Privacy, Security and Compliance
Customer trust is Movable Ink’s top priority. Privacy, security, and compliance are core to everything we do. As part of that commitment, Movable Ink continuously enhances its product with new privacy and security features and updates its policies to reflect industry best practices. We take a Privacy and Security by Design approach to protecting our platform and clients. Our compliance programs enable our clients to verify that our privacy and security measures are well designed and consistently applied.
Table of Contents
- Trust
- Platform Description
- Privacy
- General Data Protection Regulation (GDPR)
- State Privacy Laws
- Data Privacy Framework Program
- Data Collection & Retention
- Data Storage and Encryption
- Compliance and Third-Party Verification
- SOC 2 Type II
- ISO 27001 & ISO 27701
- ISO 42001 – AI Management System
- Independent Security Testing
- Security
- Third-Party Risk
- Training & Awareness
- Identity & Access Management
- Asset Management
- Resource Ownership
- Configuration Management
- Cryptographic Controls
- Network Infrastructure
- Physical Security
- System Monitoring and Logging
- Intrusion Prevention & Detection
- Threat Management
- Vulnerability & Patch Management
- Systems/Software Development Lifecycle (SDLC) & Change Management
- Incident Management
- Business Continuity and Disaster Recovery
- Feedback
Trust
Customer trust is Movable Ink’s top priority. Privacy, security and compliance are core to everything we do. As part of that commitment, Movable Ink continuously enhances its product with new privacy and security features and updates its policies to reflect industry best practices. We take a Privacy and Security by Design approach to protecting our platform and client data. Our compliance programs enable our clients to verify that our privacy and security measures are well designed and consistently applied.
Access detailed information about Movable Ink's privacy, security, and compliance practices, including documentation, in our Trust Center.
Platform Description
Movable Ink provides a web-based application (the Studio Application) that enables clients to generate personalized creative email, web, and mobile application content with associated business logic for marketing campaigns at scale. The solution works with a client’s existing Email Service Provider (ESP) and does not send emails. Dynamic creative email content is automatically generated at the time of open. Movable Ink’s personalized content can also be included within clients’ websites and mobile applications. Additionally, Movable Ink’s Studio Application provides a dashboard for reporting and viewing marketing campaign analytics.
Movable Ink’s Da Vinci Service enables clients to automate and optimize email marketing campaigns using machine learning models. An internet-facing web application allows client users to configure their email marketing campaigns. This configuration, along with machine learning algorithms, controls the timing (when the email is sent), target (to whom it is sent), and content (what is included in the email) of an email marketing campaign. The solution works with a client’s ESP and does not send emails directly to consumers.
Privacy
At Movable Ink, protecting customer data is a first-order priority. We continuously monitor the evolving regulatory and legislative landscape to inform our policies, data security, and product development. Customer data is managed, processed, and stored in accordance with applicable global data protection requirements. Movable Ink follows a Privacy by Design approach characterized by implementing proactive rather than reactive data privacy measures.
General Data Protection Regulation (GDPR)
Movable Ink has implemented policies, controls, and technical safeguards to meet the GDPR requirements for data processors. We process personal data strictly in accordance with client instructions and in alignment with the GDPR’s obligations for data processors, including support for Data Subject Requests (DSRs). Movable Ink also maintains appropriate transfer mechanisms and contractual protections to support the lawful processing of EU/EEA personal data outside of the EU/EEA.
State Privacy Laws
Movable Ink follows data protection principles aligned with all applicable U.S. state privacy regulations, and we maintain processes and technical capabilities to support consumer rights requests. These practices are part of Movable Ink’s broader commitment to responsible data governance.
Data Privacy Framework Program
Movable Ink is certified under the EU-U.S. Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework, and Swiss-U.S. Data Privacy Framework, enabling compliant transfers of personal data from Europe and the United Kingdom to the United States. Movable Ink also supports the European Commission’s Standard Contractual Clauses (SCCs) as an additional lawful mechanism for international data transfers.
Data Collection and Retention
Movable Ink is committed to data management best practices such as processing and retaining only the data necessary to provide our services. Additionally, dedicated data owners ensure the confidentiality, integrity, and availability of client data throughout the entire data lifecycle. Movable Ink securely deletes all client data within 30 days following contract termination or upon a valid data subject/consumer rights request. Data deletion, including backups, is performed in alignment with NIST 800-88 standards and is non-recoverable. Movable Ink maintains a comprehensive Data Collection & Retention Policy with clearly defined retention periods based on business needs and regulatory requirements. Movable Ink may also provide a copy of client data or facilitate data transfer within 30 days upon request by an authorized client representative.
Data Storage and Encryption
Movable Ink ensures that all customer data is encrypted by default both at rest and in transit using industry-standard protocols. Data at rest is protected using AES-256 encryption, and data in transit is encrypted using TLS 1.2 or higher to safeguard confidentiality and integrity. Access to the Movable Ink platform is available only over HTTPS, ensuring all communication between client systems and the application is encrypted.
Compliance & Third-Party Verification
Movable Ink’s compliance programs enable our clients to verify that our privacy and security controls are well-designed, independently validated, and consistently applied across both Studio and Da Vinci. All certifications, audit reports, and third-party testing summaries referenced below are available through Movable Ink’s Trust Center.
SOC 2 Type II
Movable Ink Studio and Da Vinci undergo an annual SOC 2 Type II audit conducted by an accredited independent auditor. The report demonstrates that Movable Ink’s security, availability, and confidentiality controls are operating effectively over time.
ISO 27001 & ISO 27701
Movable Ink is certified under ISO 27001 (Information Security Management Systems) and ISO 27701 (Privacy Information Management Systems), validating our end-to-end governance over security and privacy controls.
ISO 42001 – AI Management System
Movable Ink is certified under ISO 42001, the international standard for responsible AI management. This certification demonstrates a comprehensive governance framework for the secure, transparent, and accountable development and operation of AI-enabled features across our platform.
Independent Security Testing
Movable Ink engages a qualified independent security firm to perform comprehensive application and network penetration testing on an annual basis.
Security
Movable Ink’s dedicated Information Security & Compliance team is responsible for the Company’s information security and compliance programs, which address technical, operational, and organizational measures used to protect client data. These programs are designed to ensure strong data governance, privacy, and security across Movable Ink’s products and supporting systems.
Third-Party Risk
Movable Ink maintains a third-party risk management program to assess the privacy, security, and compliance practices of the suppliers and partners that support its operations. Vendors are evaluated and assigned risk levels based on the nature of the services they provide, and appropriate controls are reviewed to help ensure they meet Movable Ink’s security and privacy requirements. Third-party relationships are periodically reassessed to confirm continued alignment with Movable Ink’s standards.
Training & Awareness
Movable Ink provides privacy, security, and compliance training to employees as part of onboarding and on a recurring basis. Training covers topics such as protecting personal information, recognizing security risks, AI risks, and understanding relevant legal and regulatory requirements. Additional role-based training is provided to employees whose responsibilities require deeper security or privacy expertise. Movable Ink also conducts ongoing security awareness activities to help reinforce secure behavior across the organization.
Identity & Access Management
Movable Ink follows a least-privilege and role-based approach to access management. Access is strictly granted based on role and business need, with periodic reviews to help ensure that permissions remain appropriate over time. Segregation of duties is applied to critical functions to reduce the risk of unauthorized changes to production systems. For client organizations, the Movable Ink platform provides user-role management capabilities that enable organizations to assign and manage access rights throughout the user lifecycle.
Asset Management
Movable Ink maintains an inventory of the systems, applications, and data resources that support its products and operations. Assets are classified according to their type, sensitivity, and criticality to ensure appropriate protections are applied throughout their lifecycle.
Resource Ownership
Movable Ink ensures its systems and data have designated resource owners, including clearly documented and communicated roles and responsibilities as they pertain to system and data ownership. Resource owners are responsible for protecting the confidentiality, integrity, and availability of assigned resources as well as their appropriate use throughout the complete life cycle.
Configuration Management
Movable Ink maintains standardized configuration requirements for systems and services to help ensure they are securely deployed and consistently maintained. Configurations are reviewed and updated as needed, and controls are in place to monitor for and prevent unauthorized changes or deviations from approved settings.
Cryptographic Controls
Movable Ink ensures that data is encrypted by default both at rest and in transit using industry-standard cryptographic protocols. Data at rest is protected using AES-256, and data in transit is encrypted using TLS 1.2 or higher. The Movable Ink Platform is available only over HTTPS, helping to ensure secure communication between client systems and the application.
Network Infrastructure
Movable Ink’s platform is hosted in secure cloud environments and is designed using a multi-tier network architecture that separates public-facing services from internal application and data layers. Network access controls, including firewalls and segmentation, ensure that only authorized and necessary traffic can reach protected resources. Movable Ink employs security monitoring and threat detection capabilities to identify and respond to potential network threats. Production environments for both Studio and Da Vinci are configured to implicitly deny all traffic by default and allow only explicitly authorized connections needed to deliver the service.
Physical Security
Movable Ink leverages Amazon Web Services (AWS) and Google Cloud Platform (GCP) to host its infrastructure and store customer data. Both AWS and GCP maintain highly secure, globally distributed data centers designed to protect systems and information from physical and environmental threats. All data centers employ 24/7 monitoring, biometric access controls, surveillance systems, and strict access authorization procedures to ensure only vetted personnel can enter secured areas. Movable Ink relies on the independently audited physical and environmental controls provided by AWS and GCP as part of their SOC 2, ISO 27001, and other industry-standard certifications.
System Monitoring and Logging
Movable Ink employs industry-standard monitoring and logging capabilities across its infrastructure and applications to help detect, investigate, and respond to potential security events.
Intrusion Prevention & Detection
Movable Ink employs intrusion detection and prevention capabilities across its environments to help identify, alert on, and respond to potential security threats. Centralized logging, monitoring, and analysis tools are used to detect anomalous or suspicious activity, and alerts are investigated as part of Movable Ink’s broader security monitoring and incident response processes. Endpoint protection and data protection controls are also in place to help safeguard corporate systems and production environments.
Threat Management
Movable Ink uses security monitoring and threat detection capabilities to identify and respond to potential threats. These capabilities incorporate threat intelligence and contextual analysis to help detect emerging risk and inform timely remediation efforts. Validated security advisories and vulnerability disclosures are reviewed and considered as part of Movable Ink’s ongoing risk management processes.
Vulnerability & Patch Management
Movable Ink maintains vulnerability and patch management processes designed to identify, assess, and remediate security issues in a timely manner. Regular vulnerability scanning is performed across relevant systems in accordance with established policies and industry best practices. Movable Ink also engages an independent, qualified security firm to conduct annual application and network penetration testing. Identified vulnerabilities are evaluated, prioritized, and remediated based on risk to help ensure the ongoing security and integrity of Movable Ink’s environments.
Systems/Software Development Lifecycle (SDLC) & Change Management
Movable Ink incorporates Privacy and Security by Design principles throughout its Systems/Software Development Lifecycle. The company follows secure coding best practices and maintains processes for reviewing, testing, and approving changes prior to deployment. Controls such as code analysis, change review, and quality assurance help ensure that updates are developed securely and released in a controlled and reliable manner.
Incident Management
Movable Ink maintains an incident management program with defined processes for identifying, reporting, investigating, and responding to security incidents. The program outlines roles, responsibilities, and communication procedures to help ensure incidents are handled promptly and effectively. Lessons learned from incidents are incorporated into Movable Ink’s security program and processes to support continuous improvement.
Business Continuity & Disaster Recovery
Movable Ink maintains documented Business Continuity and Disaster Recovery plans that outline the procedures to follow in the event of a disruption to critical operations. These plans provide a framework for maintaining service availability, restoring functionality, and supporting resilience during unexpected events. Movable Ink’s production environments are designed with redundancy and high availability in mind, and critical systems are monitored to help ensure continuity of service. Business Continuity and Disaster Recovery plans are reviewed and tested on a regular basis to validate their effectiveness and support continual improvement.
Feedback
Your feedback is very important to us. For additional information about Movable Ink’s security, privacy, and compliance practices, please visit our Trust Center at trust.movableink.com.
- General security inquiries: infosec@movableink.com
- Client Trust / due diligence questions: infosec-dd@movableink.com
- Report a security concern: security@movableink.com