At LogicGate, our commitment to our customers doesn’t end with our GRC automation in Risk Cloud; it extends to the data we store and manage on their behalf.
At LogicGate, we are driven not only to provide the best possible security but also to offer our current and future customers insight into our security strategies and tactics.
Our goal with this transparency is to create a dialogue that highlights our respective roles in the partnership and allows us all to become more secure as a result.
We design our systems to treat all customer data as critical, with key data protections around all data you choose to upload into Risk Cloud. These data protections include but are not limited to:
Encryption at Rest and in Transit - LogicGate encrypts all data moving between your end users and your stored data. All customer data is encrypted at rest and in transit using industry-accepted tools, standards, and best practices for the services we leverage.
Fine-grained Access Controls - LogicGate provides access controls on all records; these controls can be modified and combined so that access is tailored to your process needs, your business context, and the principle of least privilege.
Authentication - LogicGate supports SAML 2.0 for single sign-on (SSO). We are firm believers that SSO, with a centralized authentication and identity plane, is the best way to design your team’s access to all third-party platforms and services.
Cloud-Hosted Services - LogicGate’s Risk Cloud platform leverages Amazon Web Services (AWS) as our hosting provider. LogicGate utilizes AWS’s best-in-class infrastructure to ensure that your data is available and secure.
Three-Tier Architecture - All of LogicGate’s infrastructure is built behind firewalls. LogicGate has divided the platform into three layers (web, application, and data), and both internal and external access become more restricted the closer a layer sits to where your data is stored.
Application Programming Interface (API) - LogicGate’s Risk Cloud platform can enable customer and partner integrations through a secure RESTful API. These API endpoints are designed to require OAuth 2.0 authentication.
Continuous Monitoring & Incident Response
LogicGate’s Risk Cloud platform is monitored for operational performance, availability, and security events. Examples of security event types include abnormal external network interactions, platform behavior abnormalities, and internal user behavior changes. Our InfoSec and DevOps teams employ a security information and event management (SIEM) platform to help ensure that every alert we receive is assessed for security ramifications.
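The following is an added illustration of one of the event classes named above, a change in an internal user's behavior, written as a small detection that a SIEM rule might express: it flags any user who reads far more records in one hour than their own earlier hours suggest. It is example code, not LogicGate's SIEM content; the audit-log line format, the field names and the sample lines are all constructed here.

```python
"""Baseline-versus-spike detection over constructed audit log lines.

Added example for the monitoring described on this page, not LogicGate's own
detection logic. The log format (`<timestamp> user=<id> action=<name>
record=<id>`) is an assumption made for the example.
"""
import re
from collections import defaultdict
from statistics import median

# Assumed line layout: ISO-8601 timestamp, actor, action, record id.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)


def build_sample_log():
    """Constructed audit lines: alice reads a few records per hour, then 30 in one hour;
    bob reads a steady four per hour. One non-read event is included to show it is ignored."""
    lines = []
    for hour, n in [("09", 3), ("10", 2), ("11", 3), ("12", 30)]:
        for i in range(n):
            lines.append(f"2024-06-03T{hour}:{i:02d}:00Z user=alice action=record.read record=r-{hour}{i:02d}")
    for hour in ("09", "10", "11", "12"):
        for i in range(4):
            lines.append(f"2024-06-03T{hour}:{i:02d}:30Z user=bob action=record.read record=r-b{hour}{i}")
    lines.append("2024-06-03T12:05:00Z user=alice action=login record=-")
    return lines


def parse(lines):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["hour"] = event["ts"][:13]  # e.g. "2024-06-03T12"
            yield event


def hourly_reads(events):
    """Count record.read events per user per hour: {user: {hour: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "record.read":
            counts[e["user"]][e["hour"]] += 1
    return counts


def flag_spikes(counts, factor=5, floor=20):
    """Flag an hour when a user's reads exceed `factor` times the median of their
    earlier hours and also exceed the absolute `floor` (so a tiny baseline does
    not make ordinary activity look anomalous). At least two prior hours are
    required before a baseline is trusted."""
    alerts = []
    for user, per_hour in counts.items():
        hours = sorted(per_hour)
        for i, hour in enumerate(hours):
            history = [per_hour[h] for h in hours[:i]]
            if len(history) < 2:
                continue
            baseline = median(history)
            n = per_hour[hour]
            if n >= floor and n > factor * baseline:
                alerts.append({"user": user, "hour": hour, "reads": n, "baseline": baseline})
    return alerts


def detect(lines):
    """Full pipeline: parse lines, count reads, return the list of alerts."""
    return flag_spikes(hourly_reads(parse(lines)))


if __name__ == "__main__":
    for a in detect(build_sample_log()):
        print(f"ALERT user={a['user']} hour={a['hour']} reads={a['reads']} baseline={a['baseline']}")
```

The thresholds (`factor`, `floor`) are tuning knobs; in practice the baseline window would span days rather than the same morning, and the alert would carry the record ids so an analyst can judge whether the access was legitimate.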
If a suspected incident is identified, our incident response team has an established plan to investigate and address the situation. Key aspects of our incident response plan include:
Critical Escalation Team - For any potential critical incident (e.g., impact to customer data), our Critical Escalation Team ensures, from the top down, that our communication to impacted customers and our next steps are quick, direct, and timely.
Customer Point of Contact - During a potential critical incident, LogicGate will give you a single point of contact to work with, so that your team is able to get the information it requires to verify the incident or take appropriate action on your data.
Incident Response Testing - Our team periodically runs “dry runs” to ensure that every team member has established, tested procedures for their role if a critical incident were to occur.
Response into Recovery - Our team will work with customers, as well as internally, to move from response triage into recovery, adjusting any controls on both sides to prevent future incidents.
Vulnerability Management & Testing
We understand that the threat landscape is constantly evolving. To ensure that we are evaluating these ever-changing threats, we have established the following methods to identify and remediate risks in our platform:
Vulnerability Disclosure - We appreciate and encourage independent researchers to contact us to report potential vulnerabilities identified in any of LogicGate’s services. If you believe you have discovered a security vulnerability, please share this information via our Vulnerability Disclosure Program.
Vulnerability Scanning - As part of our CI/CD pipeline, LogicGate scans servers, containers, and dependencies for known vulnerabilities. Our pipeline automatically rejects any new vulnerabilities it finds. These vulnerabilities then go through our vulnerability management process to be either remediated or risk-accepted before the change goes into production.
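The gate behavior just described, rejecting a change on any new finding unless it has been remediated or formally risk-accepted, is shown below as an added example. It is not LogicGate's pipeline code; the scan report layout, the risk-acceptance register, the advisory ids (placeholders, not real identifiers) and the dates are all constructed for the illustration. The one design point worth noticing is that an acceptance is scoped to a specific advisory and package and carries an expiry, so a lapsed acceptance makes the finding block the build again.

```python
"""CI dependency-scan gate: block the change on any finding that is neither
remediated nor covered by an unexpired risk acceptance.

Added example of the pipeline behaviour described on this page, not LogicGate's
own tooling. Report shape, register shape, advisory ids and dates are constructed.
"""
from datetime import date

# Constructed scan output in a generic shape (package, version, advisory, severity).
# The advisory ids are placeholders.
SCAN_REPORT = [
    {"package": "libexample", "version": "1.2.3", "advisory": "ADV-PLACEHOLDER-1", "severity": "high"},
    {"package": "widgetlib",  "version": "0.9.0", "advisory": "ADV-PLACEHOLDER-2", "severity": "medium"},
    {"package": "toolkit",    "version": "4.0.1", "advisory": "ADV-PLACEHOLDER-3", "severity": "low"},
]

# Constructed risk-acceptance register. Each acceptance names the advisory and the
# package it was granted for, the owner, and an expiry date; the third entry has
# already lapsed, so its finding must block the build again.
RISK_ACCEPTANCES = [
    {"advisory": "ADV-PLACEHOLDER-2", "package": "widgetlib", "owner": "appsec", "expires": date(2099, 1, 1)},
    {"advisory": "ADV-PLACEHOLDER-3", "package": "toolkit",   "owner": "appsec", "expires": date(2000, 1, 1)},
]

# Fixed "today" so the example is reproducible; a real gate would use date.today().
EXAMPLE_TODAY = date(2024, 6, 1)


def accepted(finding, register, today):
    """True only if an unexpired acceptance covers this exact (advisory, package) pair."""
    return any(
        a["advisory"] == finding["advisory"]
        and a["package"] == finding["package"]
        and a["expires"] >= today
        for a in register
    )


def evaluate_scan(report, register, today=None):
    """Split findings into (blocking, accepted_findings).

    Severity is carried through for the report but never downgrades the decision:
    the gate rejects any new vulnerability that lacks a valid acceptance.
    """
    today = today or date.today()
    blocking, accepted_findings = [], []
    for finding in report:
        if accepted(finding, register, today):
            accepted_findings.append(finding)
        else:
            blocking.append(finding)
    return blocking, accepted_findings


def gate(report, register, today=None):
    """CI exit status: 0 lets the change proceed, 1 rejects it."""
    blocking, _ = evaluate_scan(report, register, today)
    return 1 if blocking else 0


if __name__ == "__main__":
    blocking, ok = evaluate_scan(SCAN_REPORT, RISK_ACCEPTANCES, today=EXAMPLE_TODAY)
    for f in blocking:
        print(f"REJECT {f['package']} {f['version']}: {f['advisory']} ({f['severity']})")
    for f in ok:
        print(f"accepted-risk {f['package']} {f['version']}: {f['advisory']}")
    raise SystemExit(gate(SCAN_REPORT, RISK_ACCEPTANCES, today=EXAMPLE_TODAY))
```

Run as a pipeline step, the non-zero exit status is what stops the change from reaching production; the printed lines are what an engineer sees when deciding whether to remediate or to request an acceptance.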
Code Scanning - The platform’s custom code is scanned for OWASP vulnerability classes and other code flaws before being pushed into the production environment.
Third-Party Penetration Testing - LogicGate leverages third parties to periodically assess our platform for vulnerabilities.
Automated Testing - In addition to code scanning, our development team has developed automated tests that must pass before new features or platform updates are deployed into the production environment.
Data Privacy & Compliance
LogicGate seeks to align our security controls with our various privacy and compliance requirements so that you can effectively manage your data and implement controls to meet your compliance needs.
Additionally, LogicGate is itself a primary user of our own platform, leveraging it to drive our operational processes and to meet our compliance and certification goals.
Privacy - LogicGate complies with applicable data privacy laws, including GDPR, and is Privacy Shield certified. LogicGate treats our customers’ platform data as confidential, and we never sell your platform data. Our platform privacy controls and more information on how your data is handled can be found on our Privacy Page.
Security Certification and Framework - LogicGate is SOC 2 Type II Certified. We have designed our enterprise and platform security framework using the NIST Cybersecurity Framework as a baseline for information security governance.
Background checks - All LogicGate employees undergo background checks as a condition of hire and sign written confidentiality agreements, agreeing to maintain the confidentiality of any customer data they may access while providing the platform service to customers.
Security Awareness Training - All LogicGate employees are required to undergo and participate in information security training during onboarding, and receive additional security training annually, with periodic updates as needed throughout the year.
LogicGate and Third-Party Access - Access to our customers’ Risk Cloud platform and data is aligned to least privilege. In other words, employees may only access customer data or environments if and when needed to enable and support customers’ use of the platform. We do not provide subcontractors access to customer data.
Special Data - LogicGate does not require the use of sensitive or special categories of data that are subject to third-party legal or regulatory requirements (Special Data). Any such requirements surrounding the input or use of Special Data in the LogicGate platform are the sole responsibility of the LogicGate user. However, LogicGate treats all data submitted into the platform by customers as confidential and employs the same high level of security rigor, regardless of whether or not it is considered sensitive.