Security

Date of Last Revision: March 26, 2016

This Security Policy (“Policy”) explains the security measures LiquidPlanner, Inc. (“LiquidPlanner”) employs to protect the content posted in private Workspaces (as such term is defined in our Terms of Service) on our website (the “Site”). As our policies and procedures may change from time to time, we reserve the right to update and modify this Policy at any time. We will post changes to this Policy on the Site and will update the revision date at the top of this Policy.

Your Workspace Content Is Always Kept Private

Content posted in a Workspace is designated as private. This means that users who have not been invited to join a Workspace are not allowed to see the content posted there. Only the authorized users you invite into your Workspace have access to your data.

You Own Your Workspace Content and Control Who Has Access to It

The owner of a Workspace retains control and rights over all content posted within that Workspace. They also control who is permitted to access the Workspace. If a user’s permission to access a Workspace is revoked in accordance with the procedures set forth on the Site, then such user will no longer be permitted to access the Workspace or the content posted in such Workspace.

World-Class Datacenter and Database

LiquidPlanner uses AWS (Amazon Web Services) to host our application, which is delivered from SSAE16-audited data centers located in the United States.

LiquidPlanner uses RDS for the SQL database. RDS is configured with a hot replica to provide high availability. We periodically store encrypted snapshots in another geographic region for disaster recovery.

User Accounts

Content posted in a Workspace is designated as private. This means that users who have not been invited to join a Workspace are not allowed to see the content posted there. Each LiquidPlanner user has their own account and password, which is stored in a hashed format (bcrypt). Users must provide an email address and password to begin a session with LiquidPlanner.

Request Logging

Every request to LiquidPlanner is logged with a timestamp, user identity, and source IP address.

Network and System Security

LiquidPlanner uses a dedicated environment for the production application. We use a firewall configured with a default-deny policy, and run an intrusion detection system. Only specific authorized employees have access to the production network and hosts, and all access is logged and monitored.

Servers and OS

LiquidPlanner uses EC2 for virtual machines. We build machine images that install only the software necessary to operate the Site. Our provisioning and configuration of EC2 virtual machines is fully automated and repeatable. We promptly apply security updates to production hosts.

File Storage

LiquidPlanner uses S3 for file storage. All files are encrypted at rest. We store an encrypted copy in another geographic region for disaster recovery purposes.

Data Encryption

All LiquidPlanner customer data is stored using Encryption at Rest.

For Encryption in Transit, browser connections to LiquidPlanner use TLS. We configure for an “A+” rating from Qualys SSL Labs.

Security Audit

LiquidPlanner routinely reviews code internally for security issues. In addition, we employ a third party to perform periodic security audits of our application.

Availability

LiquidPlanner commits to a 99.9% SLA for monthly availability and plans accordingly. We maintain a high-availability configuration, with built-in “hot” redundancy to handle failure of individual components. We use automated monitoring to page on-call team members for availability issues. We publish uptime as tracked by external monitoring.

Software Development Lifecycle

LiquidPlanner uses a version control system to track changes to our code base. Changes to the code base go through a suite of automated tests. Additionally, code changes are reviewed by another developer. Changes are pushed to a staging server for thorough testing before being released into production.

Releases are generally deployed during a planned outage window, typically Saturday AM, US Pacific Time. Urgent changes (e.g., a security patch) may be deployed at any time as needed.

Employee Laptops and Workstations

All employee laptops and workstations are centrally managed. Each machine is configured with full disk encryption, antivirus, and firewall. Updates are regularly applied to all employee machines.

Privacy Policy

Please refer to our Privacy Policy for information on how LiquidPlanner collects, uses and discloses personal information.

Terms of Service

Please refer to our Terms of Service for information on how the LiquidPlanner service is delivered.

Learn More

Have a concern? If you have any questions about the security of LiquidPlanner, please contact sales@liquidplanner.com or call 1-888-881-2561.

Security was last modified: March 28th, 2016 by liquidplanner