Security Policy - LiquidPlanner

SECURITY POLICY

Last Updated: August 28, 2020

This Security Policy (“Policy”) explains the security measures LiquidPlanner, Inc. (“LiquidPlanner”) employs to protect the content posted in private Workspaces (as such term is defined in our Terms of Service) on our website (the “Site”). As our policies and procedures may change from time to time, we reserve the right to update and modify this Policy at any time. We will post changes to this Policy on the Site and will update the revision date at the top of this Policy.

PHYSICAL SECURITY

LiquidPlanner offices are secured via electronic surveillance, a reception desk, keycard access. The LiquidPlanner office server room is locked and only accessible by members of the Security Team.

All employee laptops and workstations are centrally managed. Each machine is configured with full disk encryption, antivirus, and firewall. Updates are regularly applied to all employee machines.

NETWORK AND SYSTEM SECURITY

LiquidPlanner uses a dedicated environment for the production application. We use a firewall configured with a default deny policy and run an intrusion detection system. Only specific authorized employees have access to the production network and hosts, and all access is logged and monitored.

Data Center. The LiquidPlanner application is hosted with Amazon Web Services (AWS) and is delivered from SOC audited data centers from geographically distributed locations in the United States. AWS data centers comply with many assurance certifications including ISO 27001 and SOC 1/2/3. For more information on AWS Security, please visit aws.amazon.com/security. LiquidPlanner does not offer a version of our application that can be hosted on your own servers (on-premise).

Database. LiquidPlanner uses RDS for the SQL database. RDS is configured with a hot replica to provide high availability. We periodically store encrypted snapshots in another geographic region for disaster recovery.

Servers and OS. LiquidPlanner uses EC2 for virtual machines. We build machine images that install only the software necessary to operate the application. Our provisioning and configuration process of EC2 virtual machines is fully automated and repeatable. We promptly apply security updates to production hosts.

File Storage. LiquidPlanner uses S3 for file storage. All files are encrypted at rest. We store an encrypted copy in another geographic region for disaster recovery purposes.

Data Encryption. All LiquidPlanner customer data is stored using Encryption at Rest. For Encryption in Transit, browser connections to LiquidPlanner use TLS. We configure for an “A+” rating from Qualys SSL Labs.

Request Logging. Every request to LiquidPlanner is logged with a timestamp, user identity, and source IP address.

Backups. Backup jobs run automatically and are monitored by several systems. On-call engineers are alerted on failed jobs and they remediate as necessary. We perform nightly full database backups and incremental database backups on a continuous basis. We monitor for the existence of backups and test restoration on a regular basis. The backup and recovery process is regularly tested and verified.

Continuous Service Monitoring. LiquidPlanner commits to a 99.9% SLA (service level agreement) for monthly availability and plans accordingly. We maintain a high-availability configuration with built-in “hot” redundancy to handle the failure of individual components. We use automated monitoring to page on-call team members for availability issues. We publish uptime as tracked by external monitoring.

Security Audit. LiquidPlanner routinely reviews code internally for security issues. In addition, we employ a third party to perform periodic security audits of our application.

Intrusion Detection. LiquidPlanner runs a host-based Intrusion Detection System. Any alerts are reviewed by our Security Team.

External Testing. LiquidPlanner performs annual penetration tests. Our most recent report can be made available upon request.

APPLICATION

Content. Content posted in a Workspace is designated as private. This means that users who have not been invited to join a Workspace are not allowed to see the content posted there. Only the authorized users you invite into your workspace have access to your data.

Customer Access. The owner of a Workspace retains control and rights over all content posted within that Workspace. They also control who is permitted to access the Workspace. If a user’s permission to access a Workspace is revoked in accordance with the procedures set forth on the Site, then such user will no longer be permitted to access the Workspace or the content posted in such Workspace.

LiquidPlanner Staff Access. Customer workspaces are inaccessible by LiquidPlanner staff unless the customer explicitly provides access to LiquidPlanner Support. Access to the customer database by LiquidPlanner staff is gated and requires 2-factor authentication.

Two-Factor Authentication. Depending on your plan, you can use LiquidPlanner’s centrally managed Single SignOn (SSO) configuration to integrate with your corporate SSO solution. LiquidPlanner supports SAML 2.0 for SSO use with enterprise identity providers like Active Directory.

User Accounts & Passwords. LiquidPlanner follows industry standards for password safety. Users must provide an email address and password to begin a session with LiquidPlanner. Each user in LiquidPlanner has a unique account with a verified email address. Passwords are stored securely using a one-way salted hash (bcrypt).

Software Development Lifecycle. LiquidPlanner uses a version-control system to track changes to our code base. Changes to the code base go through a suite of automated tests. Additionally, code changes are reviewed by other developers. Changes are pushed to a staging environment for thorough testing before being released into production. Releases are generally rolled out using zero-downtime deployments. If an outage window is necessary, customers are notified in the application. Outage windows are typically planned for Saturday AM, U.S. Pacific Time. Urgent changes may be deployed (e.g., a security patch) at any time as needed.

PEOPLE

All LiquidPlanner employees are pre-screened, and when allowable by law, subject to background checks. Employees are held accountable to the LiquidPlanner Security Policy and Code of Ethics.

The LiquidPlanner Security Team is responsible for developing, documenting, and implementing security policies and standards. Employees are expected to abide by the security policies and are trained bi-annually on security best-practices.

PRIVACY POLICY

Personal information you provide to LiquidPlanner is governed by the LiquidPlanner Privacy Policy. For more information about how LiquidPlanner collects, uses, and shares information about users of the Sites and Hosted Services, please refer to the Privacy Policy.

TERMS OF SERVICE

Please refer to our Terms of Service for information on how the LiquidPlanner service is delivered.

LEARN MORE

Have a concern? If you have any questions about the security of LiquidPlanner, please contact sales@liquidplanner.com or call 1-888-881-2561.