Security & Privacy Datasheet

Transcription

1 Security & Privacy Datasheet April Page1

2 Security and Privacy for Products Introduction takes information security and privacy of personal data very seriously. We fully support and abide by the data privacy principals established in the EU Directive on Data Protection as well as other applicable local privacy laws and regulations and will be fully compliant with the EU General Data Protection Regulation by the May effective date. Our security controls and mechanisms are based on the ISO global security management standard and we conduct external security audits and independent security testing on a regular basis. This datasheet provides a summary of the security measures implemented throughout the organization to provide full transparency and a peace of mind for customers that their personal data and information are in good hands. Privacy Audits and Compliance was previously part of the US-EU and US-Swiss Safe Harbor privacy frameworks. In October 2015, when the US-EU Safe Harbor framework was invalidated by the European Court of Justice (CJEU), chose to comply with the requirements to the EC Standard Contractual Clauses (sometimes called EC Model Clauses ) and to enter into signed EC Model Clauses with its customers upon request. Subsequently in July of 2016 when the US and EU adopted the new Privacy Shield framework as a replacement to the invalidated Safe Harbor,, after careful consideration, decided to continue its compliance with the EC Model Clauses instead. The EC Model Clauses contain specific security and privacy terms acknowledged by EU authorities and provide the legal basis to allow to process EU personal data in the US as part of our services to our EU customer base. Although, hosts its EU customers communities and content primarily in the EU, some EU data does makes its way into the US for support purposes, for spam filtering, video storage, log file analysis, and other similar ancillary services. A listing of data locations and s subprocessors can be found at also participates in the TRUSTe Privacy Program which is designed to help business implement strong privacy management practices consistent with a wide range of global regulations and industry standards. Verify s TRUSTe Privacy Seal here: 2

3 Security and Privacy for Products Security Testing, Audits and Compliance At, we believe in raising the bar when it comes to security audits and compliance. We conduct various internal and external assessments on a regular basis including: - Annual ISO security assessment and certification, - Annual independent SSAE 16 SOC 2 audits, - Annual Independent application penetration testing, - Regular internal security audits, - Regular static code analysis, - Regular web application security testing, and - Monthly vulnerability scanning. Annual SSAE 16 SOC 2 Audits The SSAE 16 auditing standard is the successor to the SAS 70 auditing standard and updates the US service organization reporting standard in line with the international service organization reporting standard ISAE conducts annual SSAE 16 SOC 2 audits using independent external auditors and has conducted this rigorous assessment for the past seven (7) consecutive years. Customers and prospects under NDA can obtain a full copy of the latest SOC 2 Type 2 report by contacting security [at] lithium [dot] com. ISO Certification is ISO 27001:2013 certified, which is a global standard based on information security controls and management best practices. This venerable certification provides an assurance that has achieved full maturity in information security management practices according to the specifications of a world class security management standard. Certifying to the ISO 27001standard 3

4 Security and Privacy for Products involves a rigorous three-stage assessment conducted by independent auditors. Subsequent annual onsite audits are required to maintain the certification. Access s ISO certification status at Security Penetration Testing In addition to the industry compliance assessments referenced above, conducts annual internal security audits, annual independent security penetration testing, security code reviews, security vulnerability scanning, and continuous automated and manual web application security penetration testing. welcomes responsible security testing by our customers. Numerous customers perform independent security audits and testing of their implementations at least annually. Since operates a shared multi-tenant SaaS environment, we limit all security testing to our staging or non-production environments. Security Testing and Reporting Policy is available on our website at Hosting in Europe is committed to its European customers and has made significant investments in the region. Our European customers are hosted in the Netherlands using an industry-leading collocation provider Equinix and our Amazon AWS hosting region in Amsterdam (EU West). Both providers Equinix and AWS operate mission-critical Tier 3+ facility and conduct separate annual SSAE 16 SOC 2 and ISO assessments using independent auditors. While Equinix provides the collocation space, physical security and access to telecommunications resources, owns and manages the entire services infrastructure. In AWS we use strong AES encryption to store customer data and have signed EC Model Clauses with AWS. Physical Security communities are hosted in independently audited and certified secure datacenters. The security measures permeate throughout the facility including but not limited to CCTV monitoring system, digital video recorders, man traps, biometric identification, mandatory visitor check-ins, a 24x7x365 front desk, and security guards around the clock. Datacenters are also equipped with fire, water, and heat detection and protection systems as well redundant UPS and diesel generators for uninterrupted high availability operation of mission critical systems. All systems undergo regular maintenance and are tested by the vendors every ninety days for proper operation and safety. 4

5 Security and Privacy for Products Access Control Access to the Equinix colocation space is restricted to authorized staff and trusted local European vendors for remote-hands system management only and reviewed on a regular basis. Multiple forms of authentication are required to access the facility such as a valid picture ID, a secret PIN code, and biometric identification (hand or palm geometry scan). Physical access to AWS facilities is restricted to authorized AWS personnel only. Logical access to the live customer environment can only be established via a secure encrypted session and is restricted to authorized staff only. All administrative access is continuously logged and audited on a regular basis. Personal Data Collection, Storage and Protection products are designed to promote collaboration and social engagement which requires some personal information to be collected to allow for a safe, responsible, yet friendly environment for end users. The collection of any personal information on our communities reflect first and foremost the core principles of privacy such as choice, notice, proper disclosure, responsible collection and usage of personal data, accountability, and security. There are only three pieces of required information to register and login to a community, including a username, a password, and a working address. There may be other pieces of information such as a first name, a last name, location data, or a custom avatar that users may share and disclose at their personal option and choice. For our Reach and Response product we mainly require the end users social media handles such as a Twitter handle or a Facebook account to be able to interact with them from our platform. For the Messaging product, we may require users to enter their Facebook or Twitter username and password for authentication purposes, but does not store this information. For more information about our privacy practices please visit our Privacy Policy at All personal user information collected during the registration process, with some exceptions (such as the avatar) is securely stored on servers using, at a minimum strong AES 128-bit encryption. User passwords are stored using a strong cryptographic one-way SHA 512-bit hash with unique salts. The one-way nature of the SHA 512-bit hash and unique salt ensures that no one including will ever know of the actual user password other than the user herself. Additional Security Controls Proactive Monitoring monitors all its customer implementations and critical infrastructure on a 24x7x365 basis. An alert system is tied to each of the site s health statistics as well as all major parts of the hosting infrastructure. All major services such as DNS, firewalls, servers, and Internet connectivity are actively monitored. Alerts are also set up to monitor security-related events and detect security violations from the Intrusion Detection System. Security auditing is enabled on host systems and logs 5

6 Security and Privacy for Products are sent to a secure log collection system for retention and safe keeping. In addition to proactive alerts, security logs are monitored regularly and audited on a monthly basis. Application Security has deployed a secure software development lifecycle process (Secure SDLC) to ensure that security is tightly integrated within our products. We conduct regular security design reviews and conduct security QA testing before each release cycle. A rigorous set of manual and automated security tests are conducted for each release cycle, typically several times a month, in addition to security code reviews and web application penetration testing before releasing it to the customers. The application also has several layers of security to address common web application security flaws and attacks, some of which include: An extensive input and output validation layer checks and validates for proper and expected input and output to protect against cross-site scripting and script injection attacks. All userprovided content, such as the URI, query string parameters, form submissions, cookies, etc. are validated through this framework before the underlying application layers are allowed to handle the request. All non-validated input is either escaped or rejected as necessary. The application has a robust permissions system which allows granular control over user, role, and group level access. In communities, permissions and roles can be applied at the global community level, on categories, boards, and individual users. In Reach and Response, agents, supervisors, and admins roles are defined. The fine granularity of the permissions ensures that users can be granted the specific access they need without having to grant them excessive rights. All unauthorized access attempts are logged in the audit logs. For communities, user generated content (UGC) is also checked and validated using an intelligent HTML parser. Administrators can specify which HTML tags are allowed including tag attributes and sub-tags. This intelligent parsing protects against many forms of attacks such as cross-site scripting and script injection. By providing such extensive HTML parsing capability we can allow users to safely use HTML tags for rich and lively content creation without forcing them to learn a custom or proprietary markup language. Sensitive features and form submissions are protected with secure and time sensitive CSRF tickets to protect against cross-site request forgery attacks. The ticketing system is completely transparent to the user and helps protect against cross-site request forgery attacks that can originate from external content outside of s control. Logging is enabled to record key information about the system and user requests such as the request timestamp, URL or action, agent or browser type, and source IP address. In case of a security breach, can review these logs to identify exactly how and when the breach took place as well as any actions and damage that the intruder may have inflicted. In addition to the Secure SDLC process and the web application security mechanisms described above, conducts annual independent security penetration testing. We also conduct our own internal web application security penetration testing and security code reviews on a regular basis to test against common web application security vulnerabilities such as the OWASP Top 10 list. 6

7 Security and Privacy for Products Infrastructure Security is ISO certified, which signifies that our security controls and mechanisms are modeled after a globally accepted standard based on security best practices such as: Redundant multi-tier firewalls allow relevant ports only such as port 80 (HTTP) and port 443 (HTTPS); Front-end application and web servers are isolated from utility services such as DNS and SMTP; Database servers are in a separate segment from the front-end servers; No direct access from the Internet is allowed to the database servers; Intrusion Detection Systems are deployed to monitor unauthorized access or detect malicious traffic; Regular security vulnerability scanning on a monthly basis minimum. System-level security conforms to the same high standard of security best practices such as: Only necessary services and software are installed; Servers are regularly updated with the latest security patches; All management traffic to the servers is encrypted; Administrative access to servers is restricted to authorized staff and must occur over a secure encrypted session. All administrative access is logged and monitored; Security auditing is turned on and logs are sent to a secure log collection system. Database encryption All customer production databases that might contain personal information are considered sensitive. Access to sensitive data is restricted and protected using a broad set of security controls including, but not limited to, access control and encryption at rest (covered in ISO and SOC 2 annual audits). Currently, the following data is stored encrypted at rest (minimum AES 128-bit): communities: user profile table and specifically user addresses and password hashes. Starting in release 17.5 we also have the capability to encrypt messages. Social Intelligence: same as above Social Response: Encrypted AWS volumes (AES 256-bit) 7

8 Security and Privacy for Products Denial-of-Service (DDoS) Attack Defense s platform is highly scalable, and we can quickly scale vertically and horizontally to handle sudden traffic spikes. Most attempts to DDoS our application are easily defeated since we can handle very large amounts of traffic without any major performance issues. We also have continuous monitoring of all production sites and any deviation from baseline latency or pageviews/requests are quickly investigated. However, in small cases when large capacity and scale are not enough, we have strong measures in place to combat this type of issue, for instance: At the application layer we have resource pools to monitor access to resources and apply throttling dynamically per IP and per session when certain thresholds are hit. We can also tweak these pools on-demand as well. We also use a CDN provider which provides caching on most static assets and reduce latency and load on the app. We also have network-level DDoS protection features on our core network devices. Last but not least, we also use a reputable DDoS attack mitigation service provider for combating large scale DDoS attacks. All of these measures are typically used in combination to handle any kind of attack scenario. Vulnerability Management Apart from security hardening and installing security patches during the controlled build process, has adopted a standards-based approach to vulnerability lifecycle management following these four key steps: Acquire, Assess, Manage, and Report. Acquire - during the Acquire phase, we collect relevant security information via subscriptions to various security outlets such as US-CERT, SANS, BugTraq, as well as direct mailing lists and notification from vendors such as Microsoft. There might be other events and processes that feed in to the Acquire phase such as security incidents, security alerts, and security scan reports. Assess during the Assess phase, the acquired vulnerability information is assessed for relevance and criticality based on a pre-established criteria. Critical and High-risk severity items are classified as P1 and mitigation is rolled out on an urgent basis. Other categories are prioritized based on the likelihood and impact of a given vulnerability. Manage during the Manage phase, we acquire the patch and deploy it using appropriate tools to the target systems. The patches are tested in the QA environment before they are rolled out to the production environment. Standard patches are installed during normal maintenance windows on a published schedule. Report during the Report phase, the systems are assessed using manual and automated tools to report on the status of security patches. Any missing patches and updates are processed using the vulnerability management lifecycle process. 8

9 Security and Privacy for Products Incident Response s incident response process conforms to ISO security best practices. It involves the following phases: Detection, Validation, Response, and Recovery. Detection the Detection phase involves monitoring of systems, security alerts, security log reviews, vulnerability scanning, and penetration testing to detect information security incidents. Validation the Validation phase involves analysis and prioritization of detected security incidents. Response the Response phase includes proportionate response based on the prioritization. This phase may include one or more steps such as containment, evidence collection, and eradication. Recovery the last step in the process involves recovery and lessons learned. The incident response process is thoroughly documented and exercised at least once a year. also has provisions for customer notifications in case of a breach involving customer or personal data. Data Handling, Redundancy, Backup, and Disaster Recovery The hosting infrastructure at is designed with multiple redundancies for maximum uptime. Secure datacenters have UPS and generator backup systems for power and diverse entry points for key utilities and communication facilities. Multiple high-speed Internet Service Providers for fast Internet connectivity using BGP for redundancy and automatic failover. Critical systems are set up in a redundant manner to eliminate single points of failure. This includes redundant servers, load balancers, firewalls, switches, and routers. Servers are deployed with redundant power supplies, redundant network cards, and redundant disk storage. At the database layer, data replication is set up from master database servers to slave database servers in real-time. We also take regular snapshots throughout the day. Regular backups are made daily and weekly and stored offsite in a secure location for safety. The backups are encrypted using AES 256-bit encryption. Backup restore testing is conducted on an annual basis. s Disaster Recovery Plan is updated at least annually and tested on an annual basis. There is no default retention on live customer data. As long as they are a customer we will keep all of their data intact subject to reasonable processing requests made by the customer. Security logs are retained for one (1) year. Once the contract is over we turn the information over to the customer in an XML format via our secure SFTP servers. The information on the SFTP servers remain intact for 30 days after which time it s securely deleted. The active databases are also dropped from the production servers after the XML dump is transferred to the customer. Retired media used for storage is scrubbed or destroyed using NIST SP guidelines. 9

10 Security and Privacy for Products Contact For Privacy related requests please Please consider using a secure communication method such as PGP or SMIME for sharing sensitive information. s Privacy Policy is located at For Security related requests please security@lithium.com. Please consider using a secure communication method such as PGP or SMIME for sharing sensitive information. Please be sure to read and adhere to our Security Testing and Reporting Policy located at Please visit our security page above to obtain a copy of our PGP key for secure communications. For all other inquiries please open a support case by visiting our online Support Portal at and clicking on the Support tab. For sales related and general inquiries please contact your designated Account Manager or visit our website at and click on Contact tab. About Technologies, Inc. ( or Company) delivers a competitive advantage by helping brands deliver better digital customer experiences at scale. Comprising Social Media Management and Communities, the engagement platform enables brands to manage multiple digital touchpoints, facilitate millions of conversations, and drive smarter decisions through data connecting customers, content and conversations at the right digital moment. has a massive digital footprint with approximately 480 million new digital interactions analyzed daily, 100 million monthly visitors across its Online Communities, and 850 million online profiles scored through Klout. The engagement platform comprises a complete set of solutions for social customer service, social media marketing and crowdsourced innovation that allow you to listen, respond and act on your customers conversations, creating deeper customer relationships and fostering brand loyalty and advocacy. Pair this with deep insights based on data and our expertise in maintaining vibrancy in your engagement strategy, and you get one amazing set of business solutions for a great digital customer experience. Founded in 2001, is a privately held company with headquarters in San Francisco, California. The Company s website address is 10