Privacy and Security

Our security measures exceed industry standards for data protection and security. The full SOC 2 Type II report can be made available to customers and prospects under a non-disclosure agreement.

COMPLIANCE REPORTING

LeanDNA is SOC 2 Type II certified for the Security and Confidentiality principles. The SOC 2 report can be made available to customers and prospects under NDA. LeanDNA’s cloud provider, AWS, has multiple security certifications, including SOC 2 Type II and ISO 27001. Information about AWS compliance programs can be found here: https://aws.amazon.com/compliance/programs/. SOC 2 reports are available from AWS under NDA.

SECURITY GOVERNANCE

SECURITY TEAM

LeanDNA has designated security personnel who are responsible for executing security policies and managing security incidents. The Security Personnel are overseen by executive management.

POLICIES AND STANDARDS

LeanDNA has developed and maintains specific internal guidelines to ensure that all employees are aware of proper procedures and accountable to ensure the security of all systems and customer data. These policies have been verified by third-party auditors as part of SOC 2 compliance.

All employees are subject to disciplinary action for non-compliance with security policies up to, and including termination.

SECURITY POLICIES SET

The following are LeanDNA Security policies:

  • Acceptable Use Policy
  • Access Control Policy
  • Endpoint Protection Software Policy
  • Backup/Restore Policy, including Disaster Recovery Procedures
  • Password Policy
  • Encryption Policy
  • Change Management Policy
  • Incident Response Policy
  • Information Sensitivity Policy
  • Risk Assessment Policy
  • Vendor Risk Assessment Policy

ACCESS CONTROL AND USER MANAGEMENT

ACCESS CONTROL POLICY AND PROCEDURES

LeanDNA’s access control policy applies to employee access to LeanDNA Web Application and supporting infrastructure. The established access control processes include, but are not limited to:

  • unique user identification and authentication
  • account provisioning and de-provisioning processes
  • user credential requirements
  • the principle of least privilege
  • user access auditing

PLATFORM HARDENING

DENIAL OF SERVICE (DOS) PROTECTION

LeanDNA makes use of AWS CloudFront, AWS Route 53, and AWS Shield (Standard) to provide comprehensive DDoS protection against common DoS attacks.

AUDIT LOGGING

LeanDNA audits many different types of events. Some of these events are available to qualified prospects and customers through an administrator view in the web application, and some can be made available upon request.

MONITORING AND ALERTING

An external service regularly monitors the availability of the web application. When downtime is detected, alerts go out to on-duty staff using smartphone apps, instant messages, and emails. In addition, anomalies in LeanDNA logs are reported as email alerts to LeanDNA DevOps. Abnormal usage of AWS resources, such as low disk space or memory, generates email alerts. Active data pipeline monitoring detects and alerts our teams if customer data imports do not complete successfully and on time.

INCIDENT RESPONSE

In the event of a security incident that relates to LeanDNA customer data, Security Personnel follow a formal incident response and escalation plan. In the event of a breach affecting customer data, customers would be notified in accordance with contract terms. Customers do not have additional responsibilities for incident response unless explicitly communicated or recommended by LeanDNA Support or Security Personnel. All incidents go through Detection, Analysis, Containment, Eradication, and Recovery stages, and conclude with a formal Retrospective step.

DATA HANDLING

For questions about data privacy, refer to the Privacy Policy available on www.leandna.com.

ENCRYPTION

ENCRYPTION IN TRANSIT

All communication, even within the LeanDNA VPC in AWS, is encrypted in transit.

HTTPS: TLS 1.2 is the default; TLS 1.3 is supported. The RSA key size is 2048 bits. The minimum cipher strength is 128 bits. LeanDNA supports an industry-standard set of cipher suites, with a minimum of 128-bit keys for symmetric key encryption.

SSH: LeanDNA uses 2048-bit keys for asymmetric encryption and supports an industry-standard set of cipher suites with a minimum of 128-bit keys for symmetric encryption.

ENCRYPTION AT REST

Data at rest (in S3 or AWS database volumes) is encrypted using AES with 256-bit keys. Passwords are stored securely, using the PBKDF2 function with SHA-512, a 512-bit salt value, and 4096 iterations.
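The password-storage scheme described above (PBKDF2 with SHA-512, a 512-bit random salt, 4096 iterations), shown as an added example that is not LeanDNA's own code: the stored-record format, the 64-byte derived-key length, the `hash_password`/`verify_password`/`needs_rehash` names and the constant-time comparison are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters as stated on the page.
HASH_NAME = "sha512"
SALT_BYTES = 64          # 512-bit salt
ITERATIONS = 4096
DKLEN = 64               # assumption: 512-bit derived key (SHA-512 output size)
ALGO_TAG = f"pbkdf2_{HASH_NAME}"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a key and return a self-describing record
    'pbkdf2_sha512$<iterations>$<salt_b64>$<dk_b64>' (record format is an assumption)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per password
    if len(salt) != SALT_BYTES:
        raise ValueError(f"salt must be {SALT_BYTES} bytes")
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS, dklen=DKLEN)
    return "$".join([ALGO_TAG, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def _parse(record: str):
    algo, iters, salt_b64, dk_b64 = record.split("$")
    return algo, int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt, expected = _parse(record)
    except (ValueError, TypeError):
        return False                    # malformed record: never accept
    if algo != ALGO_TAG or iters < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iters, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record is below the current policy (algorithm, iterations, salt size)."""
    try:
        algo, iters, salt, _ = _parse(record)
    except (ValueError, TypeError):
        return True
    return algo != ALGO_TAG or iters < ITERATIONS or len(salt) < SALT_BYTES
```

Calling `needs_rehash` on each successful login lets stored records be upgraded transparently when the iteration count is raised.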

KEY MANAGEMENT

TLS KEY MANAGEMENT

TLS certificates visible to the end user are managed by AWS. Amazon CloudFront obtains a certificate from Amazon Certificate Manager and maintains it securely on Amazon-administered devices. Amazon handles the periodic rotation of this certificate. LeanDNA administrators cannot export the private key of this certificate.

ENCRYPTION KEY MANAGEMENT

Data at rest is encrypted by an AWS Customer-Managed Key. The key is maintained and secured by AWS Key Management Service (KMS). Files written to Amazon S3 are stored under Server-Side Encryption with KMS. Only authorized entities have the appropriate Amazon Identity and Access Management (IAM) permission to attempt to decrypt data with the key. When decryption is authorized, it is done by the server and the plaintext is returned to the client so the client has no opportunity to misuse the key or retain secret material. Similarly, Amazon Elastic Block Storage volumes that contain customer data are encrypted using an AWS KMS key. Authorized entities receive the plaintext of the block storage on read, and writes are transparently encrypted by the Amazon infrastructure. Unauthorized entities are not able to read the block device at all, even to retrieve the ciphertext, so unauthorized clients cannot perform offline attacks against the Elastic Block Storage (EBS) volume. Attempts to attach the EBS block device to an unauthorized entity fail at attachment time.

PATCHING AND VULNERABILITY MANAGEMENT

PATCHING

LeanDNA regularly applies security updates to all Web Applications and Data Pipeline components. Security updates are evaluated on a weekly basis at a minimum. Patches are applied to a staging environment for testing prior to being deployed to production. If LeanDNA becomes aware of a high-risk vulnerability with a valid or known exploit, the team promptly applies package updates to help maintain the security of the environment.

VULNERABILITY MANAGEMENT

LeanDNA utilizes an independent third-party vendor with security expertise to periodically run vulnerability scans on the environment. In addition, automated code vulnerability scans are executed on a daily basis. Newly-discovered security vulnerabilities are assessed based on potential customer impact and available mitigations in place. Findings are ticketed and addressed by Engineering based on their severity.

CHANGE MANAGEMENT

CHANGE MANAGEMENT POLICY AND PROCESS

LeanDNA uses a best-of-breed ticketing system and a source code management system to support robust change control processes. Code and infrastructure changes are tracked by tickets that help:

  • Define requirements
  • Break down into individual tasks
  • Authorize a task for a specific release
  • Track the progress of the task
  • Track code changes that were made for the task including peer code reviews
  • Document testing required for the related changes
  • Document the results of the testing
  • Authorize the release of the change to the production environment

LeanDNA uses a Continuous Integration pipeline to constantly build, deploy to a test environment, and run automated tests against new code. Post-release retrospectives are performed to identify the root causes for issues that may have occurred during the release cycle. These root causes are documented as improvement tickets and addressed according to priority.

RISK MANAGEMENT

RISK MANAGEMENT POLICY

LeanDNA’s risk management process identifies the impact and likelihood of any potential risks to LeanDNA’s ability to provide reliable, safe services to its clients. A combined risk score is attached to each risk to help prioritize the mitigation process. Risks are reviewed on an annual basis. Following the review, Security Personnel creates an action plan for each item with a combined score of medium or above. The action plan is reviewed quarterly.

The review covers:

  • Risks associated with personnel, e.g. accidental or malicious unauthorized data disclosure
  • Risks associated with 3rd party services
  • Risks associated with the LeanDNA website and web application – e.g. OWASP top 10 vulnerabilities
  • Risks associated with change management and product development process
  • Risks associated with compliance and oversight

LeanDNA established a virtual team responsible for conducting these assessments and recommending mitigation actions. The findings of this team are communicated to executive management. The team is also responsible for reviewing the mitigation actions on a quarterly basis and monitoring that the planned actions are put into place in a timely manner.

VENDOR AND PARTNER MANAGEMENT

LeanDNA’s vendor risk assessment review process occurs before service begins, and at a quarterly cadence for existing vendors. Security Personnel audit and decide if a vendor is a critical vendor based on predefined conditions. LeanDNA uses SaaS/Cloud vendors exclusively for services related to data handling. As such, if a vendor is deemed critical (before or after starting to use their services), a cloud-specific risk assessment shall be conducted. If a vendor cannot produce evidence that shows conformance with either SOC 2 Type II or ISO 27001, alternative vendors are evaluated. If no alternative is found, the vendor must complete the Consensus Assessments Initiative Questionnaire published by the Cloud Security Alliance. Answers are reviewed and vetted by Security Personnel.

SECURITY AWARENESS TRAINING

All LeanDNA employees are required to complete Security Awareness training upon hire and annually thereafter. The Security Awareness training covers data privacy and protection, confidentiality, and social engineering. Engineering staff receives additional training on OWASP top 10 vulnerabilities, as well as ongoing team meetings covering security topics that are relevant to the LeanDNA Web Application and Data Pipeline. Employees must also read and acknowledge the Code of Ethics and Business Conduct Policy.

BUSINESS CONTINUITY AND DISASTER RECOVERY

The backup process for customer data runs on a daily basis and stores encrypted backups in Amazon EC2. LeanDNA backups are replicated between multiple AWS regions, making the data accessible even in the event of an outage of an entire AWS region. LeanDNA does not back up to any physical media, and the backup process is fully automated.

LeanDNA does not own, house, or manage its own cloud infrastructure. Business critical systems are either vendor-provided, cloud-based software solutions, or internally-developed software which is hosted with high-availability cloud providers. In the event of an unexpected outage or disruption at any office location, employees are able to work remotely and continue customer support and normal business operations.

RTO/RPO/SLA

LeanDNA’s SLA document is available upon request. LeanDNA performs daily backups so the Recovery Point Objective (RPO) is 24 hours. The Recovery Time Objective (RTO) is four hours.
