Morpheus Security Principles
We see enterprise VR as a safe and healthy way to bring remote teams and employees together to create culture and community. Our security practices and principles are driven by our values as well as by General Data Protection Regulation (GDPR) and other requirements.
No retention. We do not retain records of participant movement activity, conversations or documents.
Encryption. We encrypt all user activity (movement, conversations, documents) end-to-end to prevent “man in the middle” attacks.
Personal Identifiable Information (PII) We encrypt all other user PII (users name, email, address or phone number) and use third party cloud services to isolate user information against bad actors.
We do not share your information. We only use user information such as a user’s name, email, address or phone number to directly interact with that user, such as to notify them of upcoming meetings and to send them a VR headset. We do not resell or otherwise use or share user information. Furthermore we don’t sell anonymized behavioral data.
Anonymized user data. We do use anonymized user activity data to improve our service itself, and we do provide real time analytics on engagement to participants themselves.
Formal data management practices. We have a data retention policy and a data destruction policy to comply with GDPR requirements and as well have employee security training and a period practice of reviewing our privacy and security policies to further protect our users. This also includes limiting access for third party contractors and requiring multi-factor-authentication for our own employees.
Proactive Transparency. In the case of there being any kind of breach we have a formal policy that participants will be immediately and continually informed so that we can work together to solve any issues.
Time boxed permissions. We control participant access to an experience in a granular, time-based, purpose-based manner.
Token based login. We use token based login systems to avoid having user passwords for interactive sessions.
Downtime and Distributed Denial of Service (DDOS) attacks. We use distributed cloud services to mitigate downtime and attacks.
Incident Monitoring. We monitor traffic on our networks for unusual behavior, as well as placing honey pots in our network to identify bad actors.
MFA. We use multi-factor authentication for our employees.
Third party audits. We have a third party auditing process for our source code with third party certification as an extra set of eyes to make sure there are no data leaks. We also do periodic third party audits for ISO 27001 compliance.
Accessibility. Inclusion is important to us and we work to make sure all members of a team can participate in culture building experiences therefore we offer both desktop and mobile experiences for users that are not able to utilize VR headsets (for any reason). It is also possible within a VR headset to participate with a single controller and a single button.
Physical Comfort. We have researched and developed a process for acclimating new users to be physically comfortable in VR. We guide people through this onboarding process starting and plan our experience length, time, and activities in relation to the ability and comfort levels of all participants.
Psychological Engagement. All of our avatars are the same height. We allow users to customize their appearance. We go out of our way to devise social mechanics that foster social engagement while not creating undue pressures and we specifically avoid addictive experiences such as are common in games.
Experience Certification. We work with experience facilitators to build positive and healthy social group experiences where all participants are fairly treated and are socially appropriate, and we have a diverse board of experience reviewers to certify our experiences.
Facilitator based. We train facilitators and many experiences are facilitated.
Professional experiences only. Our experiences are intended for working professional adults (age 18 above). On rare occasions, clients may request an event that they can invite family to attend, general best practices suggest that children below the age of 13 do not utilize VR headsets as such we do not allow children below the age of 13 to participate.