Date of Last Revision: March 26, 2016
This Security Policy (“Policy”) explains the security measures LiquidPlanner, Inc. (“LiquidPlanner”) employs to protect the content posted in private Workspaces (as such term is defined in our Terms of Service) on our website (the “Site”). As our policies and procedures may change from time to time, we reserve the right to update and modify this Policy at any time. We will post changes to this Policy on the Site and will update the revision date at the top of this Policy.
Your Workspace Content Is Always Kept Private
Content posted in a Workspace is designated as private. This means that users who have not been invited to join a Workspace are not allowed to see the content posted there. Only the authorized users you invite into your Workspace have access to your data.
You Own Your Workspace Content and Control Who Has Access to It
The owner of a Workspace retains control and rights over all content posted within that Workspace. They also control who is permitted to access the Workspace. If a user’s permission to access a Workspace is revoked in accordance with the procedures set forth on the Site, then such user will no longer be permitted to access the Workspace or the content posted in such Workspace.
World-Class Datacenter and Database
LiquidPlanner uses AWS (Amazon Web Services) to host our application, which is delivered from SSAE16-audited data centers located in the United States.
LiquidPlanner uses RDS for the SQL database. RDS is configured with a hot replica to provide high availability. We periodically store encrypted snapshots in another geographic region for disaster recovery.
Each LiquidPlanner user has their own account and password, which is stored in a hashed format (bcrypt). Users must provide an email address and password to begin a session with LiquidPlanner.
Every request to LiquidPlanner is logged with a timestamp, user identity, and source IP address.
Network and System Security
LiquidPlanner uses a dedicated environment for the production application. We use a firewall configured with default deny policy, and run an intrusion detection system. Only specific authorized employees have access to the production network and hosts, and all access is logged and monitored.
Servers and OS
LiquidPlanner uses EC2 for virtual machines. We build machine images that install only the software necessary to operate the Site. Our provisioning and configuration of EC2 virtual machines is fully automated and repeatable. We promptly apply security updates to production hosts.
LiquidPlanner uses S3 for file storage. All files are encrypted at rest. We store an encrypted copy in another geographic region for disaster recovery purposes.
All LiquidPlanner customer data is stored using Encryption at Rest.
For Encryption in Transit, browser connections to LiquidPlanner use TLS. We configure for an “A+” rating from Qualys SSL Labs.
LiquidPlanner routinely reviews code internally for security issues. In addition, we employ a third party to perform periodic security audits of our application.
LiquidPlanner commits to a 99.9% SLA for monthly availability and plans accordingly. We maintain a high-availability configuration, with built-in “hot” redundancy to handle failure of individual components. We use automated monitoring to page on-call team members for availability issues. We publish uptime as tracked by external monitoring.
Software Development Lifecycle
LiquidPlanner uses a version control system to track changes to our code base. Changes to the code base go through a suite of automated tests. Additionally, code changes are reviewed by another developer. Changes are pushed to a staging server for thorough testing before being released into production.
Releases are generally deployed during a planned outage window, typically Saturday AM, US Pacific Time. Urgent changes (e.g., a security patch) may be deployed at any time as needed.
Employee Laptops and Workstations
All employee laptops and workstations are centrally managed. Each machine is configured with full disk encryption, antivirus, and firewall. Updates are regularly applied to all employee machines.
Terms of Service
Please refer to our Terms of Service for information on how the LiquidPlanner service is delivered.
Have a concern? If you have any questions about the security of LiquidPlanner, please contact firstname.lastname@example.org or call 1-888-881-2561.