LeaveLogic Security Overview

LeaveLogic is a Business-to-Business (B2B) Software as a Service (SaaS) technology platform that makes leave easier for employees and employers. This means we need to collect some important data about employees and employers. This whitepaper outlines the controls LeaveLogic has in place to ensure this customer data remains safe and customer interactions with LeaveLogic secure.

1. Certifications

  • Service Organization Controls (SOC2) Type 2 Trust Services Principles 
  • LeaveLogic services are hosted and managed in the cloud using Amazon Web Services (AWS) in a Common Security Framework (CSF) Certified Virtual Private Cloud (VPC) environment verified by the Health Information Trust Alliance (HITRUST). This independent, third-party certification assures organizations that the cloud computing, backup, disaster-recovery and professional services capabilities meet the highest standards for managing security risks and protecting health information. Learn more about CSF certification by HITRUST at https://hitrustalliance.net/about-hitrust/.

2. Data

All data is stored in the United States in multi-tenant data stores.

3. Access Controls

Access to servers, infrastructure, and databases is governed by access rights that are controlled, monitored, and regularly reviewed to ensure access is granted on a least-privilege basis. Access to sensitive data requires two-factor authentication and/or connection via a whitelisted IP address range, and all users adhere to strong password policies.

4. Data Protections

4.1. DATA ENCRYPTED AT REST

LeaveLogic databases are stored on encrypted AWS Elastic Block Store (EBS) volumes using AES-256 encryption. Encrypted data backups are taken regularly and redundantly stored across multiple facilities and devices within each facility. Encryption keys are stored and managed separately from the data and the data keys.

4.2. DATA ENCRYPTED IN TRANSIT

Communications with LeaveLogic servers are encrypted by default using industry standard TLS/SSL.

5. Credential Management

LeaveLogic follows secure credential storage best practices by salting and hashing user passwords.

5.1. VULNERABILITY MANAGEMENT

LeaveLogic and its supporting infrastructure are reviewed weekly for potentially harmful vulnerabilities. We use host-based security solutions to analyze the application and production infrastructure to ensure that any vulnerabilities, including web application vulnerabilities such as cross-site scripting (XSS) and SQL injection, are identified, prevented, and mitigated quickly.

6. Penetration Testing

LeaveLogic engages at least annually with well-regarded third-party auditors to conduct application penetration testing and works with them to resolve potential issues.

7. Monitoring

LeaveLogic keeps real-time audit logs that include login events, service calls, data access, and system changes. These logs are inspected automatically and manually at regular intervals for potential threats and security events.

Last updated: November 2023

Copyright © 2023, LeaveLogic, Inc. All rights reserved.