LogicGate Information Security Measures Overview for Third Parties

1. PURPOSE AND SCOPE

LogicGate has implemented, and will maintain, the following security measures to protect confidential information and/or Customer Data once a Customer or its end-users, including third parties, upload or otherwise input data or information into the LogicGate platform. This includes, without limitation, any information submitted in response to vendor questionnaires or online forms sent to third parties through LogicGate’s platform service (hereafter, “the LogicGate Service” or “the platform”).

The security practices set forth below apply when LogicGate processes, transmits, or stores confidential information and/or Customer Data, including during LogicGate’s provision of services through the platform and infrastructure that hosts confidential information and/or Customer Data.

2. CUSTOMER SECURITY RESPONSIBILITIES

Because the LogicGate Service is flexible, the Customer has the capability and the responsibility to determine what types of data it uploads to the LogicGate Service and stores within the platform, other than data required to use the LogicGate Service. The Customer also has the capability and responsibility to define access controls for its Authorized Users, i.e. what information Authorized Users can read or modify within the LogicGate Service. Based on these responsibilities, the Customer’s security requirements in connection with its use of the LogicGate Service are as follows:

Customer Data Responsibilities

Customer is solely responsible for the following as it relates to data Customer chooses to store within the platform:

Customer Access Responsibilities

Customer is solely responsible for the following as it relates to user access to Customer Data within the platform:

Customer General Use Responsibilities

Customer is solely responsible for ensuring the Customer and its Authorized Users, or any third parties who may obtain access to the LogicGate Service directly or indirectly through Customer, do not take the following actions as part of their general use of LogicGate’s services:

Customer is solely responsible for ensuring that Customer’s software systems and infrastructure pertaining to domain security, cyber crime, domain management, brand protection, anti-piracy, counterfeiting, anti-fraud, and/or whitelisting are kept updated so that Customer can use LogicGate’s Services in full and so that the relevant scanning, detection, and notification systems can be updated in advance to avoid service disruption for Customer. Where it is not practical or possible for the Customer to ensure such updates to Customer’s software systems or infrastructure, Customer accepts that LogicGate will use commercially reasonable efforts to provide the Services, but may not be able to provide all features or functionality otherwise enabled by the Services, and shall have no liability to the Customer for any reduction in functionality caused by Customer’s software systems or infrastructure. Customer agrees that any such reduction in functionality will not constitute a breach of this Agreement by LogicGate or entitle the Customer to benefit under the SLA, where such reduction in functionality results from the Customer not updating Customer’s software systems and infrastructure in accordance with this clause.

3. LogicGate Technical and Organizational Measures

Organization of Information Security

Security Ownership. LogicGate has appointed one or more security officers responsible for coordinating and monitoring the security rules and procedures.
Information Security Policies. LogicGate maintains a management-approved corporate information security policy, or set of information security policies, defining responsibilities and setting out LogicGate’s approach to information security, which includes physical, administrative and technical safeguards. Such policies have been published and communicated to employees, contractors, and relevant external parties.
Senior Management Commitment. LogicGate’s Information Security Manager (or designee) develops, maintains, reviews, and approves LogicGate’s security, availability, and confidentiality standards and policies.
Risk Management. LogicGate has a formal cybersecurity risk assessment and management process, which includes mitigation of identified findings. LogicGate ranks and reviews all identified risks at least annually.

Access Management

LogicGate access management program. LogicGate maintains an access management program governing LogicGate’s access to Customer Data, applicable where LogicGate maintains such access. The program is administered through an enterprise single sign-on (SSO) solution.

  • LogicGate allocates system privileges and permissions to users and groups using the principle of least privilege.
  • LogicGate limits access to Customer Data to those personnel performing under the Agreement and, to the extent technical support is needed, its personnel performing such technical support;
  • LogicGate assigns application and data rights based on user groups and roles, and grants access to information based on job function (i.e. role-based security);
  • LogicGate maintains a record of security privileges of its personnel that have access to Personal Information, networks, and network services.

Entitlement reviews

  • LogicGate requires the approval from the respective LogicGate system owner prior to adding or changing user access to its networks and systems that processes, transmits, or stores Customer Data;
  • LogicGate implements role-based security to ensure access to the application is restricted based on defined functional roles;
  • LogicGate promptly removes the application, platform and network access for terminated users upon notification of termination;
  • LogicGate promptly updates user access rights based on changes in job responsibilities;
  • LogicGate reviews access privileges to systems and corporate networks, including administrative access privileges, at a minimum on a semi-annual basis;
  • LogicGate uses separate administrative accounts to perform privileged functions and the accounts are restricted to authorized individuals.

Remote access

To access LogicGate’s production environment, the following are required:

  • Role-based privileges to access;
  • Multi-factor authentication (MFA) prior to authorization;
  • Access restricted only through an encrypted Virtual Private Network (VPN).
Authentication

LogicGate provides the following controls to manage the authentication of end-users to the platform:

  • LogicGate salts, hashes, and encrypts all passwords it stores for Customer authentication;
  • LogicGate provides SAML 2.0 compliant authentication methods to enable Customer to establish single-sign-on to the LogicGate Service.
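The password-storage bullet above names three steps (salt, hash, encrypt) but not how they fit together. The following is an added example, not LogicGate’s code, of one common arrangement: a random per-password salt, a deliberately slow hash (PBKDF2-HMAC-SHA256), and a server-held pepper applied with HMAC as a stand-in for the document’s “encrypt” step. The iteration count, the record format, and the pepper handling are assumptions for illustration, not LogicGate’s parameters.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed; OWASP's 2023 guidance is 600,000).
PBKDF2_ITERATIONS = 600_000

# Server-side "pepper" that never touches the database. In a real deployment it
# would live in a KMS or secrets manager; here it is generated per process for
# the demo. Hypothetical value, not anything used by LogicGate.
DEFAULT_PEPPER = os.urandom(32)

SCHEME = "pbkdf2-sha256"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, pepper: bytes = DEFAULT_PEPPER,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$tag."""
    salt = os.urandom(16)  # fresh random salt per password, stored alongside the tag
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Keyed step standing in for the document's "encrypt": a leaked database row
    # carries the salt but not the pepper, so it cannot be attacked offline.
    tag = hmac.new(pepper, derived, "sha256").digest()
    return f"{SCHEME}${iterations}${_b64(salt)}${_b64(tag)}"


def verify_password(password: str, record: str, pepper: bytes = DEFAULT_PEPPER) -> bool:
    """Recompute the tag from the stored parameters and compare in constant time."""
    try:
        scheme, iterations_str, salt_b64, tag_b64 = record.split("$")
        iterations = int(iterations_str)
        salt = base64.b64decode(salt_b64)
        expected_tag = base64.b64decode(tag_b64)
    except ValueError:  # wrong field count, bad integer, or bad base64
        return False     # malformed record: treat as an authentication failure
    if scheme != SCHEME:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    tag = hmac.new(pepper, derived, "sha256").digest()
    return hmac.compare_digest(tag, expected_tag)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Two details matter for the check a reviewer would make: the record stores the iteration count, so the work factor can be raised later without invalidating existing users, and the comparison uses `hmac.compare_digest` rather than `==` so that a mismatch does not leak timing information about how many bytes matched.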
Data Encryption
  • LogicGate encrypts data at rest with AES using 256-bit keys (or stronger) and data in transit with TLS 1.2 or higher;
  • LogicGate encrypts data backups with AES using 256-bit keys (or stronger).
Personnel Security

LogicGate requires the following for all employees:

  • Background check;
  • Signed Non-Disclosure/Confidentiality Agreements prior to onboarding;
  • Security training as part of their onboarding, with additional training required at a minimum annually.

Additionally, LogicGate has established policies for disciplinary action, up to and including termination, for noncompliance with security policies and procedures.

Incident Response
  • LogicGate maintains a documented and tested incident handling program, and ensures that all Security Breaches (as defined in the Agreement) are handled under LogicGate’s incident handling program.
  • LogicGate will promptly develop and implement an appropriate action plan to address and resolve any impact, vulnerabilities, and/or recommendations identified under this domain.
Business Resiliency: Business Continuity Management and Disaster Recovery

LogicGate has a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) in place to manage significant disruptions to its operations and infrastructure, which include, without limitation, the following:

  • Annual review, update, and approval of BCP and DRP plans by Management;
  • Exercises conducted to test the response to a specific incident or major change to the platform on a regular basis, but no less than annually; and

Backup Procedures

LogicGate employs backup procedures to enhance the security and integrity of the Service.

Physical & Environmental Security

Customer Data is hosted within Amazon Web Services (AWS), and the physical security of LogicGate’s services is managed by AWS under the AWS Shared Responsibility Model.
Vulnerability Management, Network Security & Monitoring

Vulnerability Management

  • LogicGate maintains a threat and vulnerability management program, which includes at a minimum regular (no less than monthly) vulnerability scans of code dependencies, containers, and server operating systems.

Network Security & Monitoring

  • Network connections to both internal and external services are controlled through the use of properly configured firewalls and other commercially reasonable methods;
  • Network intrusion detection systems (IDS) and other monitoring tools are implemented and monitored via LogicGate’s enterprise security information and event management (SIEM) pipeline.
Third-Party Certification

LogicGate shall maintain an information security certification from a firm that specializes in enterprise information security assessment and certification.