We have compiled a list of common security questions below in the event our security whitepaper does not answer all of your questions.
What are the secure methods of transmission of data between the Customer and Vendor systems and/or personnel?
HTTPS, using TLS 1.2
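A customer who wants to verify that claim rather than take it on trust can do so from the client side: build a TLS context that refuses anything older than TLS 1.2 and record what the server actually negotiates. The script below is an added example, not Lookback's code; the host name in the `__main__` block is an assumption used only for illustration, and only `check_server()` needs network access.

```python
"""Client-side check of a 'HTTPS with TLS 1.2' transport claim.

Added example, not the vendor's code. Enforces TLS >= 1.2 with full
certificate and host-name validation, and reports the negotiated
protocol and cipher suite of a live server.
"""
import re
import socket
import ssl

MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Matches the strings returned by SSLSocket.version(), e.g. "TLSv1.2".
# "SSLv3" and anything unrecognised deliberately do not match.
_TLS_RE = re.compile(r"^TLSv(\d+)(?:\.(\d+))?$")


def make_client_context() -> ssl.SSLContext:
    """Client context that rejects SSLv3/TLS 1.0/TLS 1.1 at handshake time
    instead of silently negotiating down to them."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname on
    ctx.minimum_version = MIN_VERSION
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True if the context both validates certificates/host names and
    refuses protocol versions below TLS 1.2."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= MIN_VERSION
    )


def tls_version_tuple(name: str):
    """'TLSv1.2' -> (1, 2); 'TLSv1' -> (1, 0); non-TLS or unknown -> None."""
    m = _TLS_RE.match(name)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))


def version_is_acceptable(name: str) -> bool:
    """Accept TLS 1.2 and newer only (so TLS 1.3 and any future TLS 1.x pass)."""
    version = tls_version_tuple(name)
    return version is not None and version >= (1, 2)


def check_server(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and report what was negotiated.
    Raises ssl.SSLError if the server cannot meet TLS 1.2 or fails
    certificate validation. Requires network access."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
            cipher_name, _protocol, bits = tls.cipher()
            return {
                "version": version,
                "cipher": cipher_name,
                "bits": bits,
                "acceptable": version_is_acceptable(version),
            }


if __name__ == "__main__":
    # Host name is an assumption for illustration only.
    print(check_server("help.lookback.io"))
```

A server that meets the stated claim will report `TLSv1.2` or `TLSv1.3` here; one that still accepts TLS 1.0 or 1.1 is not caught by this client-side check, since the hardened context never offers those versions, so a separate probe that explicitly offers only the old versions is needed to confirm they are disabled server-side.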
In what format or medium does your organization store confidential information?
On hard drives only. We don't use removable media.
Has your company ever experienced a security breach involving client data?
Does Lookback perform internal penetration tests to avoid potential security threats?
Yes, we proactively complete penetration testing (annually, at the minimum) and run continuous processes to identify and test for potential vulnerabilities.
Will you need access to a customer's network and/or systems?
Does your organization use Unencrypted FTP?
Does your organization use Unencrypted HTTP?
Is encryption used for all data in storage?
Do you have policies to ensure your internal network is properly maintained (i.e. vulnerability and patch management)?
Does your Company Solution(s) or Service(s) require usage, transmission, storage or processing of any PHI (Personal Health Information), PII (Personally Identifiable Information), PCI (Payment Card Industry) or other personal data (collectively, “Data”)?
Yes, only PII (Personally Identifiable Information); see the GDPR FAQ here for a list of what is collected.
PHI and PCI data are not collected.
Will your Company disclose Data in any form to a third party (including but not limited to summarized or de-identified data)?
Where is data being hosted?
US and Ireland
Is there a SOC report for the hosting data center that can be shared?
Yes, please refer to this.
Can the Customer manage user access to your software through Role Based Access Controls (RBAC)?
Does the software allow the Customer to restrict access via Single Sign On (SAML 2.0)?
Yes, on our Enterprise plan. See here.
Is password transmission and storage encrypted?
Do you have a formal Change Management process i.e. DEV -> TEST -> PRD & User Acceptance Testing (UAT)?
Is the Customer allowed to review, test, and accept changes prior to deployment?
Are log files protected from unauthorized alteration?
Will Lookback perform a system scan with specific software (Tenable, etc.) for a customer, or allow them to do so?
Do you have a security policy?
Yes, it is based on ISO 27001. Lookback's security policy is:
- published internally and available for reference and use
- approved by senior management
- reviewed (at least) annually
Does your organization have a CISO?
Yes, they are responsible for ensuring compliance with security policies.
Are all constituents required, upon hire, to sign a Code of Ethics or any agreement(s) that require non-disclosure and preservation of confidentiality?
Do you verify employees' identities?
Do you perform background checks on your employees who have access to client data?
Do all employees sign NDAs or Confidentiality agreements?
Does your internal network have 2 Factor Authentication (2FA) for remote access?
Does your organization have a formal asset return policy governing all company-owned assets from either terminated constituents or constituents who change status?
Yes. It is clearly documented, approved, published, communicated and implemented.
Communications and Operations Security
Do you have a formal change management process?
We use process management tools, and our systems are well isolated and operated by a small group of people. We hold daily meetings where changes are discussed and reviewed before they are made, to avoid conflicting code changes.
Does your organization require code reviews and approvals of all new or modified applications prior to implementation?
We always code review security-related changes and changes to critical systems. Minor changes do not require code reviews, though they typically still occur.
Do all workstations have anti malware software?
Do all servers have anti malware software? If yes, does it do live scanning and/or periodic scans?
Yes, the software performs periodic scans.
Do you backup customer data that runs periodically, is it stored separately and is restoration tested regularly?
Our database is backed up daily. Recording files are not backed up; we rely on the redundancy of AWS S3.
Are all network and system devices configured so that system errors and security events are logged?
Are all network and system devices configured so that logs are protected from alteration by users?
Are all network and server devices and workstations (that process, store or view customer data) built according to a standard configuration process; and are these devices periodically reviewed for deviations to the standard configuration?
Are all servers, workstations, applications, and/or network devices (that process, store or view customer data) patched on a regular basis?
Is your wireless network physically or logically (via VLAN or firewall) segregated from any of your networks where customer data is processed or stored?
Do you enter into Data Processing Agreements?
Yes, only for Enterprise customers.
Are you compliant with GDPR?
Yes, see https://help.lookback.io/security-and-privacy/is-lookback-compliant-with-gdpr for further details.
Is Lookback HIPAA compliant?
There is not a need at this time to be HIPAA (Health Insurance Portability and Accountability Act) compliant and we do not have plans to become compliant. If that changes, we'll be sure to keep you updated.
If your particular security questions are not answered by this Q&A, feel free to reach out to us: firstname.lastname@example.org