Security questionnaire responses (Category / Question / Answer), grouped by category.
Data Location

Q: Name of Hosting Provider/Data Center Facility that will store or process data. (Where will the data be hosted?)
A: Amazon Web Services (AWS). US East (N. Virginia) data centers. Data storage is in multiple Availability Zones (AZs) for disaster recovery.

Q: If this is a Cloud solution, which cloud architecture do you support (Multi-tenant or Multi-instance)?
A: Multi-Tenant. Lead Liaison can optionally provide an instance specifically for you. Contact your Sales Manager for more information.

Q: Who from your company, the hosting provider, and anyone in your supply chain, has access to data?
A: Data is encrypted at rest. Our hosting provider does not have access. Key employees only have access as needed. Except in the scenarios described in the Infrastructure and Sub-Processors for the Lead Liaison Services document, Lead Liaison owns or controls access to the infrastructure that Lead Liaison uses to store data submitted by customers to the Lead Liaison Services (“Customer Data”).

Q: In what countries are the data stored?
A: All data is stored in the United States. Contact your Sales Manager for information and pricing on customized instances in non-U.S. data centers.

Q: What certifications do you have for processing data?
A: All processing and storage of data is performed on Lead Liaison's servers hosted in ISO 27001 certified data centers. Our data centers are also ISO/IEC 27017:2015, 27018:2019, and ISO/IEC 9001:2015 certified.

Q: Do you allow your employees to store customer/end user data on their personal devices?
A: Employees do not store customer data on their personal or work-related devices.

Q: Do you have a diagram showing all data flows, interactions, and installed components?
A: Yes, see the Data Flow diagram here: https://docs.google.com/presentation/d/1tUKXhebgtNDv5IBtqZ24X4XubLlSeqxUIElDtFqijCg/edit?usp=sharing

Q: Explain the secure process that is used to load/interface data to/from your system.
A: All data is communicated over HTTPS using TLS 1.2, regardless of whether it comes from our proprietary app, via API communication, or by direct entry by the client.
Assessments

Q: What is your PCI DSS Compliance?
A: We do not store any credit card information on our servers, so we do not maintain PCI DSS compliance. Payment processing is done using Recurly, which is PCI DSS Level 1, the highest level you can obtain.

Q: What kind of third party security assessments has your company completed?
A: We have completed independent penetration and security audits, the results of which are available.

Q: Will you make available a copy of the associated report or certificate from the independent third-party assessment?
A: Yes, the reports are available upon request.

Q: For your most recent independent third-party security program assessment: Were all identified Critical, High, and Medium risk findings/non-conformances/issues remediated?
A: We strive to resolve all identified findings as quickly as possible, informing the appropriate team of actions required.

Q: Outside of formal certifications, with which other industry security standards and frameworks does your security program align?
A: We are Privacy Shield self-certified.

Q: How often are penetration tests performed for the in-scope systems?
A: We perform penetration tests as frequently as necessary, and utilize multiple sources to ensure a broad range of testing results.

Q: For your most recent penetration test, were all identified Critical, High, and Medium risk findings remediated? If no, explain plans to address.
A: Yes, all critical, high and medium findings are immediately shared with the appropriate team for remediation.

Q: How often is vulnerability scanning performed?
A: We perform vulnerability scanning at the same time as penetration testing, so the timeframe is the same.

Q: Are internet-facing and internal network systems included in vulnerability scans?
A: Yes, we run tests against internet-facing and internal network systems as part of our pen testing and vulnerability tests.

Q: Were all identified High and Medium risk findings from the most recent vulnerability scan remediated?
A: Yes, all critical, high and medium findings are immediately shared with the appropriate team for remediation.
Access Control

Q: Do you support federated single sign-on (SSO), which would allow us to leverage our own identity management solution to authenticate our users to your application?
A: We can provide SSO options and Google Authentication.

Q: If SSO is not supported, describe password and other authentication controls.
A: Authentication without SSO is provided by a username and password combination. Passwords must be at least 8 characters and include 3 of the 4 character types (lowercase, uppercase, numbers, special characters).

Q: If SSO is not supported, is multi-factor authentication available?
A: MFA is possible with Google Auth; for non-SSO logins it is not supported at this time.

Q: Do you have formal procedures to request, approve, provision, de-provision, and review access rights for our employees to all data and systems that process and handle our data?
A: Yes, an account administrator for your organization has full control over security profiles and what they can access, along with user-level control over which employees can access the data.

Q: Do you have procedures in place to administer and manage system administrator accounts?
A: Yes, you have full control over which accounts can be granted administrator access and what tasks administrators can perform.

Q: Do you monitor the appropriate usage of system administrator accounts?
A: Yes, we have full control over system admins and closely evaluate who should be an admin and who should not.
Incident Management

Q: Do you have a 24x7x52 process to notify us in the event of a security incident (breach)?
A: We are constantly monitoring all systems, and if a breach is detected, an incident report will be released.

Q: Do you have network intrusion detection/intrusion prevention (IDS/IPS) systems in place for all Internet Points of Presence?
A: AWS monitors for and alerts on any detected intrusions or policy violations.

Q: Does your incident response plan include a process to determine if an information security incident has taken place?
A: Yes, privacy is key, and any incident would involve a full investigation to determine if any information was compromised.

Q: Do you have provisions in place (detection, revocation) in the event of the theft of a customer’s credentials?
A: Yes, any account's credentials can be revoked, and access to the system can also be revoked, invalidating the credentials. Client administrator users have this ability, along with our support and IT.

Q: Do you have measures in place to disrupt the lifecycle of a malicious attack?
A: Yes, we have an incident management plan that outlines how to mitigate malicious attacks.
Cryptography

Q: Do you encrypt data transmitted over a public network like the Internet?
A: All data is encrypted when being transmitted from the capture device to our servers, using TLS 1.2 or higher with strong ciphers.

Q: Do you encrypt customer data at rest (on your database) within your environment?
A: All data on Lead Liaison is stored encrypted on Amazon Aurora and uses SSL (AES-256) to secure the connection between the database instance and the application. Data at rest is encrypted using AWS Key Management Service (KMS). On Lead Liaison’s database running with Amazon Aurora encryption, data stored at rest in the underlying storage is encrypted using AES-256, as are its automated backups, snapshots, and replicas.

Q: Do you encrypt employee laptops?
A: Employees are not permitted to store customer data on their own devices, whether mobile or desktop.

Q: Do you encrypt backups (tape or disk)?
A: Yes, backups are also encrypted, just like data at rest in our running environment.

Q: Do you encrypt portable media (USB drives, tapes, etc.)?
A: No customer data is ever stored on portable media.

Q: Do you have policies and procedures established and mechanisms implemented for effective key management?
A: Yes, we keep our keys in AWS IAM and rotate our keys on a periodic basis.

Q: Do you use strong, one-way cryptographic hash functions to store passwords?
A: Yes, all passwords are stored using salted hashing algorithms.

Q: Does your server offer forward secrecy for clients that support it?
A: Yes, the server supports ECDHE and DHE ciphers that offer forward secrecy.

Q: Where is the SSL connection between the user and your application terminated?
A: At the application server.

Q: To improve security for your users even further, have you deployed HTTP Strict Transport Security (HSTS) on your server?
A: Yes, we have HSTS configured with a max-age value of at least 6 months on application servers.

Q: If your application supports authentication, are authentication cookies marked with the 'secure' attribute?
A: Yes, the authentication cookies are marked 'secure'.

Q: Are cookies decorated with the special keyword, 'HttpOnly'?
A: The HttpOnly keyword is set for all our authentication cookies.

Q: Does your application offer a "log out" button or link that, when clicked, not only terminates the session but also invalidates the session ID?
A: Yes.
Business Continuity/Disaster Recovery

Q: In the event of a disaster, describe when and how you would notify us of the event.
A: If a disaster affecting clients were to occur, notification would be provided by email or phone as appropriate.

Q: How often do you update and test your business continuity and IT disaster recovery plans?
A: The mobile apps can function without an internet connection or if servers are offline. Backups are consistently performed.

Q: What is your RTO (Recovery Time Objective)?
A: Our RTO is less than four hours.

Q: What is your RPO (Recovery Point Objective)?
A: In case of disaster, our RPO is 100% recovery.
Operations Security

Q: Do you have controls to manage malware/malicious code?
A: Yes, we do code reviews internally and also scan our services to ensure that no malicious code or attacks, such as cross-site scripting or SQL injection, occur.

Q: Do you have logging and monitoring processes in place for your infrastructure and applications?
A: Yes, we use AWS CloudWatch and database monitoring tools to keep track of system activity, both internally and externally.

Q: Do you protect logs from unauthorized access or tampering?
A: Yes, nobody can see logs unless they have access to our AWS console, which is guarded closely and protected with two-factor authentication.

Q: Do you review administrator and privileged account usage?
A: Yes, we review access periodically.

Q: Are there policies, procedures, and mechanisms implemented which define patch management?
A: Yes, we have a well-defined software release process that our engineering team adheres to when releasing software patches.

Q: How quickly are patches applied?
A: Software updates and patches are usually made once a week; however, when needed they can be applied within minutes.

Q: Do you use anti-malware and ensure that associated virus signature definitions are updated across all components as prescribed by industry best practices?
A: We standardize on McAfee for all of our endpoints. We have strict security profiles for who can access Amazon Web Services, where our Services are hosted.

Q: Do your engineers and your QA team look for potential security issues during release testing, and have they been trained to do so?
A: Yes, our QA process explicitly includes testing for security issues that might have been introduced in the new version.

Q: How would you describe your post-launch monitoring?
A: Robust: we have procedures in place to log and monitor for unexpected crashes, exceptions, and other error conditions. If something looks suspicious, a security-conscious engineer evaluates it.

Q: As an application using SQL, what steps do you take to ensure you are not vulnerable to injection attacks?
A: Our application uses the ORM (Object-Relational Mapping) in the framework. We also use prepared statements and let the framework handle the escaping. If a direct database query with user input is needed, the input is escaped following set SQL standards.

Q: What ORM framework are you using?
A: Doctrine.

Q: Describe your strategy for protecting against cross-site scripting (XSS).
A: Our application has a central choke point where all user input is validated and escaped depending on the context in which it will be interpreted.

Q: Are you using Unit Tests or similar methods?
A: Yes, we use unit tests.

Q: What strategy do you use to protect against XSRF?
A: We protect state-changing requests with tokens that are bound to the user they were generated for and that expire after a certain amount of time.
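
The token scheme the XSRF answer describes, bound to one user and limited in lifetime, as an added example that is not Lead Liaison's code: the 30-minute lifetime, the signing key, the token layout and the nonce are all assumptions, since the page states only the two properties.

```python
"""Anti-XSRF tokens bound to a user and limited in lifetime (added example,
not Lead Liaison's code). The server signs (user_id, issued_at, nonce) with a
key only it holds; the verifier recomputes the MAC, so no per-token server
state is needed and a token lifted from one user's page fails for any other
user. As the page notes, the check belongs in one central place (middleware)
so that no state-changing action is missed.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime; the page gives no figure

# Constructed demo key. A real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _mac_hex(payload: bytes, key: bytes = SERVER_KEY) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode()


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Return a token bound to user_id and stamped with its issue time."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)  # distinct token per rendered form
    payload = f"{user_id}|{issued_at}|{nonce}".encode()
    return base64.urlsafe_b64encode(payload + b"|" + _mac_hex(payload)).decode()


def verify_token(token: str, user_id: str, now: Optional[float] = None,
                 ttl: int = TOKEN_TTL_SECONDS) -> Tuple[bool, str]:
    """Check the signature, then the user binding, then the age."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac_hex = raw.rsplit(b"|", 1)
        tok_user, issued_str, _nonce = payload.decode().rsplit("|", 2)
        issued_at = int(issued_str)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    # Constant-time comparison; nothing parsed above is trusted until it passes.
    if not hmac.compare_digest(mac_hex, _mac_hex(payload)):
        return False, "bad signature"
    if tok_user != user_id:
        return False, "token belongs to another user"
    if now - issued_at > ttl:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    t = issue_token("alice")
    print(verify_token(t, "alice"))  # (True, 'ok')
    print(verify_token(t, "bob"))    # (False, 'token belongs to another user')
```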
Mobile Device Solution

Q: Is data encrypted in transit from a user’s device to the hosting platform?
A: Yes, all data is encrypted over HTTPS using TLS 1.2 or higher, with strong cipher requirements.

Q: Are permissions required for the application to function normally?
A: There are no required permissions by default. If you wish to utilise badge or business card scanning, then camera permission is needed. If you wish to use voice recording, then microphone permission is needed. If you wish to receive push notifications from the app, then that permission would be needed.

Q: Are users authenticated and authorized for the mobile application?
A: Devices are tracked, and a unique event code is utilised to deploy the capture form to the device.

Q: Are the user credentials persistent, which could allow access to the application until the token expires, and potentially after the employee leaves the company?
A: Event codes and device access can be changed by an account administrator to cancel or invalidate any device's access.

Q: Is device/user specific data collected and stored from the application (i.e. location, credentials, etc.)?
A: The data collected is up to the person who creates the collection form and which options they deem required to be added.

Q: Is data stored locally on the mobile device?
A: Data is stored locally temporarily, until a connection can be made to the server to transmit the collected data.
Supplier Relationships

Q: Do you ensure that your third-party partners adhere to your Security and Privacy policies?
A: Yes, all third-party partners are reviewed before any implementation begins.
Privacy and Compliance

Q: Can you handle "model contract clause" requests from customers to meet EU Directive compliance?
A: Model contract clauses and data provision addendums may be possible on a contract-by-contract basis. Talk with your sales rep or CSM for details. For general privacy, we are self-certified with Privacy Shield.

Q: Will personal data move across national borders or from Europe to the United States?
A: If the capture device is outside the US, then information will be sent to the US for processing and holding. Internally, data never leaves US servers. EU-only data locations are possible; contact sales for more information.

Q: How is consent (opt-in/opt-out) handled (particularly for EU employees)?
A: No data is collected about employees that would require consent. Event forms can include as much or as little consent wording as needed to meet your requirements.

Q: Explain how you comply with EU cookie law.
A: Accounts can configure cookies to track information, or not to be used for tracking, depending on local requirements.

Q: Are you authorized for the EU Binding Corporate Rules for data processes? If not and you handle/transfer personal information on a global basis, explain how you comply with global data transfer laws.
A: We adhere to the US-EU Privacy Shield, https://www.privacyshield.gov/participant?id=a2zt0000000Cbv5AAC.
Information Transfer

Q: Provide a diagram showing all data flows, interactions, and installed components.
A: See the Data Flow diagram here: https://docs.google.com/presentation/d/1tUKXhebgtNDv5IBtqZ24X4XubLlSeqxUIElDtFqijCg/edit?usp=sharing

Q: Is Personal Information handled by you processed and protected in accordance with global information protection laws, subpoena, EU data protection, and litigation freeze?
A: Yes, as outlined in our Data Architecture, Privacy, and Security Policy, we take extra steps to make sure our customers' data is secure. We also have a Data Protection Agreement (DPA) that customers can sign for added assurance that their data is being protected.

Q: In the event of a subpoena, do you logically segment and encrypt data so that it may be produced and recovered for a single customer only, without inadvertently accessing another customer's data?
A: Yes, we keep all data in a relational database and can reference and recover data by customer ID.

Q: Do you support litigation holds (freeze of data from a specific point in time)?
A: Yes, we can take snapshots of our database and store the information on hold.

Q: Does your application protect all state-changing actions against XSRF?
A: Yes, all state-changing actions are protected. We have a way to ensure that no actions are missed (such as enforcing XSRF-token checks in a central place).

Q: Does your application protect against 'clickjacking'?
A: X-Frame-Options: SAMEORIGIN is included in the headers of all pages that should never be iframed.

Q: Does the application set a valid and appropriate content type and character set for each page (in the 'Content-Type' HTTP header)?
A: Yes, we take great care to set this, knowing that otherwise we might be introducing XSS vulnerabilities.
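
A customer can verify the browser-side claims made in the Cryptography and Information Transfer answers (HSTS max-age of at least 6 months, Secure and HttpOnly on authentication cookies, X-Frame-Options, Content-Type with a charset) against a captured response. The script below is an added example, not Lead Liaison's code; both sample responses are constructed and the cookie name SESSID is an assumption, not a name from the questionnaire.

```python
"""Audit a captured HTTPS response for the browser-side controls claimed in the
Cryptography and Information Transfer answers: HSTS max-age of at least 6
months, Secure and HttpOnly on authentication cookies, X-Frame-Options, and a
Content-Type with charset. Added example, not Lead Liaison's code; the sample
responses are constructed and the cookie name SESSID is an assumption."""
import re
from typing import Dict, List, Tuple

SIX_MONTHS = 180 * 24 * 3600  # the questionnaire's "at least 6 months"

# Constructed: a response that satisfies every claim.
GOOD_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Set-Cookie: SESSID=c0nstructed; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: lang=en; Path=/
"""
# Constructed: short HSTS, no frame protection, no charset, cookie lacks HttpOnly.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=3600
Set-Cookie: SESSID=c0nstructed; Path=/; Secure
"""


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """(name, value) pairs from a raw header block; repeats like Set-Cookie are kept."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw: str, auth_cookies: Tuple[str, ...] = ("SESSID",)) -> Dict[str, bool]:
    """Return one pass/fail flag per questionnaire claim."""
    hdrs = parse_headers(raw)

    def values(name: str) -> List[str]:
        return [v for k, v in hdrs if k == name]

    hsts = values("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    xfo = [v.upper() for v in values("x-frame-options")]
    ctype = values("content-type")
    seen_auth_cookie, flags_ok = False, True
    for cookie in values("set-cookie"):
        name, _, rest = cookie.partition("=")
        if name.strip() in auth_cookies:
            seen_auth_cookie = True
            attrs = {a.strip().lower() for a in rest.split(";")[1:]}
            flags_ok = flags_ok and {"secure", "httponly"} <= attrs
    return {
        "hsts_max_age_6mo": m is not None and int(m.group(1)) >= SIX_MONTHS,
        # DENY also blocks framing; SAMEORIGIN is what the page states.
        "clickjacking_xfo": bool(xfo) and xfo[0] in ("SAMEORIGIN", "DENY"),
        "content_type_charset": bool(ctype) and "charset=" in ctype[0].lower(),
        "auth_cookie_flags": seen_auth_cookie and flags_ok,
    }
```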
Human Resources Security

Q: Do you perform background investigations for all personnel (employees and contractors) who have access to infrastructure, servers, applications, and data?
A: Yes, background checks are performed for those team members who need access to sensitive data.

Q: Are all personnel who have access to systems or data trained for the secure handling of that information?
A: Yes, all access is limited to only those who require it, and training is performed to ensure privacy, security, and proper handling.

Q: Is a disciplinary process in place for employees who knowingly deviate from policies?
A: Yes, there is a zero-tolerance policy for deviation from established policies.
Asset Management

Q: Is a process in place to wipe data from hardware before it is disposed or reused?
A: No data is stored outside Amazon services. Amazon is certified ISO/IEC 27001:2013, 27017:2015, 27018:2019, and ISO/IEC 9001:2015 for compliance with data storage policies.
Authentication

Q: What authentication options are available (password, hardware token, software token, SMS, client certificate, SAML/OAUTH/SSO, other)?
A: Secure password, SSO, and Google OAuth are the authentication options for web app access.

Q: Can the product be configured to require two factors of authentication (e.g. password + client certificate)?
A: We do not offer two-factor logins for secure password authentication at this time; however, this is on our roadmap. Google OAuth can require it if needed.

Q: Are passwords and other authentication credentials stored as a one-way hash? If so, which hash algorithm is used, are they salted, and how long is the salt?
A: Yes, they are stored as a one-way hash. We use salt + bcrypt. The salt is 21 characters.

Q: What is the minimum password length?
A: 8 characters minimum, with at least 1 uppercase letter, 1 lowercase letter, and 1 number or special character.

Q: Is the password complexity configurable by the customer? If so, what parameters are configurable?
A: Password complexity is not configurable at this time.

Q: Do repeated authentication failures trigger a lockout? If so, how many failures and how long is the lockout?
A: 5 failures will trigger a 15-minute lockout.

Q: Are the lockout parameters configurable?
A: We are working on adding this feature.

Q: What is the password reset procedure for a lost/forgotten password?
A: A link is sent to the user's email address to reset the password.

Q: Can authentication attempts be restricted to only the customer's IP addresses?
A: We do not offer restriction by IP at this time.

Q: Do authenticated sessions expire? If so, what is the enforcement mechanism (e.g. encoded client-side cookie, server-encrypted client-side cookie, or server state table)?
A: Yes, sessions expire. We use a client-side cookie in addition to server-side management.

Q: What is your method for building and maintaining Session IDs?
A: We use a combination of PHP sessions and an application-generated security token.
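
The password rule and lockout stated above (8 characters with 1 upper, 1 lower and 1 number or special character; 5 failures trigger a 15-minute lockout) as an added reference implementation, not Lead Liaison's code. How the real service stores its counters and checks credentials is not on the page, so the in-memory counters and the injected credential check are assumptions.

```python
"""Login guard for the policies stated in the Authentication answers:
passwords of at least 8 characters with 1 upper, 1 lower and 1 number or
special character, and a 15-minute lockout after 5 consecutive failures.

Added example, not Lead Liaison's code. The page does not say how the real
service stores its counters; this version keeps them in memory (assumption).
"""
import time
from typing import Callable, Dict, Optional

MIN_LENGTH = 8
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


def password_meets_policy(pw: str) -> bool:
    """8+ characters, at least one upper, one lower, and one digit or special."""
    if len(pw) < MIN_LENGTH:
        return False
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit_or_special = any(c.isdigit() or not c.isalnum() for c in pw)
    return has_upper and has_lower and has_digit_or_special


class LoginGuard:
    """Tracks consecutive failures per username and enforces the lockout."""

    def __init__(self, verify_credentials: Callable[[str, str], bool]):
        self._verify = verify_credentials  # assumed: (user, password) -> bool
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def seconds_locked(self, user: str, now: float) -> int:
        """Remaining lockout time in seconds, 0 when the account is not locked."""
        return max(0, int(self._locked_until.get(user, 0.0) - now))

    def attempt(self, user: str, password: str,
                now: Optional[float] = None) -> str:
        """Returns 'ok', 'locked' or 'failed'."""
        now = time.time() if now is None else now
        if self.seconds_locked(user, now) > 0:
            # Credentials are not evaluated while locked, so an attempt made
            # during the lockout reveals nothing about the password.
            return "locked"
        if self._verify(user, password):
            self._failures.pop(user, None)
            self._locked_until.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        if count >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures.pop(user, None)  # counting restarts after the lockout
        else:
            self._failures[user] = count
        return "failed"
```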