SECURITY BULLET POINTS
- Platform is hosted on Amazon Web Services (AWS) in the US; hosting in an EU region is available as an option.
- Data is hot-replicated (copied to a standby in real time). Because replication also propagates deletions and corruption, daily snapshots and SQL dumps are taken as point-in-time backups.
- Sensitive data (PII) is additionally encrypted at the field level in the database.
- ALL data is encrypted in transit: TLS 1.2 or higher for web traffic, SFTP for file transfers.
- ALL data is encrypted at rest using AWS KMS-managed keys.
- Databases are not directly reachable from the Internet; data is accessed only through the application UI.
- Server software is patched on a quarterly cycle.
- Urgent security patches are applied as needed, typically within 24 hours of release.
- Hosted in a LAMP (Linux/Apache/MySQL/PHP) environment, so Windows-specific vulnerabilities do not apply; the Linux, Apache, MySQL and PHP components are covered by the patching schedule above.
- Vulnerability scans and penetration tests are performed monthly by a third-party provider.
- 99.9% uptime SLA, measured over a monthly interval.
- Uptime is monitored by Pingdom (third party): http://uptime.sassieshop.com
- Risk assessments are performed internally every year.
- Login and password forms are protected by rate limiting and IP blocking (to stop scripted brute-force and credential-stuffing attempts) and carry CSRF tokens.
- GDPR and CCPA compliant.
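The following is an added illustration of the kind of login control named in the bullet above (per-IP and per-account rate limiting with a temporary lockout, plus a session-bound CSRF token). It is example code written for this page, not LiveShopper's or Sassie's implementation, and the thresholds (5 failures in 5 minutes, 15-minute lockout), the session ID, IP addresses and the sample account are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Assumed thresholds for the example; a real deployment tunes these to its traffic.
MAX_ATTEMPTS = 5        # failures allowed inside the window before lockout
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long a locked key (IP or account) stays blocked


class LoginGuard:
    """Rate limiting, IP/account lockout and CSRF checks for a login form."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret                 # server-side key for CSRF token MACs
        self._now = now                       # injectable clock, for testing
        self._attempts = defaultdict(deque)   # key -> timestamps of recent failures
        self._blocked_until = {}              # key -> time at which lockout expires

    # --- CSRF: token is bound to the session so it cannot be replayed elsewhere ---
    def issue_csrf_token(self, session_id: str) -> str:
        nonce = secrets.token_hex(16)
        mac = hmac.new(self._secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
        return f"{nonce}.{mac}"

    def verify_csrf_token(self, session_id: str, token: str) -> bool:
        try:
            nonce, mac = token.split(".", 1)
        except ValueError:
            return False
        expected = hmac.new(self._secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, expected)   # constant-time comparison

    # --- Rate limiting: one counter per source IP and one per target account ---
    def _recent_failures(self, key: str, now: float) -> deque:
        q = self._attempts[key]
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        return q

    def is_blocked(self, key: str) -> bool:
        now = self._now()
        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                return True
            del self._blocked_until[key]         # lockout expired: start counting afresh
            self._attempts.pop(key, None)
        return False

    def record_failure(self, key: str) -> None:
        now = self._now()
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= MAX_ATTEMPTS:
            self._blocked_until[key] = now + LOCKOUT_SECONDS

    def attempt_login(self, session_id, csrf_token, ip, username, password, check_password) -> str:
        """Return 'csrf_rejected', 'rate_limited', 'invalid_credentials' or 'ok'."""
        if not self.verify_csrf_token(session_id, csrf_token):
            return "csrf_rejected"               # rejected before any password work
        keys = (f"ip:{ip}", f"user:{username}")
        if any(self.is_blocked(k) for k in keys):
            return "rate_limited"                # same response whether IP or account is locked
        if check_password(username, password):
            self._attempts.pop(f"user:{username}", None)  # reset the account counter only
            return "ok"
        for k in keys:
            self.record_failure(k)
        return "invalid_credentials"


def demo() -> list:
    """Scripted attack sequence on constructed data; returns the outcome of each attempt."""
    clock = [1_000.0]
    guard = LoginGuard(b"constructed-demo-secret", now=lambda: clock[0])
    users = {"alice": "correct horse battery staple"}          # constructed sample account
    check = lambda user, pw: users.get(user) == pw
    sid, ip = "session-abc", "203.0.113.10"                      # constructed session and IP
    token = guard.issue_csrf_token(sid)
    outcomes = [guard.attempt_login(sid, "forged-token", ip, "alice", users["alice"], check)]
    outcomes += [guard.attempt_login(sid, token, ip, "alice", "wrong", check) for _ in range(MAX_ATTEMPTS)]
    outcomes.append(guard.attempt_login(sid, token, ip, "alice", users["alice"], check))          # locked
    outcomes.append(guard.attempt_login(sid, token, "198.51.100.7", "alice", users["alice"], check))  # new IP, account still locked
    clock[0] += LOCKOUT_SECONDS + 1
    outcomes.append(guard.attempt_login(sid, token, ip, "alice", users["alice"], check))          # lockout expired
    return outcomes
```

The per-account counter is what stops a distributed credential-stuffing run that rotates source IPs, while the per-IP counter catches password spraying of many accounts from one host; the CSRF check runs first so a forged cross-site submission never consumes a password-check cycle or a rate-limit slot.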
SECURITY STATEMENT
LiveShopper underscores its commitment to data security and operational resilience by maintaining ISO 27001 certification and a SOC 2 Type 2 attestation, both of which carry stringent requirements for disaster recovery policies. ISO 27001 is an internationally recognized information security management standard that requires organizations to systematically examine and mitigate risks to information security: to identify potential threats, assess vulnerabilities, and implement controls that defend against them. A critical component is our Disaster Recovery (DR) policy, which outlines how we ensure business continuity in the face of an unforeseen catastrophe. LiveShopper ensures this through rigorous risk assessments, in which we identify critical business functions and the resources necessary to maintain them, and define roles and responsibilities in the event of a disaster. Our DR plan undergoes regular testing and review, keeping it aligned with industry best practices and ensuring its effectiveness in restoring crucial services swiftly and securely.
Further bolstering our data protection framework, LiveShopper's SOC 2 Type 2 attestation provides assurance over the operational effectiveness of its controls related to security, availability, processing integrity, confidentiality, and privacy. This includes a thorough evaluation of LiveShopper's disaster recovery protocols over a specified period. A SOC 2 Type 2 report requires not only that robust policies and procedures are documented but also that their operational effectiveness is demonstrated through evidence of regular testing and incident response. By maintaining this attestation, LiveShopper shows that its DR plan is not just theoretical but is actively verified and enhanced over time.
The scope and mission of our DR plan are as follows: this Business Continuity and Disaster Recovery Plan guides our company in the event of a significant business disaster or other disruption to normal service. LiveShopper must respond to business disasters and disruptions by safeguarding employees' lives and company assets, making a financial and operational assessment, securing data, and quickly recovering operations. This plan applies to all our assets utilized by employees and contractors acting on behalf of LiveShopper or accessing our applications, infrastructure, systems, or data. All employees and contractors are required to read, accept, and follow all of LiveShopper's policies and plans. Mission-critical services and systems include critical production systems required for immediate recovery, services affecting the engineering team's ability to support production operations and product development, and the ability to support our customers. All essential data is stored remotely on AWS (EC2) with proper backup and redundancy processes in place. LiveShopper's network availability SLA is 99.9%, and LiveShopper consistently meets or exceeds that number. This is tracked by a third party at http://uptime.sassieshop.com/711992.
LiveShopper's Recovery Time Objective (RTO) for the application is sixty minutes: service is to be restored within an hour of a disaster. The Recovery Point Objective (RPO) for the data is ninety minutes: after recovery, no more than the last ninety minutes of data changes may be lost.
If you need the current Security Documents and Scans for the Sassie system, please see the following articles for detailed documentation: