Last Updated: March 2, 2022
SCOPE OF THIS SECURITY STATEMENT
This Security Statement (“Statement”) explains the security measures LiquidPlanner, Inc. (“LiquidPlanner”) employs to protect the content posted in private Organizations and Workspaces (as such terms are defined in our Terms of Service) on our website (the “Site”). As our policies and procedures may change from time to time, we reserve the right to update and modify this Statement at any time. We will post changes to this Statement on the Site and will update the revision date at the top of this Statement.
LiquidPlanner does not operate its own physical data center. AWS (Amazon Web Services) and other cloud services provide all server and network operations and equipment.
All employee laptops and workstations are centrally managed. Each machine is configured with full-disk encryption, EDR/antivirus, a Zero Trust network access client, and a host firewall. Updates are regularly applied to all employee machines.
NETWORK AND SYSTEM SECURITY
LiquidPlanner uses a dedicated environment for the production application. We use a firewall configured with a default-deny policy and run an intrusion detection system. Only specific authorized employees have access to the production network and hosts, and all access is logged and monitored.
Data Center. The LiquidPlanner application is hosted with Amazon Web Services (AWS) and is delivered from SOC-audited data centers in geographically distributed locations in the United States. AWS data centers comply with many assurance certifications, including ISO 27001 and SOC 1/2/3. For more information on AWS security, please visit aws.amazon.com/security. LiquidPlanner does not offer a version of our application that can be hosted on your own servers (on-premises).
Database. LiquidPlanner uses Amazon RDS for its SQL database. RDS is configured with a hot replica to provide high availability. We periodically store encrypted snapshots for disaster recovery.
Servers and OS. LiquidPlanner uses EC2 for virtual machines. We build machine images that install only the software necessary to operate the application. Our provisioning and configuration process of EC2 virtual machines is fully automated and repeatable. We promptly apply security updates to production hosts.
File Storage. LiquidPlanner uses Amazon S3 for file storage. All files are encrypted at rest. We store an encrypted copy for disaster recovery purposes.
Data Encryption. All LiquidPlanner customer data is encrypted at rest. For encryption in transit, browser connections to LiquidPlanner use TLS. Our TLS configuration is maintained to achieve an “A+” rating from Qualys SSL Labs.
Request Logging. Every request to LiquidPlanner is logged with a timestamp, the authenticated user identity, and the source IP address.
Backups. Backup jobs run automatically and are monitored by several systems. On-call engineers are alerted on failed jobs and remediate as necessary. We perform nightly full database backups and incremental database backups on a continuous basis. We monitor for the existence of backups, and the backup and recovery process, including restoration, is regularly tested and verified.
Continuous Service Monitoring. LiquidPlanner commits to a 99.9% SLA (service level agreement) for monthly availability and plans accordingly. We maintain a high-availability configuration with built-in “hot” redundancy to handle the failure of individual components. We use automated monitoring to page on-call team members for availability issues. We publish uptime as tracked by external monitoring.
Security Audit. LiquidPlanner routinely reviews code internally for security issues. In addition, we employ a third party to perform periodic security audits of our application.
Intrusion Detection. For certain products, LiquidPlanner runs a host-based Intrusion Detection System. Alerts are reviewed by our Security Team.
External Testing. LiquidPlanner performs annual penetration tests. Our most recent report can be made available upon request.
Content. Content posted in an Organization or Workspace is designated as private. This means that users who have not been invited to join an Organization or Workspace are not allowed to see the content posted there. Only the authorized users you invite into your Organization or Workspace have access to your data.
Customer Access. The owner of an Organization or Workspace retains control and rights over all content posted within that Organization or Workspace. They also control who is permitted to access the Organization or Workspace. If a user’s permission to access an Organization or Workspace is revoked in accordance with the procedures set forth on the Site, then such user will no longer be permitted to access the Organization or Workspace or the content posted in such Organization or Workspace.
LiquidPlanner Staff Access. Customer Organizations and Workspaces are not accessed by LiquidPlanner staff unless the customer explicitly provides access to LiquidPlanner Support. Access to the customer database by LiquidPlanner staff is gated and requires two-factor authentication.
Two-Factor Authentication and Single Sign-On. Depending on your product or plan, you can use LiquidPlanner’s centrally managed Single Sign-On (SSO) configuration to integrate with your corporate SSO solution, so that your identity provider’s authentication policies, including any two-factor requirement, govern sign-in. LiquidPlanner supports SAML 2.0 for SSO with enterprise identity providers such as Active Directory Federation Services (AD FS).
User Accounts & Passwords. LiquidPlanner follows industry standards for password safety. Users must provide an email address and password to begin a session with LiquidPlanner. Each user in LiquidPlanner has a unique account with a verified email address. Passwords are never stored in plaintext; they are stored using a one-way hash.
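The following is an added illustration of what “stored using a one-way hash” means in practice; it is not LiquidPlanner’s code, and the page does not say which hash function or parameters the service uses. It assumes PBKDF2-HMAC-SHA256 from the Python standard library with a per-user random salt and an iteration count chosen for this example only, and it shows that the stored record cannot be turned back into the password, that equal passwords produce different records, and that verification uses a constant-time comparison.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters for this example; the Statement does not state
# which hash or work factor LiquidPlanner uses.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor for this example
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table cannot be reused across the store.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DKLEN
    )
    return "$".join([ALGO, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and work factor and compare it
    in constant time. The plaintext is never recoverable from the record; a
    malformed or unrecognized record is simply rejected."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algo != ALGO or iterations < 1 or not expected:
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("wrong password", record))
```

Storing the algorithm and work factor inside the record lets the verifier check old records while new ones are written with stronger parameters; where a memory-hard function such as scrypt or Argon2id is available, it is preferable to PBKDF2.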
Software Development Lifecycle. LiquidPlanner uses a version-control system to track changes to our code base. Changes to the code base go through a suite of automated tests. Additionally, code changes are reviewed by other developers. Changes are pushed to a staging environment for thorough testing before being released into production. Releases are generally rolled out using zero-downtime deployments. If an outage window is necessary, customers are notified in the application. Urgent changes (e.g., a security patch) may be deployed at any time as needed.
All LiquidPlanner employees are pre-screened and, where allowable by law, subject to background checks. Employees are held accountable to the LiquidPlanner Security Statement and Code of Ethics.
The LiquidPlanner Security Team is responsible for developing, documenting, and implementing security policies and standards. Employees are expected to abide by the security policies and are trained on security best practices on a monthly basis.
TERMS OF SERVICE
Please refer to our Terms of Service for information on how the LiquidPlanner service is delivered.