LogicGate Information Security Measures Overview for Third Parties

1. Purposes and Scope

LogicGate has implemented and will maintain the following security measures for the protection of confidential information and/or Customer Data, once a Customer or its end-users, including third parties, upload or otherwise input data or information into the LogicGate platform, including, without limitation, any information submitted in response to vendor questionnaires or online forms sent to third parties using LogicGate’s platform service (hereafter, “the LogicGate Service” or “the platform”).

The security practices set forth below apply when LogicGate processes, transmits, or stores confidential information and/or Customer Data, including during LogicGate’s provision of services through the platform and infrastructure that hosts confidential information and/or Customer Data.

2. LogicGate Technical and Organizational Measures

Domain: Organization of Information Security

Security Ownership. LogicGate has appointed one or more security officers responsible for coordinating and monitoring the security rules and procedures.

Information Security Policies. LogicGate maintains a management-approved corporate information security policy, or set of information security policies, defining responsibilities and setting out LogicGate’s approach to information security, which includes physical, administrative and technical safeguards. Such policies have been published and communicated to employees, contractors, and relevant external parties.

Senior Management Commitment. LogicGate’s Information Security Manager (or designee) develops, maintains, reviews, and approves LogicGate’s security, availability, and confidentiality standards and policies.

Risk Management. LogicGate has a formal cybersecurity risk assessment and management process which includes mitigation of any identified findings. LogicGate ranks and reviews all identified risks at a minimum annually.

Domain: Access Management

LogicGate access management program. LogicGate maintains an access management program for LogicGate’s access to Customer Data, applicable where LogicGate maintains access to Customer Data. Management of the program is facilitated through the use of an enterprise single sign-on (SSO) solution.

  • LogicGate allocates system privileges and permissions to users and groups using the principle of least privilege;
  • LogicGate limits access to Customer Data to those personnel performing under the Agreement and, to the extent technical support is needed, its personnel performing such technical support;
  • LogicGate assigns application and data rights based on user groups and roles, and grants access to information based on job function (i.e., role-based security);
  • LogicGate maintains a record of the security privileges of its personnel that have access to Personal Information, networks, and network services.

Entitlement reviews

  • LogicGate requires approval from the respective LogicGate system owner prior to adding or changing user access to its networks and systems that process, transmit, or store Customer Data;
  • LogicGate implements role-based security to ensure access to the application is restricted based on defined functional roles;
  • LogicGate promptly removes the application, platform and network access for terminated users upon notification of termination;
  • LogicGate promptly updates user access rights based on changes in job responsibilities;
  • LogicGate reviews access privileges to systems and corporate networks, including administrative access privileges, at a minimum on a semi-annual basis;
  • LogicGate uses separate administrative accounts to perform privileged functions and the accounts are restricted to authorized individuals.

Remote access
To access LogicGate’s production environment, the following are required:

  • Role-based privileges to access;
  • Multi-factor authentication (MFA) prior to authorization;
  • Access restricted only through an encrypted Virtual Private Network (VPN).

Domain: Authentication

LogicGate provides the following controls to manage the authentication of end-users to the platform:

  • LogicGate salts, hashes, and encrypts all passwords it stores for Customer authentication;
  • LogicGate provides SAML 2.0 compliant authentication methods to enable Customer to establish single-sign-on to the LogicGate Service.

Domain: Data Encryption

  • LogicGate employs 256-bit AES or higher and SSL/TLS 1.2+ encryption techniques for data at rest and in transit;
  • LogicGate provides 256-bit AES or higher encryption techniques for data backups.
Domain: Personnel Security

LogicGate requires the following for all employees:

  • Background check;
  • Signed Non-Disclosure/Confidentiality Agreements prior to onboarding;
  • Security training as part of their onboarding, with additional training required at a minimum annually.

Additionally, LogicGate has established policies for disciplinary action, up to and including termination, for noncompliance with security policies and procedures.

Domain: Incident Response

  • LogicGate maintains a documented and tested incident handling program, and ensures that all Security Breaches (as defined in the Agreement) follow LogicGate’s incident handling program.
  • LogicGate will promptly develop and implement an appropriate action plan to address and resolve any impact, vulnerabilities, and/or recommendations identified under this domain.
Domain: Business Resiliency

Business Continuity Management and Disaster Recovery

LogicGate has a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) in place to manage significant disruptions to its operations and infrastructure, which include, without limitation, the following:

  • Annual review, update, and approval of BCP and DRP plans by Management;
  • Exercises conducted to test the response to a specific incident or major change to the platform on a regular basis, but no less than annually; and

Backup Procedures

LogicGate employs backup procedures to enhance the security and integrity of the Service.

Domain: Physical & Environmental Security

Customer Data is hosted within Amazon Web Services (AWS), and the physical security of LogicGate’s services is managed by AWS as part of the AWS Shared Responsibility Model.

Domain: Vulnerability Management, Network Security & Monitoring

Vulnerability Management

  • LogicGate maintains a threat and vulnerability management program, which includes at a minimum regular (no less than monthly) vulnerability scans of code dependencies, containers, and server operating systems.

Network Security & Monitoring

  • Network connections to both internal and external services are controlled through the use of properly configured firewalls and other commercially reasonable methods;
  • Network intrusion detection system (IDS) and other monitoring tools are implemented and monitored via LogicGate’s enterprise security event and incident monitoring (SIEM) pipeline.

Domain: Third-Party Certification

LogicGate shall maintain an information security certification from a firm that specializes in enterprise information security assessment and certification.