LeaveLogic Security Overview
LeaveLogic is a Business-to-Business (B2B) Software as a Service (SaaS) technology platform that makes leave easier for employees and employers. This means we need to collect some important data about employees and employers. This whitepaper outlines the controls LeaveLogic has in place to ensure this customer data remains safe and customer interactions with LeaveLogic secure.
- Service Organization Controls (SOC2) Type 1 Trust Services Principles (Type 2 expected Q4 2021)
- LeaveLogic services are hosted and managed in the cloud using Amazon Web Services (AWS) in a Common Security Framework (CSF) Certified Virtual Private Cloud (VPC) environment verified by the Health Information Trust Alliance (HITRUST). This independent, third-party certification assures organizations that the cloud computing, backup, disaster-recovery and professional services capabilities meet the highest standards for managing security risks and protecting health information. Learn more about CSF certification by HITRUST at https://hitrustalliance.net/about-hitrust/ .
All data is stored in the United States in multi-tenant data stores.
3. Access Controls
Access to servers, infrastructure, and databases is governed by access rights that are controlled, monitored, and regularly reviewed to ensure access is granted in a least privilege manner. Access to sensitive data requires two-factor authentication and/or connection via a whitelisted IP address range and all users adhere to strong password policies.
4. Data Protections
4.1. DATA ENCRYPTED AT REST
LeaveLogic databases are stored on encrypted AWS Elastic Block Store (EBS) volumes using AES-256 encryption. Encrypted data backups are taken regularly and redundantly stored across multiple facilities and devices within each facility. Encryption keys are stored and managed separately from the data and the data keys.
4.2. DATA ENCRYPTED IN TRANSIT
Communications with LeaveLogic servers are encrypted by default using industry standard TLS/SSL.
5. Credential Management
LeaveLogic follows secure credential storage best practices by salting and hashing user passwords.
5.1. VULNERABILITY MANAGEMENT
LeaveLogic and its supporting infrastructure are reviewed weekly for potentially harmful vulnerabilities. We use host-based security solutions to analyze the application and production infrastructure to ensure that any vulnerabilities are identified, prevented, and mitigated quickly including Web application vulnerabilities such as cross-site scripting (XSS), and SQL injections.
6. Penetration Testing
LeaveLogic engages at least annually with well-regarded third-party auditors to conduct application penetration testing and works with them to resolve potential issues.
LeaveLogic keeps real-time audit logs that include log in events, service calls, data access, and system changes that are inspected automatically and manually at regular intervals for potential treats and security events.
LeaveLogic complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries.
Last updated: July 2021
Copyright © 2021, LeaveLogic, Inc. All rights reserved.