Trust and Compliance
We are committed to maintaining your trust
When you interact with external organizations, you can introduce risk—and you need answers to assuage your concerns:
- On what cybersecurity framework have they based their risk management policies?
- With what regulations do they comply?
- What happens to the information we share with them—and why do they need it anyway?
You’re right to be concerned: You need to know you can trust the organizations you engage. We respect that.
Here, we share in plain English as much as we can about how we mitigate risk.
Keep scrolling to learn more about:
- The security frameworks, certifications and data protection regulations with which we comply
- The policies and practices we use to maintain the privacy of your personal information
- How our solutions can help your organization with compliance
We adhere to the NIST Cybersecurity Framework
The US federal government developed the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to tighten protection of the nation’s critical infrastructure. Not surprisingly, NIST CSF is mandatory for US federal government agencies.
That claim to fame sold us on its strength: We built our cybersecurity practices on the same framework that the US government relies on to protect the nation’s critical infrastructure.
We’re not alone. Many organizations use NIST CSF to guide policies and implement practices designed to better protect their networks and data. In fact, NIST CSF helps any organization committed to improving cybersecurity controls—regardless of size, degree of risk, or level of cybersecurity maturity.
NIST CSF helped us—and it can help you:
- Understand, manage, and express cybersecurity risk
- Identify and prioritize actions for reducing risk
- Align policies with the business and with technological approaches for managing risk
Independent auditors assess our security controls
Third-party risk management (TPRM) is essential to your company’s security, as it helps protect the company from the risks of its involvement with an outside vendor. To streamline your third-party management and reduce risk factors, Malwarebytes maintains the following certification by regularly engaging with independent external auditors to assess and report on our security controls, to objectively evaluate the effectiveness of controls that address operations and compliance. These reports are available to interested parties under a signed NDA only.
SOC 2 Type II
SOC 2 (System and Organization Controls)
SOC 2 is an industry-standard assessment developed and maintained by the American Institute of Certified Public Accountants (AICPA).
Malwarebytes has been audited by a third-party auditing firm (Schellman & Company) against Trust Services Criteria (TSC) for Security, Availability, and Confidentiality. This is an attestation to Malwarebytes’ commitment to maintaining a high level of security, availability, and confidentiality of products, infrastructure, controls, and customer data.
ISO 27001
The International Standard Organization (ISO) created comprehensive guidelines (ISO 27001). These standards are internationally recognized as a best practice framework for Information Security Management Systems (ISMS).
ISO 27001 certification affirms that Malwarebytes ISMS has been certified in compliance with standards by ISO Certification Bodies. This certification for Malwarebytes demonstrates that its people, processes, tools, and systems adhere to this framework via confidentiality, integrity, and availability.
Malwarebytes has undergone an independent audit by Schellman & Company, a recognized third-party auditing firm. Certificate Directory.
PCI DSS Certification
The primary objective of the Payment Card Industry Data Security Standard (PCI DSS) is to protect cardholder data. It applies to organizations storing, processing, or transmitting card information and/or sensitive authentication data. Malwarebytes engages with a Qualified Security Assessor (QSA) for its Attestation of Compliance (AoC), a document used to demonstrate that the appropriate Report on Compliance or Self-assessment Questionnaire has been completed and to attest to Malwarebytes’ compliance status with PCI DSS.