Data & Security
As a cloud service, the security of your data is our top priority. Based on the legal framework of the European General Data Protection Regulation (EU GDPR) as well as common standards and guidelines such as ISO/IEC 27001, we have implemented and continue to develop technical and organizational measures to ensure secure processing of information.
Some of the most important measures are explained below. In addition to these, we have implemented further safeguards on which we provide further information if required.
Hosting
Our application is hosted on servers provided by Amazon Web Services in its European data centers. It provides best-in-class security infrastructure, takes care of back-ups, logging, auditing and other infrastructure-related services.
We leverage all capabilities including physical security and environmental controls to secure our infrastructure from physical threat or impact.
Each site is staffed 24/7/365 with on-site physical security to protect against unauthorized entry.
Amazon Web Services is constantly auditing its services and has approved to be compliant with the following standards, among others:
- ISO 27001
- ISO 27017
- ISO 27018
- SOC 2
- SOC 3
Passwords & SSO
Your passwords are always encrypted (hashed, with salts) and never saved in plain text. When a user tries to log in, her password is encrypted in the same way and the platform compares the encrypted versions to check if they match. This also means that we cannot recover a password for you (we only hold the encrypted version) and you have to reset your password in case you lose it. For additional security, we enforce a minimum password length when a user signs up.
If your company uses Google, Okta, Active Directory or other SSO providers you can also sign in via a secure connection. In that case, your passwords are not stored on our servers at all. Instead, your users are redirected to a page where they authenticate Localyze as a trusted service and a token gets generated which we can use to identify your users. You can revoke that token at any time via your identity provider account settings.
Encryption & Pseudonymisation
Localyze is compliant with the latest security standards for data transmission. All communication between your users and our servers is encrypted via TLS (Transport Layer Security). SSL is an industry standard which establishes an encrypted link between a web server and a browser.
Additionally, we employ encryption-at-rest to encrypt all data in our database with the industry-standard AES-256 algorithm. This means that your data is encrypted before and after accessing the database and never lies there in plain text.
Procedure for Verifying Security
We have implemented a security policy that allows us to track, manage and improve the security of our software over time. Additionally to on-demand penetration testing, we made automated penetration testing and vulnerability scans part of our whole delivery circle. This way we can ensure compliance with various standards, among others:ISO/IEC 27001 and OWASP Top Ten.
Additionally to this black-box approach, we also deployed an In-App Web Application Firewall (WAF) as well as Runtime Application Self-protection (RASP) for interactive application security testing.
The In-App WAF is a protection layer that operates as a firewall from inside the app using its full context to narrowly apply the most efficient set of inspection rules to incoming traffic.
The RASP is a protection layer that works from within the app's own runtime environment to detect anomalies and protect our app against real-time attacks.