Our security measures exceed industry standards for data protection and security. The full SOC 2 Type II report can be made available to customers and prospects under a non-disclosure agreement.
Trust Services Principles
LeanDNA is SOC 2 Type II certified for the Security and Confidentiality principles. The SOC 2 report can be made available to customers and prospects under NDA. LeanDNA’s cloud provider, AWS, has multiple security certifications, including SOC 2 Type II and ISO 27001. Information about AWS compliance programs can be found here: https://aws.amazon.com/compliance/programs/. SOC 2 reports are available from AWS under NDA.
LeanDNA has designated security personnel who are responsible for executing security policies and managing security incidents. The Security Personnel are overseen by executive management.
LeanDNA has developed and maintains specific internal guidelines to ensure that all employees are aware of proper procedures and accountable for ensuring the security of all systems and customer data. These policies have been verified by third-party auditors as part of SOC 2 compliance.
All employees are subject to disciplinary action for non-compliance with security policies, up to and including termination.
The following are LeanDNA Security policies:
LeanDNA’s access control policy applies to employee access to LeanDNA Web Application and supporting infrastructure. The established access control processes include, but are not limited to:
LeanDNA makes use of AWS CloudFront, AWS Route 53, and AWS Shield (Standard) to provide comprehensive DDoS protection against common DoS attacks.
LeanDNA audits many different types of events. Some of these events are available to qualified prospects and customers through an administrator view in the web application, and some can be made available upon request.
An external service regularly monitors the availability of the web application. When downtime is detected, alerts go out to on-duty staff using smartphone apps, instant messages, and emails. In addition, anomalies in LeanDNA logs are reported as email alerts to LeanDNA DevOps. Abnormal usage of AWS resources, such as low disk space or memory, generates email alerts. Active data pipeline monitoring detects and alerts our teams if customer data imports do not complete successfully and on time.
In the event of a security incident that relates to LeanDNA customer data, Security Personnel follow a formal incident response and escalation plan. In the event of a breach affecting customer data, customers would be notified in accordance with contract terms. Customers do not have additional responsibilities for incident response unless explicitly communicated or recommended by LeanDNA Support or Security Personnel. All incidents go through Detection, Analysis, Containment, Eradication, and Recovery stages, and conclude with a formal Retrospective step.
For questions about data privacy, refer to the Privacy Policy available on www.leandna.com.
All communication, even within the LeanDNA VPC in AWS, is encrypted in transit.
HTTPS: TLS 1.2 is the default; TLS 1.3 is supported. The RSA key size is 2048 bits. LeanDNA supports an industry-standard set of cipher suites, with a minimum cipher strength of 128 bits for symmetric key encryption.
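The HTTPS policy above (TLS 1.2 as the floor, TLS 1.3 allowed, nothing below 128-bit symmetric strength) is something a defender usually wants to enforce in code and then audit. The following is an added example written for this page, not LeanDNA's configuration or code; the cipher-list string, function names and the audit output format are assumptions. It builds a server-side SSLContext with Python's standard `ssl` module and then checks every enabled suite against the 128-bit floor using the strength reported by OpenSSL.

```python
import ssl
from typing import List, Optional

MIN_STRENGTH_BITS = 128  # policy from the page: no suite below 128-bit symmetric keys

# OpenSSL cipher-list string for the TLS 1.2 suites we allow (ECDHE key exchange,
# AEAD ciphers only). TLS 1.3 suites are negotiated separately by OpenSSL and are
# all AEAD with >= 128-bit keys. This selection is an assumption for the example.
CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def build_server_context(certfile: Optional[str] = None,
                         keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server-side SSLContext: TLS 1.2 minimum, TLS 1.3 allowed, strong suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Refuse SSLv3 / TLS 1.0 / TLS 1.1 handshakes outright; 1.3 stays enabled.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_POLICY)
    if certfile:
        # Certificate and key paths are caller-supplied; in the page's deployment
        # the public certificate is managed by ACM/CloudFront instead.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_ciphers(ctx: ssl.SSLContext, min_bits: int = MIN_STRENGTH_BITS) -> List[str]:
    """Names of enabled suites whose effective key strength is below the policy."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of policy violations; an empty list means the context passes."""
    problems: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(
            f"minimum_version is {ctx.minimum_version.name}, policy requires TLSv1_2")
    for name in weak_ciphers(ctx):
        problems.append(f"cipher {name} is below {MIN_STRENGTH_BITS}-bit strength")
    return problems


if __name__ == "__main__":
    context = build_server_context()
    print("minimum version:", context.minimum_version.name)
    for suite in context.get_ciphers():
        print(f"{suite['name']:<32} {suite['protocol']:<8} {suite['strength_bits']} bits")
    print("violations:", audit_context(context) or "none")
```

`audit_context` is the piece worth keeping around: run it against whatever context a service actually builds (not the one you think it builds) so that a library upgrade or a copy-pasted cipher string cannot silently drop the floor below the documented policy.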
SSH: LeanDNA uses 2048-bit keys for asymmetric encryption and supports an industry-standard set of cipher suites with a minimum of 128-bit keys for symmetric encryption.
Data at rest (in S3 or AWS database volumes) is encrypted using AES with 256-bit keys. Passwords are stored securely, using the PBKDF2 function with SHA-512, a 512-bit salt value, and 4096 iterations.
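The password-storage parameters above (PBKDF2, SHA-512, 512-bit salt, 4096 iterations) map directly onto `hashlib.pbkdf2_hmac`. The example below is added for this page and is not LeanDNA's code; the record layout (`tag$iterations$salt_hex$hash_hex`), the 64-byte derived-key length and the function names are assumptions. It shows the three operations a practitioner needs: hashing with a fresh per-user salt, constant-time verification that reads the parameters back from the stored record, and a re-hash check so that the iteration count can be raised later without a migration of cleartext passwords (which the service never has).

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters as stated on the page: PBKDF2 with SHA-512, a 512-bit (64-byte)
# salt and 4096 iterations. Record layout and derived-key length are assumptions
# made for this example, not LeanDNA's actual storage format.
HASH_NAME = "sha512"
SALT_BYTES = 64          # 512-bit salt
ITERATIONS = 4096
DKLEN = 64               # derived-key length in bytes (one SHA-512 output)
RECORD_TAG = "pbkdf2_sha512"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a verifier and return it as 'tag$iterations$salt_hex$dk_hex'.

    A fresh random salt is drawn per password unless one is supplied
    (supplying a salt is only meant for deterministic tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError(f"salt must be exactly {SALT_BYTES} bytes")
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                             salt, ITERATIONS, dklen=DKLEN)
    return f"{RECORD_TAG}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key with the stored parameters and compare in constant time."""
    try:
        tag, iterations, salt_hex, dk_hex = record.split("$")
        expected = bytes.fromhex(dk_hex)
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never a match, never an exception to the caller
    if tag != RECORD_TAG:
        return False
    actual = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, rounds, dklen=len(expected))
    # compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True if the stored record uses a weaker setting than the current policy.

    Call this right after a successful verify_password(); that login is the
    only moment the cleartext is available to re-hash under the new parameters.
    """
    tag, iterations, _salt_hex, _dk_hex = record.split("$")
    return tag != RECORD_TAG or int(iterations) < min_iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("right password:", verify_password("correct horse battery staple", rec))
    print("wrong password:", verify_password("Tr0ub4dor&3", rec))
    print("needs rehash:", needs_rehash(rec))
```

Two caveats a reviewer would raise. First, 4096 iterations is low by current guidance: the OWASP Password Storage Cheat Sheet recommends on the order of 210,000 iterations for PBKDF2-HMAC-SHA512, which is exactly why `needs_rehash` exists, so the count can be raised on next login without touching the stored hashes in bulk. Second, the salt and iteration count are stored alongside the hash on purpose; neither is secret, and keeping them in the record is what lets old and new parameters coexist during a migration.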
TLS certificates visible to the end user are managed by AWS. Amazon CloudFront obtains a certificate from Amazon Certificate Manager and maintains it securely on Amazon-administered devices. Amazon handles the periodic rotation of this certificate. LeanDNA administrators cannot export the private key of this certificate.
Data at rest is encrypted by an AWS Customer-Managed Key. The key is maintained and secured by AWS Key Management Service (KMS). Files written to Amazon S3 are stored under Server-Side Encryption with KMS. Only authorized entities have the appropriate Amazon Identity and Access Management (IAM) permission to attempt to decrypt data with the key. When decryption is authorized, it is done by the server and the plaintext is returned to the client so the client has no opportunity to misuse the key or retain secret material. Similarly, Amazon Elastic Block Storage volumes that contain customer data are encrypted using an AWS KMS key. Authorized entities receive the plaintext of the block storage on read, and writes are transparently encrypted by the Amazon infrastructure. Unauthorized entities are not able to read the block device at all, even to retrieve the ciphertext, so unauthorized clients cannot perform offline attacks against the Elastic Block Storage (EBS) volume. Attempts to attach the EBS block device to an unauthorized entity fail at attachment time.
LeanDNA regularly applies security updates to all Web Applications and Data Pipeline components. Security updates are evaluated on a weekly basis at a minimum. Patches are applied to a staging environment for testing prior to being deployed to production. If LeanDNA becomes aware of a high-risk vulnerability with a valid or known exploit, the team promptly applies package updates to help maintain the security of the environment.
LeanDNA utilizes an independent third-party vendor with security expertise to periodically run vulnerability scans on the environment. In addition, automated code vulnerability scans are executed on a daily basis. Newly-discovered security vulnerabilities are assessed based on potential customer impact and available mitigations in place. Findings are ticketed and addressed by Engineering based on their severity.
LeanDNA uses a best-of-breed ticketing system and a source code management system to support robust change control processes. Code and infrastructure changes are tracked by tickets that help:
LeanDNA uses a Continuous Integration pipeline to constantly build, deploy to a test environment, and run automated tests against new code. Post-release retrospectives are performed to identify the root causes for issues that may have occurred during the release cycle. These root causes are documented as improvement tickets and addressed according to priority.
LeanDNA’s risk management process identifies the impact and likelihood of any potential risks to LeanDNA’s ability to provide reliable, safe services to its clients. A combined risk score is attached to each risk to help prioritize the mitigation process. Risks are reviewed on an annual basis. Following the review, Security Personnel creates an action plan for each item with a combined score of medium or above. The action plan is reviewed quarterly.
The review covers:
LeanDNA established a virtual team responsible for conducting these assessments and recommending mitigation actions. The findings of this team are communicated to executive management. The team is also responsible for reviewing the mitigation actions on a quarterly basis and monitoring that the planned actions are put into place in a timely manner.
LeanDNA’s vendor risk assessment review process occurs before service begins, and at a quarterly cadence for existing vendors. Security Personnel audit and decide if a vendor is a critical vendor based on predefined conditions. LeanDNA uses SaaS/Cloud vendors exclusively for services related to data handling. As such, if a vendor is deemed critical (before or after starting to use their services), a cloud-specific risk assessment shall be conducted. If a vendor cannot produce evidence that shows conformance with either SOC 2 Type II or ISO 27001, alternative vendors are evaluated. If no alternative is found, the vendor must complete the Consensus Assessments Initiative Questionnaire published by the Cloud Security Alliance. Answers are reviewed and vetted by Security Personnel.
All LeanDNA employees are required to complete Security Awareness training upon hire and annually thereafter. The Security Awareness training covers data privacy and protection, confidentiality, and social engineering. Engineering staff receive additional training on the OWASP Top 10 vulnerabilities, as well as ongoing team meetings covering security topics that are relevant to the LeanDNA Web Application and Data Pipeline. Employees must also read and acknowledge the Code of Ethics and Business Conduct Policy.
The backup process for customer data runs on a daily basis and stores encrypted backups in Amazon EC2. LeanDNA backups are replicated between multiple AWS regions, making the data accessible even in the event of an outage of an entire AWS region. LeanDNA does not back up to any physical media, and the backup process is fully automated.
LeanDNA does not own, house, or manage its own cloud infrastructure. Business critical systems are either vendor-provided, cloud-based software solutions, or internally-developed software which is hosted with high-availability cloud providers. In the event of an unexpected outage or disruption at any office location, employees are able to work remotely and continue customer support and normal business operations.
LeanDNA’s SLA document is available upon request. LeanDNA performs daily backups, so the Recovery Point Objective (RPO) is 24 hours. The Recovery Time Objective (RTO) is four hours.