General Compliance Program Protocols
LivePinch is built on a secured program with a commitment to compliance with all laws, regulations, and ethical standards. We screen and background-check new hires and require adherence to our security standards. LivePinch provides its employees with the tools they need to meet these requirements in a secured environment. As the regulatory landscape continues to change, all employees comply with the letter, as well as the spirit, of all laws, regulations, and policies affecting business operations. LivePinch’s security program includes:
- Compliance with all applicable corporate and departmental policies and procedures. Corporate policies cover a gamut of privacy, security, and general compliance topics, while departmental policies and procedural guidance documents are unique to individual groups within LivePinch. We formalize, record, and implement policies with regular reviews and updates based on regulatory and operational changes. Employees and other relevant parties must acknowledge that they understand, and agree to abide by, all policies and standards.
- LivePinch provides mandatory training to employees. Training is either assigned based on job function or position, as defined by an employee’s immediate supervisor, or rolled out company-wide by the security and compliance team. Mandatory training includes online and one-on-one training sessions about the safe handling of data and secure usage of systems.
To secure sensitive data assets, LivePinch employs several authentication and authorization controls to prevent unauthorized access.
- Authentication – LivePinch requires a unique user ID for each employee to gain access to its systems. Employees may use only their own accounts to access the LivePinch environment. Upon hire, LivePinch assigns a unique user ID to every employee and grants the set of privileges appropriate to the employee’s role. When an employee’s employment ends, we disable that employee’s user ID and the account’s access to the LivePinch network. Our systems enforce standard password policies for LivePinch network access, including password expiration, restrictions on reuse, and sufficient password complexity. Where applicable, LivePinch employs and enforces the use of two-factor authentication, including for access to production environments and resources. Third-party and non-essential application sign-on also uses two-factor authentication.
- Authorization – LivePinch grants access rights according to employee job function and role, adhering to the principles of ‘least privilege’ and ‘need to know’ based on defined responsibilities. LivePinch grants only a limited set of default permissions to company resources, such as an employee’s mailbox and the intranet. LivePinch grants employees access to additional resources only on the basis of their specific job duties. Data or system managers, or other executives as described in LivePinch’s security policy, must approve requests for additional resources, and only after the access request procedure has been followed. LivePinch logs administrative access to all production systems and data. LivePinch’s Information Security team then reviews these logs on an as-needed basis.
Data Asset Management
LivePinch’s data assets, which comprise customers’ Personally Identifiable Information as well as corporate data, are governed by LivePinch’s security policies and procedures. All LivePinch personnel handling data assets must comply with LivePinch’s policies and procedures, which are drafted to align with several regulations, including the General Data Protection Regulation (“GDPR”). Each layer of the LivePinch application and storage stack requires authentication and authorization for requests coming from other components. We use X.509 certificates for service-to-service authentication and for production environment access. Issuance of X.509 certificates is, in turn, guarded by multi-factor authentication. All connections to production environments pass through Virtual Private Network (“VPN”) proxies; these proxies provide AES 256-bit encryption as well as centralized auditing of connections to production environments.
When a storage device (physical or virtual) reaches the end of its useful life, LivePinch initiates a decommissioning process to prevent any exposure of customer data. LivePinch uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed following standard industry practices.
Monitoring and Auditing
LivePinch’s compliance monitoring and auditing program analyzes the policies and procedural guidance used by departments through interviews, observations, reviews, and checks of adherence to the procedures described above. Through our monitoring and auditing efforts, LivePinch ensures that we train our employees adequately to carry out our external and internal goals while adhering to all required laws, regulations, and guidance documents.
LivePinch’s security monitoring program analyzes information gathered from internal network traffic and employee actions on systems. LivePinch inspects internet traffic on the internal and production networks for suspicious behavior, to detect traffic originating from malicious software or botnets. LivePinch performs this analysis using a combination of open source and commercial tools.
LivePinch utilizes multiple layers of defense (defense-in-depth) to help protect its virtual network from external attacks. Only authorized services and protocols that meet LivePinch’s security requirements are permitted to traverse the corporate and production networks. LivePinch’s network security strategy comprises the following components:
- Network segregation using industry-standard firewalls and access control technologies.
- Management of network firewall and access control rules that utilize change management and peer review.
- Access to networked devices restricted to authorized personnel.
- Routing of all external traffic through custom front-end proxies to help detect and stop malicious traffic.
- Services that use Hypertext Transfer Protocol Secure (HTTPS) for more secure browser connections.
Physical and Environmental Security
LivePinch utilizes Hetzner for its infrastructure hosting needs. As a result, physical security is maintained and enforced by hetzner.com. Please refer to the following link to learn more about their data protection policy:
Hetzner’s Data Privacy
LivePinch’s Information Security team bears the responsibility for managing vulnerabilities in a timely manner. The LivePinch Network team scans for security threats using commercially developed tools, automated and manual penetration testing, software security reviews, and external audits. The Information Security team is responsible for tracking and following up on detected vulnerabilities.
Trust and Assurance
LivePinch’s Trust and Assurance Program encompasses transparency, due diligence, and accuracy in alignment with SOC 2 and GDPR governance.
- Regulatory Compliance – LivePinch approaches its data processing commitments globally, as many of our customers have a global presence. We offer a Data Processing Addendum to support compliance with regulations such as the General Data Protection Regulation (“GDPR”). If your organization is subject to GDPR, our compliance team can help you opt into the Data Processing Addendum.
- Data Privacy – LivePinch’s customers own their data, not LivePinch. The data that LivePinch’s customers add to the LivePinch Network is theirs; as part of LivePinch’s privacy commitments, we do not access customer data for advertising, nor do we sell or share it with third parties. Additionally, when customers terminate their relationship with LivePinch, we commit to deleting their data from our systems. Finally, our customers can easily administer their data using our Application Programming Interface (“API”), which eases data portability without additional fees.
- SSAE-16 SOC 2 – LivePinch’s customers can expect independent verification of our security, privacy, and compliance controls. As part of our assurance program, we undergo an independent third-party audit regularly. The independent auditor examines our governance program, virtual infrastructure, and operations to certify compliance with the audit standards and common criteria described in SSAE-16 SOC 2.