| Category | Question | Answer |
|---|---|---|
| Data Location | Name of Hosting Provider/Data Center Facility that will store or process data. (Where will the data be hosted?) | Amazon Web Services (AWS), US East (N. Virginia) data centers. Data is stored in multiple Availability Zones (AZs) for disaster recovery. |
| Data Location | If this is a Cloud solution, which cloud architecture do you support (Multi-tenant or Multi-instance)? | Multi-tenant. Lead Liaison can optionally provide an instance specifically for you. Contact your Sales Manager for more information. |
| Data Location | Who from your company, the hosting provider, and anyone in your supply chain, has access to data? | Data is encrypted at rest. Our hosting provider does not have access. Key employees only have access as needed. Except in the scenarios described in the Infrastructure and Sub-Processors for the Lead Liaison Services document, Lead Liaison owns or controls access to the infrastructure that Lead Liaison uses to store data submitted by customers to the Lead Liaison Services ("Customer Data"). |
| Data Location | In what countries are the data stored? | All data is stored in the United States. Contact your Sales Manager for information and pricing on customized instances in non-U.S. data centers. |
| Data Location | What certifications do you have for processing data? | All processing and storage of data is performed on Lead Liaison's servers hosted in ISO 27001 certified data centers. Our data centers are also ISO/IEC 27017:2015, ISO/IEC 27018:2019, and ISO 9001:2015 certified. |
| Data Location | Do you allow your employees to store customer/end user data on their personal devices? | Employees do not store customer data on their personal or work-related devices. |
| Data Location | Do you have a diagram showing all data flows, interactions, and installed components? | Yes, see the Data Flow diagram here: https://docs.google.com/presentation/d/1tUKXhebgtNDv5IBtqZ24X4XubLlSeqxUIElDtFqijCg/edit?usp=sharing |
| Data Location | Explain the secure process that is used to load/interface data to/from your system. | All data is communicated over HTTPS using TLS 1.2, regardless of whether it comes from our proprietary app, via API communication, or by direct entry by the client. |
| Assessments | What is your PCI DSS compliance? | We do not store any credit card information on our servers, so we do not maintain PCI DSS compliance ourselves. Payment processing is done using Recurly, which is PCI DSS Level 1, the highest level obtainable. |
| Assessments | What kind of third-party security assessments has your company completed? | We have completed independent penetration and security audits, the results of which are available. |
| Assessments | Will you make available a copy of the associated report or certificate from the independent third-party assessment? | Yes, the reports are available upon request. |
| Assessments | For your most recent independent third-party security program assessment: were all identified Critical, High, and Medium risk findings/non-conformances/issues remediated? | We strive to resolve all identified findings as quickly as possible, informing the appropriate team of the actions required. |
| Assessments | Outside of formal certifications, with which other industry security standards and frameworks does your security program align? | We are Privacy Shield self-certified. |
| Assessments | How often are penetration tests performed for the in-scope systems? | We perform penetration tests as frequently as necessary, and utilize multiple sources to ensure a broad range of testing results. |
| Assessments | For your most recent penetration test, were all identified Critical, High, and Medium risk findings remediated? If no, explain plans to address. | Yes, all critical, high, and medium findings are immediately shared with the appropriate team for remediation. |
| Assessments | Do you have SOC 2 Type 2 or ISO 27001? | While we do not have SOC 2 Type 2 or ISO 27001 certification ourselves, we do not maintain any physical hardware. Our infrastructure is built around AWS. AWS is SOC 2 Type 2 and ISO 27001 certified, and they maintain responsibility for protecting the infrastructure of all services. |
| Assessments | How often is vulnerability scanning performed? | We perform vulnerability scanning at the same time as penetration testing, so the timeframe is the same. |
| Assessments | Are internet-facing and internal network systems included in vulnerability scans? | Yes, we run tests against internet-facing and internal network systems as part of our pen testing and vulnerability tests. |
| Assessments | Were all identified High and Medium risk findings from the most recent vulnerability scan remediated? | Yes, all critical, high, and medium findings are immediately shared with the appropriate team for remediation. |
| Access Control | Do you support federated single sign-on (SSO), which would allow us to leverage our own identity management solution to authenticate our users to your application? | We can provide SSO options and Google Authentication. |
| Access Control | If SSO is not supported, describe password and other authentication controls. | Authentication without SSO is provided by a username and password combination. Passwords have complexity requirements of 8 characters minimum and must consist of 3 out of 4 character types (lowercase, uppercase, numbers, special characters). |
| Access Control | If SSO is not supported, is multi-factor authentication available? | MFA is possible with Google Auth; for non-SSO it is not supported at this time. |
| Access Control | Do you have formal procedures to request, approve, provision, de-provision, and review access rights for our employees to all data and systems that process and handle our data? | Yes, an account administrator for your organization has full control over security profiles and what they can access, along with user control of which employees can access the data. |
| Access Control | Do you have procedures in place to administer and manage system administrator accounts? | Yes, you have full control over which accounts can be granted administrator access and what tasks administrators can perform. |
| Access Control | Do you monitor the appropriate usage of system administrator accounts? | Yes, we have full control over system admins and closely evaluate who should be an admin and who should not. |
| Incident Management | Do you have a 24x7x52 process to notify us in the event of a security incident (breach)? | We are constantly monitoring all systems, and if a breach is detected an incident report will be released. |
| Incident Management | Do you have network intrusion detection/intrusion prevention (IDS/IPS) systems in place for all Internet Points of Presence? | AWS monitors and alerts on any detected intrusions or policy violations. |
| Incident Management | Does your incident response plan include a process to determine if an information security incident has taken place? | Yes, privacy is key, and any incident would involve a full investigation to determine if any information was compromised. |
| Incident Management | Do you have provisions in place (detection, revocation) in the event of the theft of a customer's credentials? | Yes, any account's credentials can be revoked, and access to the system can also be revoked, invalidating the credentials. Client administrator users have this ability, along with our support and IT. |
| Incident Management | Do you have measures in place to disrupt the lifecycle of a malicious attack? | Yes, we have an incident management plan that outlines how to mitigate malicious attacks. |
| Cryptography | Do you encrypt data transmitted over a public network like the Internet? | All data is encrypted when being transmitted from the capture device to our servers using TLS 1.2 or higher with strong ciphers. |
| Cryptography | Do you encrypt customer data at rest (on your database) within your environment? | All data on Lead Liaison is stored encrypted on Amazon Aurora and uses SSL (AES-256) to secure the connection between the database instance and the application. Data at rest is encrypted using AWS Key Management Service (KMS). On Lead Liaison's database running with Amazon Aurora encryption, data stored at rest in the underlying storage is encrypted using AES-256, as are its automated backups, snapshots, and replicas. |
| Cryptography | Do you encrypt employee laptops? | Employees are not permitted to store customer data on their own devices, regardless of whether mobile or desktop. |
| Cryptography | Do you encrypt backups (tape or disk)? | Yes, backups are also encrypted, just like data at rest in our running environment. |
| Cryptography | Do you encrypt portable media (USB drives, tapes, etc.)? | No customer data is ever stored on portable media. |
| Cryptography | Do you have policies and procedures established and mechanisms implemented for effective key management? | Yes, we keep our keys in AWS IAM and rotate our keys on a periodic basis. |
| Cryptography | Do you use strong, one-way cryptographic hash functions to store passwords? | Yes, all passwords are stored using salted hashing algorithms. |
| Cryptography | Does your server offer forward secrecy for clients that support it? | Yes, the server supports ECDHE and DHE ciphers that offer forward secrecy. |
| Cryptography | Where is the SSL connection between the user and your application terminated? | At the application server. |
| Cryptography | To improve security for your users even further, have you deployed HTTP Strict Transport Security (HSTS) on your server? | Yes, we have HSTS configured with a max-age value of at least 6 months on application servers. |
| Cryptography | If your application supports authentication, are authentication cookies marked with the 'secure' attribute? | Yes, the authentication cookies are marked 'secure'. |
| Cryptography | Are cookies decorated with the special keyword 'HttpOnly'? | The HttpOnly keyword is set for all our authentication cookies. |
| Cryptography | Does your application offer a "log out" button or link that, when clicked, not only terminates the session but also invalidates the session ID? | Yes. |
| Business Continuity/Disaster Recovery | In the event of a disaster, describe when and how you would notify us of the event. | If a client-affecting disaster were to occur, notification would be provided by email or phone as appropriate. |
| Business Continuity/Disaster Recovery | How often do you update and test your business continuity and IT disaster recovery plans? | The mobile apps can function without an internet connection or if servers are offline. Backups are consistently performed. |
| Business Continuity/Disaster Recovery | What is your RTO (Recovery Time Objective)? | Our RTO is less than four hours. |
| Business Continuity/Disaster Recovery | What is your RPO (Recovery Point Objective)? | In case of disaster, our RPO is 100% recovery. |
| Operations Security | Do you have controls to manage malware/malicious code? | Yes, we do code reviews internally and also scan our services to ensure that no malicious code, such as cross-site scripting or SQL injection attacks, occurs. |
| Operations Security | Do you have logging and monitoring processes in place for your infrastructure and applications? | Yes, we use AWS CloudWatch and database monitoring tools to keep track of system activity, both internally and externally. |
| Operations Security | Do you protect logs from unauthorized access or tampering? | Yes, nobody can see logs unless they have access to our AWS console, which is guarded closely and protected with two-factor authentication. |
| Operations Security | Do you review administrator and privileged account usage? | Yes, we review access periodically. |
| Operations Security | Are there policies, procedures, and mechanisms implemented which define patch management? | Yes, we have a well-defined software release process that our engineering team adheres to when releasing software patches. |
| Operations Security | How quickly are patches applied? | Software updates and patches are usually made once a week; however, when needed they can be applied within minutes. |
| Operations Security | Do you use anti-malware and ensure that associated virus signature definitions are updated across all components as prescribed by industry best practices? | We standardize on McAfee for all of our endpoints. We have strict security profiles for who can access Amazon Web Services, where our Services are hosted. |
| Operations Security | Do your engineers and your QA team look for potential security issues during release testing, and have they been trained to do so? | Yes, our QA process explicitly includes testing for security issues that might have been introduced in the new version. |
| Operations Security | How would you describe your post-launch monitoring? | Robust: we have procedures in place to log and monitor for unexpected crashes, exceptions, and other error conditions. If something looks suspicious, a security-conscious engineer evaluates it. |
| Operations Security | As an application using SQL, what steps do you take to ensure you are not vulnerable to injection attacks? | Our application uses the ORM (Object-Relational Mapping) in the framework. We also use prepared statements and let the framework handle the escaping; if an instance occurs where a direct database query with user input is needed, it is escaped following established SQL standards. |
| Operations Security | What ORM framework are you using? | Doctrine. |
| Operations Security | Describe your strategy for protecting against cross-site scripting (XSS). | Our application has a central choke point where all user input is validated and escaped depending on the context in which it will be interpreted. |
| Operations Security | Are you using unit tests or similar methods? | Yes, we use unit tests. |
| Operations Security | What strategy do you use to protect against XSRF? | We protect requests that change state with tokens that are bound to the user they were generated for, and that expire after a certain amount of time. |
| Mobile Device Solution | Is data encrypted in transit from a user's device to the hosting platform? | Yes, all data is encrypted by HTTPS using TLS 1.2 or higher, along with strong cipher requirements. |
| Mobile Device Solution | Are permissions required for the application to function normally? | There are no required permissions by default. If you wish to utilise badge or business card scanning, then camera permission is needed. If you wish to use voice recording, then microphone permission is needed. If you wish to receive push notifications from the app, then that permission would be needed. |
| Mobile Device Solution | Are users authenticated and authorized for the mobile application? | Devices are tracked, and a unique event code is utilised to deploy the capture form to the device. |
| Mobile Device Solution | Are the user credentials persistent, which could allow access to the application until the token expires, and potentially after the employee leaves the company? | Event codes and device access can be changed by an account administrator to cancel or invalidate any device's access. |
| Mobile Device Solution | Is device/user-specific data collected and stored from the application (i.e. location, credentials, etc.)? | The data collected is up to the person who creates the collection form and what options they deem required to be added. |
| Mobile Device Solution | Is data stored locally on the mobile device? | Data is stored locally temporarily, until a connection can be made to the server to transmit the collected data. |
| Supplier Relationships | Do you ensure that your third-party partners adhere to your Security and Privacy policies? | Yes, all third-party partners are reviewed before any implementation begins. |
| Privacy and Compliance | Can you handle "model contract clause" requests from customers to meet EU Directive compliance? | Model contract clauses and data provision addendums may be possible on a contract-by-contract basis. Talk with your sales rep or CSM for details. For general privacy, we are self-certified with Privacy Shield. |
| Privacy and Compliance | Will personal data move across national borders or from Europe to the United States? | If the capture device is outside the US, then information will be sent to the US for processing and holding. Internally, data never leaves US servers. EU-only data locations are possible; contact sales for more information. |
| Privacy and Compliance | How is consent (opt-in/opt-out) handled (particularly for EU employees)? | No data is collected about employees that would require consent. Event forms can have as much or as little consent as needed to meet your requirements. |
| Privacy and Compliance | Explain how you comply with EU cookie law. | Accounts can configure cookies to track information, or not to be used in tracking, depending on local requirements. |
| Privacy and Compliance | Are you authorized for the EU Binding Corporate Rules for data processes? If not, and you handle/transfer personal information on a global basis, explain how you comply with global data transfer laws. | We adhere to the US-EU Privacy Shield, https://www.privacyshield.gov/participant?id=a2zt0000000Cbv5AAC. |
| Information Transfer | Provide a diagram showing all data flows, interactions, and installed components. | See the Data Flow diagram here: https://docs.google.com/presentation/d/1tUKXhebgtNDv5IBtqZ24X4XubLlSeqxUIElDtFqijCg/edit?usp=sharing |
| Information Transfer | Is Personal Information handled by you processed and protected in accordance with global information protection laws, subpoena, EU data protection, and litigation freeze? | Yes, as outlined in our Data Architecture, Privacy, and Security Policy, we take extra steps to make sure our customers' data is secure. We also have a Data Protection Agreement (DPA) that customers can sign for added assurance that their data is being protected. |
| Information Transfer | In the event of a subpoena, do you logically segment and encrypt data so that it may be produced and recovered for a single customer only, without inadvertently accessing another customer's data? | Yes, we keep all data in a relational database and can reference and recover data by customer ID. |
| Information Transfer | Do you support litigation holds (freeze of data from a specific point in time)? | Yes, we can take snapshots of our database and store the information on hold. |
| Information Transfer | Does your application protect all state-changing actions against XSRF? | Yes, all state-changing actions are protected. We have a way to ensure that no actions are missed (such as enforcing XSRF-token checks in a central place). |
| Information Transfer | Does your application protect against 'clickjacking'? | X-Frame-Options: SAMEORIGIN is included in the headers of all pages that should never be iframed. |
| Information Transfer | Does the application set a valid and appropriate content type and character set for each page (in the 'Content-Type' HTTP header)? | Yes, we take great care to set this, knowing that otherwise we might be introducing XSS vulnerabilities. |
| Human Resources Security | Do you perform background investigations for all personnel (employees and contractors) who have access to infrastructure, servers, applications, and data? | Yes, background checks are performed for those team members that need access to sensitive data. |
| Human Resources Security | Are all personnel who have access to systems or data trained for the secure handling of that information? | Yes, all access is limited to only those who require it, and training is performed to ensure privacy, security, and proper handling. |
| Human Resources Security | Is a disciplinary process in place for employees who knowingly deviate from policies? | Yes, there is a zero-tolerance policy for deviation from established policies. |
| Asset Management | Is a process in place to wipe data from hardware before it is disposed of or reused? | No data is stored outside Amazon services. Amazon is certified ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, and ISO 9001:2015 for compliance of data storage policies. |
| Authentication | What authentication options are available (password, hardware token, software token, SMS, client certificate, SAML/OAuth/SSO, other)? | Secure password, SSO, and Google OAuth are the authentication options for web app access. |
| Authentication | Can the product be configured to require two factors of authentication (e.g. password + client certificate)? | We do not offer two-factor logins for secure password authentication at this time; however, we have a plan to do so on our roadmap. Google OAuth can require it if it is a needed requirement. |
| Authentication | Are passwords and other authentication credentials stored as a one-way hash? If so, which hash algorithm is used, are they salted, and how long is the salt? | Yes, they are stored as a one-way hash. We use salt + bcrypt. The salt is 21 characters. |
| Authentication | What is the minimum password length? | 8 characters minimum length, with a requirement of 1 uppercase letter, 1 lowercase letter, and 1 number or special character. |
| Authentication | Is the password complexity configurable by the customer? If so, what parameters are configurable? | Password complexity is not configurable at this time. |
| Authentication | Do repeated authentication failures trigger a lockout? If so, how many failures and how long is the lockout? | 5 failures will trigger a 15-minute lockout. |
| Authentication | Are the lockout parameters configurable? | We are working on adding this feature. |
| Authentication | What is the password reset procedure for a lost/forgotten password? | A link is provided to the user's email address to reset the password. |
| Authentication | Can authentication attempts be restricted to only the customer's IP addresses? | We do not offer restriction by IP at this time. |
| Authentication | Do authenticated sessions expire? If so, what is the enforcement mechanism (e.g. encoded client-side cookie, server-encrypted client-side cookie, or server state table)? | Yes, sessions expire. We use a client-side cookie in addition to server-side management. |
| Authentication | What is your method for building and maintaining session IDs? | We use a combination of both PHP sessions and an application-generated security token. |
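The SQL injection answer above rests on prepared statements, and the subpoena answer on being able to pull one customer's rows by customer ID in a shared multi-tenant database. The following is an added example (not Lead Liaison's code; their stack is PHP/Doctrine, and parameter binding there works the same way) showing, on a constructed in-memory SQLite table, why the string-built query lets one tenant read another tenant's leads while the bound-parameter query does not. The table, rows and attacker payload are constructed for illustration.

```python
"""Vulnerable vs. parameterized query on a constructed multi-tenant leads table.

Added example, not Lead Liaison code. The schema, rows and payload are made up.
"""
import sqlite3


def _db():
    """Constructed sample data: two tenants (customer_id 1 and 2) sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE leads (id INTEGER PRIMARY KEY, email TEXT, customer_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO leads (email, customer_id) VALUES (?, ?)",
        [("a@example.com", 1), ("b@example.com", 1), ("c@example.com", 2)],
    )
    return conn


def leads_for_customer_vulnerable(conn, customer_id):
    """Builds the statement by string formatting: the input becomes SQL syntax."""
    sql = f"SELECT email FROM leads WHERE customer_id = '{customer_id}'"
    return [row[0] for row in conn.execute(sql)]


def leads_for_customer_safe(conn, customer_id):
    """Parameter binding: the driver passes the value separately from the SQL text,
    so the input can never change the statement's structure (only its data)."""
    rows = conn.execute(
        "SELECT email FROM leads WHERE customer_id = ?", (customer_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = _db()
    # Constructed attacker input: tenant 2 trying to widen the WHERE clause to everyone.
    payload = "2' OR '1'='1"
    print("vulnerable:", leads_for_customer_vulnerable(conn, payload))
    print("safe:      ", leads_for_customer_safe(conn, payload))
```

The vulnerable function returns all three rows for the payload because the quote closes the literal and `OR '1'='1'` is always true; the safe function returns nothing, since the whole payload is compared as a single value against `customer_id`. The same holds for Doctrine's DQL and QueryBuilder when values go through `setParameter` rather than string concatenation.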
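The two XSRF answers describe tokens bound to the user they were issued for, with a lifetime, checked at one central place for every state-changing request. As an added example (not Lead Liaison's code; their application is PHP, this is a Python sketch of the same design), here is a stateless implementation: the token carries its expiry and an HMAC over user, session and expiry, so a token lifted from one user's page is useless in another user's session and dies on its own after the TTL. `SECRET`, the 30-minute lifetime, the `_csrf` form field name and the `csrf_gate` function are assumptions.

```python
"""User- and session-bound, expiring anti-CSRF tokens with a single enforcement point.

Added example, not Lead Liaison code. SECRET, TOKEN_TTL and the field name are assumed.
"""
import base64
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)      # assumed per-deployment key; load from a secret store in production
TOKEN_TTL = 30 * 60          # assumed lifetime: 30 minutes
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _sign(user_id, session_id, expires):
    """HMAC-SHA256 over the identity the token is bound to and its expiry."""
    msg = f"{user_id}|{session_id}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()


def issue_token(user_id, session_id, now=None):
    """Token = urlsafe_b64(expiry(8 bytes) || HMAC). No server-side table needed."""
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    mac = _sign(user_id, session_id, expires)
    return base64.urlsafe_b64encode(expires.to_bytes(8, "big") + mac).decode()


def verify_token(token, user_id, session_id, now=None):
    """True only if the token was minted for this user+session and has not expired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        return False
    if len(raw) != 8 + 32:
        return False
    expires = int.from_bytes(raw[:8], "big")
    mac = raw[8:]
    if (now if now is not None else time.time()) > expires:
        return False
    # constant-time comparison so a forger cannot time their way to a valid MAC
    return hmac.compare_digest(mac, _sign(user_id, session_id, expires))


def csrf_gate(method, form, user_id, session_id, now=None):
    """The central choke point: every state-changing method must carry a valid token.
    Returns True when the request may proceed, False when it must be rejected."""
    if method.upper() not in STATE_CHANGING:
        return True
    return verify_token(form.get("_csrf", ""), user_id, session_id, now=now)
```

Because the token is bound to the session ID as well as the user, logging out (which the questionnaire says invalidates the session ID) also invalidates every outstanding token for that session without any bookkeeping; rotating `SECRET` invalidates all tokens at once.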
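Several answers above are claims about HTTP response headers: HSTS with a max-age of at least six months, `Secure` and `HttpOnly` on authentication cookies, `X-Frame-Options: SAMEORIGIN` on pages that must not be framed, and a `Content-Type` with a character set. A customer reviewing the questionnaire can verify all of them from a single response. The following added example (not Lead Liaison's code) audits a list of headers against those claims; the two sample responses are constructed, the cookie names in `AUTH_COOKIES` are assumed, and "six months" is taken as 180 days.

```python
"""Audit HTTP response headers against the HSTS, cookie-flag, clickjacking and
Content-Type claims in a vendor questionnaire.

Added example, not Lead Liaison code. Sample responses and cookie names are constructed.
Feed `audit()` the header list from http.client, requests, or a `curl -i` dump.
"""
import re

SIX_MONTHS = 180 * 24 * 3600                 # assumed reading of "at least 6 months"
AUTH_COOKIES = {"PHPSESSID", "auth_token"}   # assumed names of the authentication cookies


def hsts_max_age(value):
    """max-age from a Strict-Transport-Security value, or None if absent/malformed."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)\"?", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def cookie_attributes(set_cookie):
    """Split a Set-Cookie value into (cookie name, {lower-cased attribute names})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit(headers):
    """headers: list of (name, value) pairs as received. Returns a list of findings;
    an empty list means every checked claim held for this response."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    hsts = by_name.get("strict-transport-security", [])
    if not hsts:
        findings.append("HSTS missing")
    else:
        age = hsts_max_age(hsts[0])
        if age is None or age < SIX_MONTHS:
            findings.append(f"HSTS max-age {age} below six months ({SIX_MONTHS})")

    for sc in by_name.get("set-cookie", []):
        name, attrs = cookie_attributes(sc)
        if name in AUTH_COOKIES:
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"cookie {name} lacks {flag}")

    xfo = [v.strip().upper() for v in by_name.get("x-frame-options", [])]
    csp = " ".join(by_name.get("content-security-policy", []))
    if not (xfo and xfo[0] in ("DENY", "SAMEORIGIN")) and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    ctype = by_name.get("content-type", [""])[0].lower()
    if ctype.startswith("text/html") and "charset=" not in ctype:
        findings.append("Content-Type text/html without charset")
    return findings


# Constructed sample: a response that matches what the questionnaire claims.
CLAIMED = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "auth_token=def456; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/"),   # non-auth cookie, flags not required
]

# Constructed sample of a weak deployment, to show what the audit flags.
WEAK = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("claimed", CLAIMED), ("weak", WEAK)):
        print(label, audit(hdrs) or "all checks passed")
```

Run it against the login page and one authenticated page, since cookie flags only appear on the response that sets the cookie and HSTS only counts when it is sent over HTTPS. The check accepts a CSP `frame-ancestors` directive as an alternative to `X-Frame-Options`, which goes slightly beyond the questionnaire's wording.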
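The Authentication section states the password rule (8 characters minimum with an uppercase letter, a lowercase letter, and a digit or special character) and the lockout rule (5 failures trigger a 15-minute lockout) as fixed, non-configurable values. The following added example (not Lead Liaison's code) implements exactly those two rules so their edge cases can be exercised: a locked account rejects even the correct password until the window ends, and the window's expiry resets the failure budget. The in-memory store and injectable clock are assumptions for offline testing.

```python
"""Password policy and account lockout as stated in the questionnaire.

Added example, not Lead Liaison code. In-memory state and the clock parameter are assumed.
"""
import string
import time

MIN_LENGTH = 8
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


def password_meets_policy(pw):
    """8+ chars with at least one uppercase, one lowercase, and one digit or special char."""
    if len(pw) < MIN_LENGTH:
        return False
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit_or_special = any(c.isdigit() or c in string.punctuation for c in pw)
    return has_upper and has_lower and has_digit_or_special


class LoginThrottle:
    """Counts consecutive failures per account; locks after MAX_FAILURES for LOCKOUT_SECONDS."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}       # account -> consecutive failure count
        self.locked_until = {}   # account -> unix time at which the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # lock expired: clear it and the counter so the user gets a fresh budget
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def attempt(self, account, password_ok):
        """Returns 'locked', 'ok' or 'failed'. A locked account is rejected even with the
        right password, so a guesser learns nothing during the lockout window."""
        if self.is_locked(account):
            return "locked"
        if password_ok:
            self.failures.pop(account, None)   # success resets the consecutive count
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "failed"
```

Note that per-account lockout alone does not slow a password-spraying attacker who tries one password across many accounts; the questionnaire's "no restriction by IP" answer means that case would need to be covered elsewhere (for example by IP-based rate limiting at the edge).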