Security at MapTiler

MapTiler is committed to maintaining the highest standards of data security and privacy. We implement a multi-layered security framework designed to protect customer data, ensure system availability, and meet global compliance requirements for our technical partners and enterprise clients.

maptiler-iso-27001-certificated.webp

Governance and compliance

MapTiler operates a formal Information Security Management System (ISMS) certified to the ISO/IEC 27001:2022 standard. This certification covers our core development and cloud service operations, ensuring that our technical and organizational measures (TOMs) are validated by independent audits. While our operations are currently validated by ISO/IEC 27001:2022, MapTiler is actively pursuing SOC 2 Type II compliance to provide further third-party validation of our operational controls for our North American enterprise customers.

Our data processing activities are governed by the General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection, and the California Consumer Privacy Act (CCPA). We act as a Data Processor for our customers, processing personal data strictly in accordance with their instructions to provide mapping services and technical support.

Infrastructure and physical security

We prioritize data sovereignty by primarily storing and processing customer data within Switzerland and the European Economic Area (EEA). Switzerland is recognized by the European Commission as providing an adequate level of data protection. To accommodate specific regulatory requirements, enterprise customers have the option to pin their data to specific geographic regions.

Our physical infrastructure is hosted by industry leaders, specifically OVHcloud and Google Cloud Platform. These providers maintain enterprise-grade security (SOC 2 Type II, ISO 27001), including 24/7 on-site guards, biometric access, and redundant power systems.

Internal office security at MapTiler headquarters is maintained via app-based and physical key access. In alignment with NDAA requirements, MapTiler utilizes only NDAA-compliant video surveillance and hardware (e.g., Synology/Ubiquiti) to ensure a secure and trustworthy development environment. All building entries are recorded on surveillance cameras, and a strict escort policy is enforced for all visitors to ensure no unauthorized access to our work environment.

Data protection and encryption

MapTiler employs robust encryption protocols to safeguard information throughout its entire lifecycle. All data transmitted between customers, end-users, and our infrastructure is secured using industry-standard TLS 1.2 or 1.3. At rest, sensitive information, including authentication credentials, database records, and CRM data, is encrypted with AES-256 via our certified infrastructure providers.

We also use secure hashing via certified identity providers for authentication data, ensuring that plain-text passwords are never stored in our systems. Connection telemetry used for billing and security monitoring is similarly protected to prevent unauthorized disclosure or alteration.

Secure development and network defense

Security is integrated directly into the MapTiler Software Development Life Cycle (SDLC). Security verification is a mandatory step in our release process. We utilize industry-standard scanning tools to identify potential vulnerabilities in our code and container images prior to production. This is complemented by rigorous peer reviews and manual security assessments to ensure a high level of software integrity.

Our network defense strategy includes:

  • Global Edge Protection: We utilize Cloudflare for our Content Delivery Network (CDN) and edge networking to mitigate DDoS attacks and ensure low-latency service delivery.
  • Vulnerability Disclosure: We maintain a formal Vulnerability Disclosure Policy (VDP) and provide clear reporting instructions for security researchers via our public security.txt file.
  • System Logging: All administrative access and system events are logged, and these logs are protected from tampering to ensure a reliable audit trail.

Access control and identity management

We enforce the principle of least privilege, ensuring that access to production environments and customer data is strictly limited to authorized engineering and support personnel based on their specific roles. Internal identity management is centralized and requires Multi-Factor Authentication (MFA) for all employee accounts.

For our customers, we provide granular security features to protect their own resources:

  • Single Sign-On (SSO): Support for enterprise identity providers to streamline user management.
  • API Key Restrictions: The ability to restrict API keys to specific IP addresses or HTTP referrers (URLs) to prevent unauthorized usage.

In accordance with our internal security protocols, access rights for departing employees are revoked within 24 hours of their termination.

Reliability and incident response

MapTiler is built for mission-critical applications that require constant availability. We provide a 99.9% uptime Service Level Agreement (SLA) for our Unlimited and Custom plan customers to guarantee service reliability.

Our incident management framework ensures that we can respond rapidly to potential security events. In the event of a confirmed personal data breach, MapTiler commits to notifying the affected customer without undue delay and, where feasible, within 72 hours. We provide reasonable assistance to customers in mitigating the effects of any such breach and fulfilling their own regulatory notification obligations.

 

notification