Multiply · Trust Center

Security Controls

We take data security seriously; that's why we're showing you the receipts. No matter which industry you operate in, your data will be secured.

  • Confidentiality commitments
    All personnel accept confidentiality obligations during onboarding and upon policy updates.
  • Security policies & ownership
    Policies reviewed at least annually with named owners and version control.
  • Background screening
    Role-appropriate checks for new hires in line with local laws.
  • SSO & MFA enforced
    Centralized identity with multi-factor authentication for privileged access.
  • Least-privilege provisioning
    Access by role; quarterly reviews remove stale permissions.
  • Joiner-Mover-Leaver
    Automated access changes on hire, role change, and offboarding.
  • Inventory of assets
    Tracked devices, systems, and data stores with ownership and classification.
  • Hardening & patching
    Baselines with timely security updates and auto-patch coverage.
  • Device encryption
    Full-disk encryption for company-managed laptops and mobiles.
  • Data classification & handling
    Defined categories with handling rules for storage, access, sharing.
  • Data retention & disposal
    Schedules applied; secure erasure on request and end-of-life.
  • Customer data separation
    Logical segregation and least-access principles across environments.
  • In transit
    TLS 1.2+ for external connections; HSTS where applicable.
  • At rest
    Managed keys; industry-standard ciphers for databases and backups.
  • Key management
    Periodic rotation; restricted access with audit logs.
  • EDR/antimalware
    Real-time protection and telemetry; alerts reviewed.
  • Screen lock & idle timeout
    Auto-lock enforced; disk encryption required.
  • USB & peripheral policy
    Restrictions on removable media; exceptions documented.
  • Segmentation & firewalling
    Least-access rules between tiers and services.
  • Secure remote access
    SSO + MFA for admin; no direct prod access without approval.
  • Traffic monitoring
    Ingress/egress logging with anomaly alerting.
  • Code review & CI checks
    Peer review; CI enforces tests and secret scanning.
  • Dependency management
    Automated vulnerability alerts and timely updates.
  • SDLC policy
    Documented stages from design to release with security gates.
  • Change tracking
    All production changes recorded with sign-off and rollback plans.
  • Emergency changes
    Defined process with post-implementation review.
  • Centralized logs
    Critical system logs aggregated with retention and access controls.
  • Alerting & response
    Thresholds notify on suspicious activity and failed auth attempts.
  • IR plan & runbooks
    Roles, severity levels, and communications templates.
  • Tabletop exercises
    Annual practice with lessons captured.
  • Customer notification
    Process to inform affected customers and authorities as required.
  • Backups & restore tests
    Regular backups verified via restore tests.
  • RTO/RPO targets
    Documented objectives and architecture to meet them.
  • Vendor due diligence
    Security assessments for new vendors; high-risk vendors reviewed annually.
  • DPAs & SCCs where needed
    Contractual privacy protections aligned to jurisdictional requirements.
  • Scanning & reporting
    Regular scans of applications and infrastructure with risk-based SLAs.
  • Remediation tracking
    Fixes tracked to closure with verification and change control.
  • Privacy Officer
    Highest authority by default; written delegation with published contact details.
  • Confidentiality incidents
    Incident register maintained; CAI & affected individuals notified if risk of serious injury.
  • PIAs & cross-border transfers
    PIAs for new systems and before communicating personal info outside Québec; contractual safeguards.
  • PIPEDA compliance
    Ten fair information principles; breaches with real risk of significant harm reported & recorded.
  • CASL anti-spam
    Valid consent, sender identified, one-click unsubscribe in all CEMs.