MigiHub Documentation - Security & Reliability

Security & Reliability at MigiHub

Last Updated: September 1, 2025

MigiHub is a software‑as‑a‑service platform developed and owned by InnuCloud Experts Inc. We design, build, and operate MigiHub with a defense‑in‑depth approach to protect your data and keep the service available. This page summarizes our security controls, reliability practices, and the customer controls available in your tenant. See the SLA and Policies for contractual details.

Architecture & Data Protection

Tenant isolation and least‑privilege access across environments
Data minimization for scheduling, fulfillment, and billing
Encryption in transit via HTTPS/TLS and encryption at rest
Secrets management and restricted key access

Identity & Access Management

Single Sign‑On (SSO) support (e.g., Azure AD)
Role‑based access control (RBAC) with least‑privilege roles
Session management and password policy options
Administrative actions audited

Application Security (SSDLC)

Secure software development lifecycle
Input validation aligned with OWASP recommendations
Regular server‑side patching and configuration hardening
Change management with staged rollouts

Logging, Monitoring & Detection

Audit trails for sensitive actions and access
Centralized logging and alerting on anomalies
Rate‑limiting/WAF controls
Time‑synchronized logs retained per policy

Backups, Business Continuity & DR

Encrypted automated backups with scheduled retention
Periodic restore testing and documented recovery procedures
Target objectives: RPO [24 hours], RTO [24 hours]

Availability & Performance

Redundancy across critical components
Autoscaling and performance monitoring
Scheduled maintenance with advance notifications
Uptime target: [99.9%]

Vulnerability Management & Disclosure

We maintain continuous vulnerability scanning, prioritized remediation, and vendor patch tracking. Our responsible disclosure program welcomes reports of suspected vulnerabilities to [email protected] (non‑production proof‑of‑concepts only; no data exfiltration or service disruption). We will acknowledge, investigate, and update you on remediation progress.

Privacy & Compliance

GDPR: DPA with SCCs; Law 25 alignment in Québec; privacy rights support
HIPAA support via BAA for covered entities (PHI handling under Security Rule safeguards)
Data Privacy Framework (DPF) notice prepared; SCCs/UK IDTA/Swiss addendum used until U.S. listing
Internal controls aligned with CIS Controls v8 (IG2) for assessments

Sub‑processors & Vendor Risk

We maintain vetted sub‑processors under written DPAs/transfer safeguards with least‑privilege access and security obligations. Our sub‑processor list and change notifications are available to customers with an objection process per agreement.

Customer Controls

Configure SSO/MFA, RBAC, password policies, and (optional) IP allow‑lists
Set retention, export, and deletion preferences per policy
Use audit logs and reporting for oversight, and minimize sensitive data in free‑text fields/attachments
Train users on acceptable use and privacy/security practices

Incident Response & Notifications

We maintain 24×7 on‑call escalation with documented runbooks. If a security or privacy incident is confirmed, we will investigate, mitigate, and notify affected customers without undue delay, providing details to support regulatory notifications where applicable.