MindTouch frequently asked questions (FAQs) about security, policies, and architecture.
At MindTouch we view security, performance, and reliability as critical requirements. We view these as differentiating features, and we guarantee security and uptime in your Service Level Agreement.
What is the overall MindTouch solution architecture?
Which programming languages are used to implement MindTouch (e.g., Java, C++, .NET, ABAP, database-specific stored procedures, or others)?
Please specify the supported operating system and database platforms.
MindTouch is a SaaS product that runs in the cloud using CentOS and MySQL.
Does MindTouch contain any Open Source components?
Yes, MindTouch contains the following Open Source components:
- Mono: MIT
- DReAM: Apache 2.0
- SgmlReader: MS-PL
- Autofac: MIT
- Log4net: Apache 2.0
- BeITMemcacheD: MIT
- CookComputing XmlRpcV2: MIT
- EnyimMemcacheD: Apache 2.0
- ICSharpCode.SharpZipLib: GPL with exception (see license)
- LibChmSharp2: LGPL 2.0
- Lucene.Net: Apache 2.0
- MySql ADO.Net Adapter: GPL 2.0
- Newtonsoft.Json: custom (see license)
- Novell eDirectory LDAP: unknown
Does MindTouch operate in a special hardware environment (e.g., shop floor systems, sensor networks)?
MindTouch utilizes Amazon Web Services for all hosted solutions.
Does MindTouch support Unicode?
Does MindTouch require access to or implement a user management component? If so, please provide more details.
MindTouch has basic built-in user and group management capabilities which can be enabled to allow social logins from Facebook, Twitter, Google, LinkedIn, and others. Additionally, MindTouch features an authentication bridge for LDAP, Active Directory, and Novell eDirectory. When integrated with one of these user management systems, all user and group management can be driven through these systems instead of the built-in functionality.
What 3rd-party UI frameworks does MindTouch utilize?
MindTouch utilizes the jQuery, Yahoo UI, and SmartClient libraries for the user interface.
Are all UI dialogs accessible to people with disabilities? Does MindTouch comply with accessibility standards (e.g., Section 508 in the US)?
MindTouch is Section 508 compliant for accessing content (Community Member access). MindTouch is NOT Section 508 compliant for authoring content (Pro-Member access).
Which browsers on which client operating systems are supported by MindTouch?
See our list of supported browsers.
Infrastructure & Platforms
What hosting providers does MindTouch use? What is the geographic coverage of each provider? What security standards are these partners certified with respect to?
MindTouch uses Amazon Web Services (AWS) in the US eastern region. The AWS security and compliance documentation can be found at: http://aws.amazon.com/security/
Does a customer need to know which data center(s) he or she is assigned to?
Provide an overview of the infrastructure components used, covering both hardware and software.
- Firewall - Amazon EC2 Firewall
- Load Balancer - HAProxy load balancer
  - Amazon Linux AMI
  - HAProxy - Provides load balancing capabilities and SSL termination
- Application Servers
  - Amazon Linux AMI
  - Apache webserver
  - PHP 5.4
  - Mono (.NET runtime) 2.10.2
- Amazon Relational Database Service
  - MySQL 5.1
- Lucene Search Server
  - Amazon Linux AMI
  - Mono (.NET runtime) 2.10.2
- ElasticSearch Servers
  - Amazon Linux AMI
  - ElasticSearch 0.90.x
  - Clustered configuration for High Availability
- CentOS 5.2
- Splunk 4.2
How many customers and users has your current infrastructure been sized to support? How would MindTouch scale this infrastructure to support a larger number of users? How many concurrent users can MindTouch support on this infrastructure?
MindTouch supports up to 50 million page views per month in its current configuration. Additional servers can be deployed to support up to 150 million page views.
What are the limiting factors with respect to scaling users (e.g., memory, CPU, disk I/O, network bandwidth, etc.)?
CPU is the most constraining factor for high throughput sites.
What software and standards is the MindTouch interface based on? Does any software (including browser plug-ins) need to be installed or downloaded to customer premises in order to run your solution? What bandwidth per user is needed to access the solution?
- Users only need one of the supported browsers to use MindTouch. No additional software needs to be installed.
- Accessing MindTouch requires little bandwidth and can be done over a 3G or dial-up connection.
- Authoring in MindTouch requires a DSL/Cable connection for an optimal experience.
What connectivity does MindTouch recommend customers use: private network, virtual private network (VPN), or public internet?
Public internet is required. MindTouch can be accessed over a secure SSL connection if desired.
Does MindTouch utilize infrastructure or tools (e.g., Platform as a Service) from one or more Public Cloud operators (e.g., Amazon, Microsoft Azure, Google, Salesforce)?
MindTouch is built on Amazon Web Services using the following services:
Does MindTouch provide mobile access? Is this via browser access or via a true mobile client with local data storage, data replication, etc.? What devices and operating systems does MindTouch support?
MindTouch offers mobile access via a mobile browser in READ-ONLY mode.
What additional standards does MindTouch adhere to (e.g., SAS70, ISO 27001)?
MindTouch utilizes Amazon Web Services (AWS) for all MindTouch hosted instances. Amazon security standards can be found at http://aws.amazon.com/security/.
Amazon AWS adheres to the following security standards:
- SAS70 II
- SOC 1/SSAE 16/ISAE 3402
- FISMA Moderate
- PCI DSS Level 1
- ISO 27001
- International Traffic In Arms Compliance
- FIPS 140-2
What approach has MindTouch adopted to backup and archiving?
MindTouch has continuous backup of all database transactions for the last 72 hours. After that, a daily backup is maintained for the last 30 days.
Provide an overview of the MindTouch approach to scheduled maintenance.
MindTouch conducts a nightly backup at 1am PST.
What approach has MindTouch adopted to the implementation of software patches and upgrades to your solution? What is the MindTouch release/upgrade cycle?
MindTouch is updated weekly for clients without site customizations and quarterly for sites with customizations.
What approach has MindTouch adopted to the upgrade of infrastructure components (e.g., database, application server, etc.)?
Application servers are built from scratch for each weekly release and then hot-swapped. Database servers are maintained by Amazon and only updated once or twice a year during a 30-minute maintenance window.
What support for Disaster Recovery does MindTouch provide?
All snapshots are kept in Amazon S3, which has 99.999999999% durability. In case of a disaster, the entire MindTouch deployment can be recreated in less than a day.
Does MindTouch retain my site after cancellation?
Yes, MindTouch will retain your site for 90 days after cancellation. After 90 days your site will be deleted permanently and cannot be restored.
What approach has MindTouch adopted for accessing functions or data in customer systems?
MindTouch has a robust architecture that is well suited for complex application integrations. Partner applications can leverage the MindTouch REST API to remotely manage 100% of the MindTouch content. Additionally, MindTouch ships with a powerful scripting language called DekiScript that can read and pull data from external sources. DekiScript can be used to introduce logic, customize interfaces, generate dynamic content, pull data from external sources, and more.
What form of APIs does MindTouch offer (e.g., REST, SOAP, etc.), and how can these APIs be used to customize and extend your offering? How does MindTouch ensure the integrity of these changes after an upgrade?
MindTouch has a REST API exposing all of the available functionality. The API cannot be customized; instead, MindTouch includes an automation language (DekiScript) that is used for extending individual applications. New releases of MindTouch preserve backwards compatibility for the API and DekiScript.
What facilities does MindTouch provide for upload of customer data, including master data, integration with existing customer systems, integration with third party systems, etc.? What prebuilt integrations does MindTouch support?
MindTouch supports HTML, .CHM and .MTARC import formats. MindTouch integrates with LDAP, Salesforce, and Zendesk.
How is the lifecycle of customer specific integrations managed?
The MindTouch Client Services Team defines implementation requirements and scope. All customizations are done in a way that enables forward compatibility by adhering to internal design guidelines. MindTouch QA works with Client Services to ensure the integration is done successfully. After completion, Customer Support monitors the integration on a quarterly basis.
Does MindTouch support integration with On Demand offerings from other service providers? If so, please explain how you support this scenario.
MindTouch is only integrated with other SaaS, cloud, or On Demand applications.
What mechanisms does MindTouch use to ensure appropriate security of customer data?
Data uploads and downloads can be done over an SSL connection at the client's request. Once uploaded, only authorized servers can access the data directly. All other clients must go through an application server for access authorization.
How does MindTouch ensure that data for a specific customer is not accessed by any other customer?
All data is stored in separate databases.
What user authentication methods does MindTouch support? Does MindTouch support SSO?
MindTouch supports SSO via SAML, Active Directory/ADFS, LDAP, and via custom SSO. There are two types of custom configurations:
- Same domain. Authentication issued by partner application
- Cross domain, SSO with redirect. Authentication issued by MindTouch
How are users and administrators authenticated?
Users and administrators are authenticated by username/password, or via an SSO solution (such as SAML/ADFS/LDAP). The SSO provider may be configured to use 2-factor authentication, tokens, etc. to meet additional authentication requirements.
What are the procedures for initial set up and ongoing maintenance of users and their revocation / password reset?
Users can be imported or created dynamically as part of an SSO login process. Users can be revoked/banned from within the control panel. Admins can reset a password for a user, or a user can request a password reset (to their configured email address).
Can MindTouch employees access my site?
The MindTouch Privacy and Security Acknowledgement document must be on file for any member of the MindTouch team to access a commercial deployment. MindTouch will not access any client sites without a current version of this document on file.
How is transmission encryption provided?
Transport security for web traffic is over HTTPS using strong ciphers. All management traffic occurs over SSH using RSA public-key cryptography. Only our internal Operations Team can view and decrypt data.
What types of intruder detection and other security vulnerability monitoring procedures are in place?
We have internal logging for access and error logs and the operations team audits these logs on a frequent basis. Logfiles are maintained indefinitely for forensic purposes.
What types of virus protection procedures are in place at the data center?
Our current malware mitigation strategy is to deploy from the latest stock Amazon Linux AMI image with all security patches applied. Servers are replaced every 7 days with the latest image.
What are the policies and procedures for maintaining security and middleware patches? How often do you apply patches?
We apply security patches every week on the latest Amazon Linux AMI. The servers are tested by our QA team each week.
What type of access logs are kept and for how long?
We have internal logging for access and error logs, and the operations team audits these logs on a frequent basis. Logfiles are maintained indefinitely for forensic purposes. Logs include web server logs, application server logs, security logs, and system logs. Given an approximate date or timeframe, we can audit the logs for that period (or make a specific investigation and forensic analysis based on other parameters).
Is there a dispute resolution process if a transaction is questioned?
Any change to a customer's site is stored in the site history and can be reverted by an administrator.
Is there a system inactivity timeout period (to logout inactive users)?
Yes, this timeout is configurable.
Does the site use any ActiveX components?
No ActiveX components are used.
What are your change control procedures for how new features and bugfixes are made?
We develop software in 2-week development sprints, with continuous integration testing, and a week of QA before each release. All changes must be reviewed before being accepted.
How does MindTouch separate the various authorization levels needed for high-risk and low-risk transactions?
Actions are separated into various permission sets (READ, UPDATE, DELETE, CHANGEPERMISSIONS, etc.). Different roles have access to various capabilities. For example, a community member may only have Read access to a page, and an author may have Update access. An editor may have Delete access, and admins may have complete access (including changing access levels for other users).
Explain the MindTouch approach to multi-tenancy.
MindTouch application servers can simultaneously host any number of customer sites, each with their own specific customization and integration configurations.
Explain the on-boarding process for a new customer. What services are provided as part of the standard charges and what are T&M?
MindTouch customers are assigned a dedicated associate in addition to the available support resources. Customers who engage in a services engagement are assigned a dedicated project manager throughout the duration of the engagement.
How long does it take to on-board a new customer?
Standard user application training is typically completed in a 12-hour training session.
Technical training, integration, and strategy sessions typically require a 24 to 40 hour commitment depending on SME availability.
Does MindTouch use templates and/or best practices to set up a new production system? How long does it typically take a new customer to make the necessary configuration changes to deliver a production system?
All MindTouch instances are provisioned and configured by MindTouch staff. A standard configuration takes minutes to set up. Additional custom configurations (e.g., LDAP, custom skin deployment, content import) may take 4 to 40 hours.
What capabilities or services does MindTouch provide to enable customers to manage users (e.g., adding and deleting users, role administration, etc.)? Is customer training required and is it an additional cost? What self-service capabilities for end users does MindTouch support?
The MindTouch control panel empowers administrators to manage all users, groups, bans, CSS, deleted content, editor specification, system configuration, and more. Additional training costs may be incurred for extended training sessions. The control panel and all of its capabilities are self-service.
Does MindTouch offer integrated account provisioning/authentication? If so, please list the authentication systems you support (e.g., SSO, LDAP, Active Directory, Custom).
MindTouch supports the following authentication systems:
- Active Directory / ADFS
- SAML 2.0
- Custom SSO via our API
What is the typical MindTouch customer profile in terms of industry segment, region, etc.? What is the typical customer size in terms of numbers of users?
Typical customer profile: Technology companies in the US
Typical customer size: Approximately 5,000 users (viewers and authors)
Does MindTouch offer services for decommissioning an existing customer? Does MindTouch physically remove a customer or are they merely made dormant?
MindTouch sites of decommissioned customers are kept for 90 days. After 90 days, all data relating to the customer is deleted permanently and irrevocably.
Billing and Metering
Explain the MindTouch pricing, metering, and reporting (including billing). If you offer more than one model, which is the preferred?
- Licensing, support, and hosting are billed annually with net 30 payment terms
- Allocated page views vary based on licensing
- Client services engagements are billed 65% upfront and 35% upon completion
Additional resource consumption (page views) can be purchased for 50% of annual cost of license, support, and hosting.
How does MindTouch ensure legal and SLA compliance? What kind of SLA reporting does MindTouch provide the customer? Does this include business SLAs or technical SLAs?
MindTouch has both a support and a technical SLA. SLA details can be found at:
What systems management and other software is used by MindTouch or your hosting partner to manage your solution?
We use Puppet for system management and configuration. All changes to be applied to our servers are defined in Puppet and applied to each server on a 30-minute interval.
What SLAs does MindTouch provide? How does MindTouch manage SLAs in terms of monitoring and reporting?
MindTouch SLA details can be found at:
What performance guarantees does MindTouch provide for individual customers?
MindTouch guarantees a 99.8% uptime.
What is the MindTouch default solution for trouble ticketing and incident management?
MindTouch uses Salesforce for all trouble ticketing and incident management.
If MindTouch is hosted by a 3rd party, how do you interact with them with respect to incident management?
We have a support contract with Amazon: http://aws.amazon.com/premiumsupport/
Support tickets are submitted via their support portal.
What are the processes and methodologies for product patching and updating?
MindTouch adheres to an agile release cycle and conducts development iterations on a two week cycle. Development cycles include the following steps:
- Quality assurance
Code releases take place each week on Thursday upon passing quality assurance. If the release day is an observed holiday, the release will be delayed one week. MindTouch maintains all development activity in a version-control system.
Additionally, MindTouch maintains all issue, feature, and task tracking in a version-controlled issue tracking application. Release notes, burn down reports, development effectiveness, quality assurance, and testing reports can be generated from our issue tracking application.
Deployments that require client services may span across multiple iterations. Customers who require less frequent updates can be placed on a quarterly update cycle.
Does MindTouch copy LDAP data or just check LDAP on each login?
On each login, MindTouch does an LDAP bind using the credentials specified by the user logging in.
What type of data is copied during the LDAP authentication? Is the data secure?
The only piece of LDAP data that we copy and store is the username (user_external_name in the MindTouch users table).
Is user login completed using the User/Password attribute retrieval or by LDAP Bind?
MindTouch does an LDAP bind using the credentials specified at login time.
Does MindTouch support LDAPS?
Yes, MindTouch does support LDAPS.
Does MindTouch provide a global 24 x 7 support model? What languages do you support?
Yes, MindTouch emergency support is available. MindTouch support is available in English.