Security

​

As a software company, security is the foundation of everything we do. We invest heavily in securing both our software products and internal systems. Our security model and controls are based on international standards and industry best practices, such as ISO 27001, ISO 27018 and OWASP Top 10.

​

Infrastructure Security

• We host our systems on multiple Availability Zones at Amazon Web Services (AWS) allowing us to provide a reliable service and keep your data available whenever you need it. Another AWS region is configured as a disaster recovery site.

• AWS data centers implement physical and environmental security measures to ensure a highly resilient infrastructure. For more information about its security practices, see AWS Security.

• Our infrastructure uses Virtual Private Cloud (VPC) to isolate and segment customer environments, and Network Access Control Lists / Security Groups to control inbound and outbound traffic at the subnet and instance levels.

• Our website is protected and monitored by sucuri.net solution against malware & hack removals, Web Application Firewall (WAF), blocklist monitoring & removal, SSL support & monitoring, stop layer 3, 4, 7 DDoS attacks, Firewall Protection, High Availability/Load Balancing.

​

​

Access Control

• All access to the servers is authenticated against our Identity Provider (IdP), fully audited, and with a Multi-Factor Authentication (MFA) mechanism.

• A Role-based Access Control (RBAC) model is used to ensure appropriate permissions, based on the least privilege principle.

• Access to production assets is granted based on role and in accordance with the need-to-know and least-privileged principles.

​

​

Application Security

• Microservices architecture is utilized, and our applications are fully containerized, with Kubernetes used for orchestration; providing for high scalability and reliability.

• Infrastructure-as-code is widely used to ensure the audibility and maintainability of infrastructure resources.

• Our applications are developed according to the OWASP Top 10 framework, and all code is peer reviewed before deployment to production.

• Our development and CI/CD processes include license management, pre/post-commit checks, secrets scans, static code analysis, third-party dependencies vulnerability scans, end-to-end testing, unit testing, and malicious code scanning.

• Vulnerabilities are classified based on their risk level and mitigated according to predefined timeframes.

• Periodic security training is performed, to keep our R&D teams up-to-date with secure development best practices and tools.

​

​

Quality Assurance

• Authentication and Authorization Testing

  • Validate all authentication, user roles, and access controls are functioning securely.

​

• Session Management Testing

  • Check issues like session fixation, hijacking, expiration, and termination.

​

• Data Validation Testing

  • Test input fields to prevent injection attacks like SQL injection, XML injection, and command injection. Validate input data to ensure it meets expected formats and standards.

​

• Encryption Testing

  • Test encryption algorithms and protocols are used to protect sensitive data in transit and at rest.

  • Verify that encryption keys are securely managed and stored.

​

• Error Handling and Logging Testing

  • Evaluate how the application handles errors and exceptions to prevent information leakage.

  • Check that sensitive information is not logged or displayed in error messages.

​

• Security Configuration Testing

  • Review server and application configurations for security best practices.

  • Ensure that default settings are changed, unnecessary services are disabled, and security patches are up to date.

​

• API Security Testing

  • Test APIs for vulnerabilities such as insecure direct object references, insufficient authentication, and excessive data exposure.

  • Verify that APIs enforce proper authorization and access controls.

​

​

Data Encryption

• Data in transit is encrypted using TLS with a modern cipher suite.

• Data at rest is encrypted using AES-256. Encryption keys are managed in AWS Key Management Service.

• Credentials are hashed and salted using a secure hash function.

​

Endpoint Protection

• Endpoint Detection and Response (EDR) technology is deployed across all endpoints to ensure proactive threat detection and rapid response capabilities.

• The EDR solution provides real-time visibility into our endpoint activities, enabling swift detection and containment of suspicious behavior or potential security breaches.

• Continuous monitoring of endpoints by a Managed Security Information and Event Management (SIEM) coupled with a Security Operations Center (SOC) guarantees round-the-clock vigilance against cyber threats and ensures that security incidents are promptly identified, investigated, and remediated to minimize impact and protect sensitive data.

• Integration of EDR with Managed SIEM/SOC infrastructure enhances threat intelligence correlation, enabling advanced threat hunting and mitigation strategies.

• With 24/7 monitoring and response capabilities, we proactively defend against evolving cyber threats, providing peace of mind to our stakeholders and customers.

​

Security Audits and Penetration Tests

• Security audits are performed on an annual basis both in the application and in the infrastructure level.

• Penetration tests are performed on the final version before deployment to production environment.

• We are going through external auditing as part of the ISO certifications and other external audits.

​

Disaster Recovery and Backups

• We are consistently backup user data every X minutes.

• All backups are encrypted and distributed to various locations.

• We maintain a Disaster Recovery Plan (DRP) for dealing with disasters affecting our production environment, which includes the restoration of the service's core functionality from our dedicated DR location.

• DR testing is conducted at least yearly. DR test may be in the form of a walk-through, mock disaster, or component testing.

​

Incident Response

• Our incident response plan (IRP) sets guidelines for detecting security and privacy incidents, escalating them to the relevant personnel, communication (internal and external), mitigation, and post-mortem analysis.

• Our Incident Response Team (IRT) comprises representatives from Security, R&D, Legal, and if needed, a third-party incident response firm.

​

Security Awareness and Training

• Our employees undergo thorough information security awareness training.

• Additionally, security training is provided periodically.

​

Transparency

Transparency is the guiding force behind our security and privacy principles. We share all of our policies with our customers so that you always know how we keep your information secure and comply with local and international laws, standards, and regulations.

• Information Security Policy

• Disaster Recovery Plan Policy

​

Privacy

We are fully committed to protecting the privacy of our customers as well as the sensitive employee data that our products collect and analyze. Some key aspects of our privacy program:

• We collect only the minimum employee data necessary for our software to function effectively.

• All employee data is encrypted in transit and at rest. We use industry-standard encryption protocols and techniques.

• Access to employee data is limited only to those engineers who need it for development, testing, and troubleshooting purposes.

• Our privacy policy clearly communicates what data we collect, how it is used, how long it is retained etc.

​

​

​

Compliance and certifications

Adhering to legal, regulatory, and contractual requirements is vital for our business.

• Our RISK-HR and EmoRisk products enable customers to meet their workplace compliance obligations around employee screening and monitoring.

• We continually track privacy and employment laws across all our operating jurisdictions. Our products and policies are designed to comply.

• Our compliance program includes audits, risk assessments, and policy reviews. We have clear accountability for compliance activities.

• Logical Commander follows the international standards of ISO (International Organization for Standardization) and manages its information security, cloud service, and privacy in accordance.

• We are audited by an independent third party on an annual basis and maintain the following certificates: