Last Updated: March 14, 2018
This Security Policy (“Policy”) explains the security measures LiquidPlanner, Inc. (“LiquidPlanner”) employs to protect the content posted in private Workspaces (as such term is defined in our Terms of Service) on our website (the “Site”). As our policies and procedures may change from time to time, we reserve the right to update and modify this Policy at any time. We will post changes to this Policy on the Site and will update the revision date at the top of this Policy.
Content posted in a Workspace is designated as private. This means that users who have not been invited to join a Workspace are not allowed to see the content posted there. Only the authorized users you invite into your workspace have access to your data.
The owner of a Workspace retains control and rights over all content posted within that Workspace. They also control who is permitted to access the Workspace. If a user’s permission to access a Workspace is revoked in accordance with the procedures set forth on the Site, then such user will no longer be permitted to access the Workspace or the content posted in such Workspace.
LiquidPlanner uses AWS (Amazon Web Services) to host our application, which is delivered from SSAE16-audited data centers located in the United States.
LiquidPlanner uses RDS for the SQL database. RDS is configured with a hot replica to provide high availability. We periodically store encrypted snapshots in another geographic region for disaster recovery.
Each LiquidPlanner user has their own account and password, which is stored in a hashed format (bcrypt). Users must provide an email address and password to begin a session with LiquidPlanner.
Every request to LiquidPlanner is logged with a timestamp, user identity, and source IP address.
LiquidPlanner uses a dedicated environment for the production application. We use a firewall configured with a default deny policy and run an intrusion detection system. Only specific authorized employees have access to the production network and hosts, and all access is logged and monitored.
LiquidPlanner uses EC2 for virtual machines. We build machine images that install only the software necessary to operate the Site. Our process for provisioning and configuring EC2 virtual machines is fully automated and repeatable. We promptly apply security updates to production hosts.
LiquidPlanner uses S3 for file storage. All files are encrypted at rest. We store an encrypted copy in another geographic region for disaster recovery purposes.
All LiquidPlanner customer data is stored using Encryption at Rest.
For Encryption in Transit, browser connections to LiquidPlanner use TLS. We configure TLS to achieve an “A+” rating from Qualys SSL Labs.
LiquidPlanner routinely reviews code internally for security issues. In addition, we employ a third party to perform periodic security audits of our application.
LiquidPlanner commits to a 99.9% SLA (service level agreement) for monthly availability and plans accordingly. We maintain a high-availability configuration with built-in “hot” redundancy to handle the failure of individual components. We use automated monitoring to page on-call team members for availability issues. We publish uptime as tracked by external monitoring.
LiquidPlanner uses a version-control system to track changes to our code base. Changes to the code base go through a suite of automated tests. Additionally, code changes are reviewed by another developer. Changes are pushed to a staging server for thorough testing before being released into production.
Releases are generally deployed during a planned outage window, typically Saturday a.m., U.S. Pacific Time. Urgent changes (e.g., a security patch) may be deployed at any time as needed.
All employee laptops and workstations are centrally managed. Each machine is configured with full disk encryption, antivirus, and a firewall. Updates are regularly applied to all employee machines.
Please refer to our Terms of Service for information on how the LiquidPlanner service is delivered.
Have a concern? If you have any questions about the security of LiquidPlanner, please contact firstname.lastname@example.org or call 1-888-881-2561.