Enterprise-grade security

Connect, communicate, and share with confidence, knowing that data transactions are protected with robust encryption and enterprise-grade compliance measures.

Mio never stores your messages or files

Mio is independently audited every year, SOC 2 Type II certified, and does not store any messages or files that are relayed from one platform to the other.
Service Organization Control (SOC) 2 Type II
Mio is SOC 2 Type II certified to keep customer data secure and confidential.
General Data Protection Regulation (GDPR)
Mio adheres to GDPR guidelines to protect our customers' personal data and privacy rights.
California Consumer Privacy Act (CCPA)
Mio has implemented controls from the CCPA framework to support our customers' rights over their personal data.

Download Mio’s security whitepaper

Mio securely integrates with your messaging platforms and never stores messages or files.

What scopes are requested by the Mio application?

Mio securely integrates with your messaging platforms and never asks for more permissions than necessary.

Frequently asked questions

Does Mio store my files and messages?
Mio does not persistently store user messages or files. Message metadata is retained by Mio for future reconciliation across platforms. However, the underlying messages and files are not permanently retained.
What message metadata does Mio store and how long is it stored for?
We store the following metadata: message identifier (ID), timestamp, platform-assigned user IDs and/or channel IDs, and associated identifiers. These are stored for the duration of the service contract, or until Mio is asked to destroy them via a hard delete.
When my user uploads a file, where does it go?
Does Mio encrypt all data?
Mio takes the security of customer data extremely seriously and uses appropriate encryption strategies at every stage of its journey over our systems.

When data is in transit between connected platforms, Mio connects to the platform API using TLS 1.2 or later, typically over HTTPS. Data at rest is encrypted with AES-256 at a minimum. Mio classifies all customer data, and as a baseline all of our persistent storage has file-storage encryption enabled. For data with a higher classification, we perform additional encryption at the field level using an HSM-backed AWS KMS service.

End-to-end encryption between platforms via Mio is not currently possible because Mio must be granted access to the plaintext of the chat message in order to translate it for the target platform. Unless chat platforms themselves choose to adopt a universal messaging format, Mio will require temporary access to the raw underlying message to be able to translate it and apply the correct markup for the target.

Messages processed by Mio are never stored in an unencrypted format. Inbound events are immediately encrypted and only decrypted on demand when a transformative action is required. Translation typically occurs in milliseconds and in memory, greatly limiting exposure and potential attack vectors. Once translation and delivery is complete, the original and translated payloads are destroyed.
Where is Mio hosted?
Mio is currently hosted exclusively in AWS us-east-1. We utilize multi-zone redundancy to maximize availability and uptime. All customer data is currently retained in the US.
If AWS fails in one region, does Mio move over to another?
Mio utilizes multi-zone redundancy to maximize availability and uptime.
Can I choose which region my data is stored in?
No. Mio is currently hosted in the US, and we reserve the right to fail over to any AWS data center as part of our established business continuity plan.
What happens to messages when Mio is down or when platform APIs are down?
To maximize Mio’s message delivery reliability, we’ve implemented a number of flow controls for messages entering and leaving the Mio subsystems. All message events received by Mio are delivered to front-end servers distributed over multiple availability zones. For resilience, event payloads are immediately encrypted and placed into a fault-tolerant FIFO queue for processing by the Mio multi-zone, distributed back-end system. Mio has distributed its infrastructure and processing logic in such a way that processing and data persistence are highly resilient to individual node or cluster outages.

Mio’s ability to deal with partner outages requires an inbound and an outbound replay strategy. Partners such as Slack have an automatic redelivery mechanism: should a Mio resource be unavailable, they will resend the event multiple times until it succeeds, or otherwise give up. Mio’s outbound reliability is defined by our own queue replay strategy. Should a target partner platform be unavailable, Mio retains the encrypted event in a queue and automatically attempts redelivery according to a time-based replay schedule. Permanent failures are reported internally and monitored for further investigation and escalation where necessary.
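The outbound replay strategy described above (an encrypted event retained in a queue, time-based redelivery, permanent failures reported for monitoring, and the payload dropped once delivery succeeds, as in the "never stored unencrypted" answer), as an added example in Python that is not Mio's code. The retry schedule, the class names, the constructed ciphertext and the simulated partner outage are all assumptions; a production system would use a durable queue rather than an in-memory deque.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, List, Tuple

RETRY_DELAYS = [1, 5, 30, 120]  # assumed seconds between attempts; the page gives no numbers


@dataclass
class QueuedEvent:
    event_id: str
    ciphertext: bytes      # opaque, already-encrypted payload; plaintext is never queued
    attempts: int = 0
    next_at: float = 0.0   # earliest clock time for the next delivery attempt


@dataclass
class ReplayQueue:
    deliver: Callable[[str, bytes], bool]   # partner API call: True on success
    queue: Deque[QueuedEvent] = field(default_factory=deque)
    delivered: List[Tuple[str, int, float]] = field(default_factory=list)
    permanent_failures: List[Tuple[str, int, float]] = field(default_factory=list)

    def enqueue(self, event_id: str, ciphertext: bytes, now: float) -> None:
        self.queue.append(QueuedEvent(event_id, ciphertext, 0, now))

    def tick(self, now: float) -> None:
        """Attempt every due event once; relative FIFO order is preserved."""
        for _ in range(len(self.queue)):
            ev = self.queue.popleft()
            if ev.next_at > now:
                self.queue.append(ev)          # not due yet, keep waiting
                continue
            ev.attempts += 1
            if self.deliver(ev.event_id, ev.ciphertext):
                self.delivered.append((ev.event_id, ev.attempts, now))
                continue                       # ev is dropped: payload destroyed
            if ev.attempts > len(RETRY_DELAYS):
                # Retries exhausted: report for monitoring/escalation, stop replaying.
                self.permanent_failures.append((ev.event_id, ev.attempts, now))
                continue
            ev.next_at = now + RETRY_DELAYS[ev.attempts - 1]
            self.queue.append(ev)


def simulate(outage_until: float) -> ReplayQueue:
    """Constructed scenario: the partner API rejects every call until `outage_until`."""
    clock = {"now": 0.0}
    q = ReplayQueue(deliver=lambda _id, _ct: clock["now"] >= outage_until)
    q.enqueue("evt-1", b"\x8f\x12\xa4-constructed-ciphertext", now=0.0)
    for t in range(400):                       # simulated one-second scheduler ticks
        clock["now"] = float(t)
        q.tick(clock["now"])
    return q
```

With a 10-second outage the event is delivered on the fourth attempt at t=36; with a longer outage the fifth attempt at t=156 exhausts the schedule and the event is reported as a permanent failure instead of being retried forever.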
What are Mio's policies regarding data retention?
Mio retains customer data for the duration of their active account. The customer may request their data to be permanently deleted at any time (subject to Mio adhering to applicable state and federal laws).
What are Mio's policies regarding personally identifiable information (PII)?
Mio retains the following PII for the purpose of normal operation of the service: first name, last name, and email address. Mio is also provided with an end user's current public IP address when they access the m.io website.
Which app scopes does Mio need?
Where can I find more information about Mio's security practices?