LeaveLogic Security Overview

LeaveLogic is a Business-to-Business (B2B) Software as a Service (SaaS) technology platform that makes parental leave seamless for employees and employers. This means we need to collect some important data about employees and employers. This whitepaper outlines the controls LeaveLogic has in place to ensure this customer data remains safe and customer interactions with LeaveLogic secure.

Servers Hosted in HITRUST Certified, World Class Data Center

LeaveLogic servers are all hosted and managed in the cloud using Amazon Web Services (AWS) in a Common Security Framework (CSF) Certified Virtual Private Cloud (VPC) environment verified by the Health Information Trust Alliance (HITRUST). LeaveLogic does not administer our own routers, DNS servers, load balancers, or physical servers.

This independent, third-party certification assures organizations that the cloud computing, backup, disaster-recovery and professional services capabilities meet the highest standards for managing security risks and protecting health information. Learn more about CSF certification by HITRUST at https://hitrustalliance.net/about-us.

Data

All data is stored in the United States in multi-tenant data stores.

Access Controls

Access to servers, infrastructure, and databases is governed by access rights that are controlled, monitored, and regularly reviewed to ensure access is granted in a least privilege manner. Access to sensitive data requires two-factor authentication and/or connection via a whitelisted IP address range and all users adhere to strong password policies.

Data Protections

Data Encrypted at Rest

LeaveLogic databases are stored on encrypted AWS Elastic Block Store (EBS) volumes using AES-256 encryption. Encrypted data backups are taken regularly and redundantly stored across multiple facilities and devices within each facility. Encryption keys are stored and managed separately from the data and the data keys.

Data Encrypted in Transit

Communications with LeaveLogic servers are encrypted by default using industry standard SSL.

Credential Management

LeaveLogic follows secure credential storage best practices by salting and hashing user passwords.

Vulnerability Management

LeaveLogic and its supporting infrastructure are reviewed monthly for potentially harmful vulnerabilities. We use host-based security solutions to analyze the application and production infrastructure to ensure that any vulnerabilities are identified, prevented, and mitigated quickly including Web application vulnerabilities such as cross-site scripting (XSS), and SQL injections.

Penetration Testing

LeaveLogic engages at least annually with well-regarded third-party auditors to conduct application penetration testing and works with them to resolve potential issues.

Monitoring

LeaveLogic keeps real-time audit logs that include log in events, service calls, data access, and system changes that are inspected automatically and manually at regular intervals for potential treats and security events.

Compliance

LeaveLogic complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries.

 

Last updated: September 2017