1) Security governance (ISMS)
MWI operates a risk-based Information Security Management System (ISMS) aligned with ISO/IEC 27001 and GDPR principles. The ISMS is governed by senior leadership, reviewed at least annually, and updated after significant changes.

2) Core control areas
Access control • Cryptography • Secure SDLC • Change management • Vulnerability & patch management • Logging & monitoring • Incident response • Business continuity & disaster recovery • Backups & restore • Supplier security • Data protection & privacy

3) Supplier / supply-chain security (TPRM)
MWI runs a third-party risk management program aligned to ISO 27036. Suppliers are risk-tiered and undergo security/privacy due diligence. Contracts include confidentiality, minimum controls, breach notification, and sub-processor approval.

4) Certifications
Our platform stack includes suppliers with ISO 27001 certification. Supplier certificates and supporting documents can be provided under NDA.
MWI is not currently ISO 27001 certified, but internal controls are aligned to ISO/IEC 27001 and GDPR. A certification roadmap is schedule for 2026.

5) Data retention
• Message content: not persisted after transmission. If temporarily buffered for delivery retries, TTL is ≤24 hours (typically minutes).
• Message metadata & delivery receipts: 12 months (configurable by agreement)
• Security logs: 12 months online + up to 12 months archival
• Billing/contract records: 10 years
Custom retention can be configured by agreement, including secure deletion/anonymization upon expiry.

6) Contact
For security questionnaires or due diligence: