Trust and Compliance

We are committed to maintaining your trust

When you interact with external organizations, you can introduce risk—and you need answers to assuage your concerns:

  • On what cybersecurity framework have they based their risk management policies?
  • With what regulations do they comply?
  • What happens to the information we share with them—and why do they need it anyway?

You’re right to be concerned: You need to know you can trust the organizations you engage. We respect that.

Here, we share in plain English as much as we can about how we mitigate risk.

Keep scrolling to learn more about:

  • The security frameworks, certifications and data protection regulations with which we comply
  • The policies and practices we use to maintain the privacy of your personal information
  • How our solutions can help your organization with compliance

We adhere to the NIST Cybersecurity Framework

The US federal government developed the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to tighten protection of the nation’s critical infrastructure. Not surprisingly, NIST CSF is mandatory for US federal government agencies.

NIST CSF helped us—and it can help you:

  • Understand, manage, and express cybersecurity risk
  • Identify and prioritize actions for reducing risk
  • Align policies with the business and with technological approaches for managing risk

Independent auditors assess our security controls

Third-party risk management (TPRM) is essential to your company’s security, because it helps protect the company from the risks that come with engaging an outside vendor. To streamline your third-party management and reduce risk, Malwarebytes maintains the certifications and attestations listed below by regularly engaging independent external auditors to assess and report on our security controls and to objectively evaluate how effectively those controls address operations and compliance. These reports are available to interested parties under a signed NDA only.

SOC 2 Type II

SOC 2 (System and Organization Controls)

SOC 2 is an industry-standard assessment developed and maintained by the American Institute of Certified Public Accountants (AICPA).

Malwarebytes has been audited by a third-party auditing firm (Schellman & Company) against Trust Services Criteria (TSC) for Security, Availability, and Confidentiality. This is an attestation to Malwarebytes’ commitment to maintaining a high level of security, availability, and confidentiality of products, infrastructure, controls, and customer data.

ISO 27001

The International Organization for Standardization (ISO) publishes ISO 27001, a comprehensive set of requirements for Information Security Management Systems (ISMS). The standard is internationally recognized as a best-practice framework for building and operating an ISMS.

ISO 27001 certification affirms that the Malwarebytes ISMS has been audited by an ISO certification body and found to comply with the standard. This certification demonstrates that Malwarebytes’ people, processes, tools, and systems adhere to the framework in protecting the confidentiality, integrity, and availability of information.

PCI DSS Certification

The primary objective of the Payment Card Industry Data Security Standard (PCI DSS) is to protect cardholder data. It applies to organizations that store, process, or transmit card information and/or sensitive authentication data. Malwarebytes engages a Qualified Security Assessor (QSA) to produce its Attestation of Compliance (AoC), a document that demonstrates that the appropriate Report on Compliance or Self-Assessment Questionnaire has been completed and that attests to Malwarebytes’ compliance status with PCI DSS.