process.

CLOUD AND NETWORK INFRASTRUCTURE SECURITY

In order to establish a secure foundation for both Me-Grow applications and its clientele, the cloud security program encompasses the following initiatives:


• Asset Management and Ownership:

Every cloud asset must be clearly assigned an owner, a security classification, and a designated purpose.

• Infrastructure Access Management:

To minimize direct access to infrastructure, networks, and production data resources, employees are required to access these resources through approval processes, robust multi-factor authentication, or by utilizing a bastion host.

• Defense-in-Depth (Operations Security):

Me-Grow's production environment operates within a logically isolated Virtual Private Cloud (VPC), housing all customer data and customer-facing applications. Segregation is maintained between production and non-production networks. Access within the production network is tightly controlled and limited only to authorized services via firewalls.

• Network Monitoring with Standardized Guidelines:

Me-Grow meticulously logs high-risk actions and alterations within the production network. Automation is leveraged to promptly identify and flag deviations from standardized guidelines.

• Communication Security:

To ensure the safeguarding of information across networks and their supporting information processing facilities, Me-Grow implements robust communication security measures.

CONTINUOUS MONITORING AND VULNERABILITY MANAGEMENT

Aligned with the "designed to be secure" principles, Me-Grow's Continuous Monitoring program incorporates the following practices:


• Continuous Monitoring Program:

Through ongoing monitoring and the cultivation of proactive and detective capabilities, Me-Grow stands ready to address vulnerabilities, incidents, and threats, taking appropriate measures to mitigate them.

• Security Log Retention:

Access to security logs is restricted to Me-Grow personnel, and these logs are retained for 180 days.

• Distributed Denial-of-Service (DDoS) Prevention:

Me-Grow leverages industry-leading platforms to detect, mitigate, and prevent DDoS attacks.

BUSINESS CONTINUITY SECURITY AND INCIDENT RESPONSE (DISASTER RECOVERY)

Me-Grow consistently updates and revises its Business Continuity and Disaster Recovery plans. To ensure unparalleled resilience, Me-Grow employs a range of tools and mechanisms, including:


• Global Resilience:

AWS's presence across multiple geographic regions and availability zones enables Me-Grow to maintain global resilience in the face of various failure scenarios, such as natural disasters, system failures, or malfunctions.

• Encryption of Data Backups:

Me-Grow utilizes secure cloud storage to conduct routine backups of client account information and other critical data. All backup files undergo robust encryption measures and are redundantly stored across multiple availability zones.

SUPPLIER RELATIONSHIPS (THIRD-PARTY SECURITY)

In today's interconnected business landscape, maintaining insight into the software supply chain is crucial. Me-Grow has instituted the following initiatives to uphold third-party security:


• Vetting Process:

Me-Grow verifies potential third parties through security assessments during the onboarding phase.

• Ongoing Monitoring:

After establishing a supplier relationship, Me-Grow conducts periodic evaluations of security and business continuity aspects with existing third parties. This program encompasses:

   a. Assessing the type of access and data classification (if applicable)
   b. Implementing necessary controls to safeguard data
   c. Adhering to legal and regulatory requirements

• Offboarding:

Me-Grow ensures the return or deletion of data at the conclusion of a vendor relationship.

PHYSICAL SECURITY

As part of its dedication to safeguarding its premises, Me-Grow prioritizes physical security within its overall security strategy. This encompasses the following:


• Datacenter Security:

To protect all production systems and customer data, Me-Grow relies on AWS data centers, renowned for their adherence to best practices and compliance with a wide range of standards. For further details on AWS Data Center Physical Security, refer to the AWS Security Whitepaper. https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

• Office Location Security:

Me-Grow implements a thorough security program to oversee visitors, building entrances, CCTV surveillance, and overall office security. Every employee, contractor, and visitor must wear identification badges that clearly denote their roles.

SECURITY COMPLIANCE

With a commitment to mitigating risk and maintaining regulatory and security compliance requirements, Me-Grow includes the following:


• Regulatory Environment:

Me-Grow operates in accordance with relevant legal, industry, and regulatory requirements, and industry best practices.

• Top Tier Infrastructure Provider:

Our platform relies on Amazon Web Services (AWS) data centers for their unparalleled scalability, security, and reliability. AWS adheres to top-tier security policies and frameworks, including SSAE 16, SOC framework, ISO 27001, and PCI DSS.

AI POLICIES

MEG is an AI-powered assistant tailored to elevate your data analysis capabilities and unlock actionable insights. MEG excels in generating key themes, concise summaries, addressing community discussions, facilitating survey creation, and analyzing survey data with precision. Powered by pre-trained, secure AI models, MEG consistently delivers optimal results. While we are committed to maintaining the quality and reliability of insights, it's important to acknowledge that results may have limitations, inaccuracies, or inherent biases. It's essential to recognize that insights and results provided by MEG are not professionally vetted and should not serve as a standalone substitute for thorough research. Instead, MEG is designed to streamline and expedite the analysis process.
For comprehensive and reliable information, we encourage users to supplement MEG's insights with their own analysis or seek guidance from subject matter experts. Me-Grow assumes no liability for any outcomes resulting from the use of its features.

DATA GOVERNANCE POLICY FOR ME-GROW

Introduction:

At Me-Grow, we prioritize responsible data governance. Our policy focuses on fairness, interpretability, privacy, safety, and security in all aspects of data management.


Scope:

This policy applies to all Me-Grow employees, contractors, and third parties who access, interact with, or are influenced by our custom chatbot, customer data, and associated systems.


Fairness:
• Bias Monitoring: We employ tools and procedures to continually monitor and address biases in the responses and functionalities of our assistant.
• Inclusive Training: Our assistant is trained on data from diverse sources to ensure broad representation and inclusivity.
• Feedback Loop: Users and stakeholders have avenues to report observed biases, and necessary corrections are promptly implemented.

Interpretability:
• Transparent Mechanisms: Users are provided insights into the processes our assistant uses to generate specific outputs, fostering transparency and trust.
• Continuous Learning: Our assistant's algorithms are designed for ongoing learning, allowing for improvements in interpretability over time.
• Feedback for Improvements: Users can share feedback with us, which will be used to continuously refine the interpretability of our assistant.
• User Anonymization: We anonymize data to protect individual privacy, ensuring that no direct identifiers or personal information are accessible. Additionally, users have full control to review and edit texts/comments/messages in posts or discussions, excluding any containing sensitive or personal information. Sensitive profile information is systematically excluded from our processing activities.

Me-Grow integrates a combination of open-source technologies and premium AI-powered platforms. We prioritize using pre-trained models to eliminate the need for custom training data.

Our commitment extends to maintaining robust agreements with our sub-processors, ensuring their adherence to our stringent privacy and security standards.

AI models utilized within Me-Grow are either self-hosted or provided by sub-processors certified in SOC2, ISO 27001, and HITRUST, guaranteeing a high level of trust and security. For instance, texts, messages, and comments are processed entirely within Me-Grow's secure environment. We conduct comprehensive assessments of our sub-processors, with a focus on data protection and the privacy of Personally Identifiable Information (PII) and Protected Health Information (PHI). These evaluations ensure compliance with all relevant laws and regulations, underscoring our commitment to safeguarding our clients' data.

DATA INTEGRITY & CONFIDENTIALITY

Me-Grow employs commercially available, pre-trained AI models exclusively, ensuring that customer data is never used for training purposes. Our sub-processors are expressly prohibited from retaining any data for training or research purposes.

We have established agreements with our sub-processors to ensure that no data retention occurs for training models and that all AI services meet our clients' confidentiality, privacy, and security requirements, including compliance with HIPAA, GDPR, and CCPA regulations.

To secure data transfers, Me-Grow uses TLS 1.2 or higher, encrypting all data in transit. Additionally, we deploy a sophisticated private network architecture within AWS to prevent unauthorized access.

Me-Grow offers clients the flexibility to opt out of using AI features on their sites. Data is sent to AI models only with the client's consent, and AI processing is maintained as a separate module from data collection.

Summary

Me-Grow (a product by Markelytics) is your go-to platform for comprehensive market research, offering a suite of tools including Me-Grow Survey, Me-Grow Community, Me-Grow Meeting, Me-Grow Panelhub, and Me-Grow Merchant, enabling businesses to swiftly obtain actionable insights.

Security is paramount across our platform. We implement stringent measures to protect physical, network, and application components, complemented by robust security practices and compliance standards. This instills confidence in clients transitioning their communications to the cloud.

Committed to responsible data governance, particularly where AI is used, we uphold principles of fairness, interpretability, privacy, safety, and security in data management. Our dedication to providing top-notch services is ongoing, recognizing that improvement is a continuous process.

For further inquiries or detailed assistance, please reach out to our team via the contact form on the Me-Grow website.

Note: This document undergoes periodic revisions and updates. Please refer to the latest versions by visiting our website.