We have compiled a list of common security questions below in the event our security whitepaper does not answer all of your questions.

General Security

What are the secure methods of transmission of data between the Customer and Vendor systems and/or personnel?
HTTPS, using TLS 1.2

In what format or medium does your organization store confidential information?
On hard drives only. We don't use removable media.

Has your company ever experienced a security breach involving client data?
No

Does Lookback perform internal penetration tests to avoid potential security threats? Yes, we proactively complete penetration testing (annually, at the minimum) and run continuous processes to identify and test for potential vulnerabilities.

Will you need to access to a customer's network and/or systems?
No

Does your organization use Unencrypted FTP?
No 

Does your organization use Unencrypted HTTP?
No

Is encryption used for all data in storage?
Yes

Do you have policies to ensure your internal network is properly maintained (i.e. vulnerability and patch management)?
Yes

Does your Company Solution(s) or Service(s) require usage, transmission, storage or processing of any PHI (Personal Health Information), PII (Personally Identifiable Information), PCI (Payment Card Industry) or other personal data (collectively, “Data”)?
Yes, only PII (Personally Identifiable Information) - see GDPR FAQ here for a list of what is collected. 

PHI or PCI is not collected.

Will your Company disclose Data in any form to a third party (including but not limited to summarized or de-identified data)?
Yes

Where is data being hosted?
US and Ireland

Is there a SOC report for the hosting data center that can be shared?
Yes, please refer to this

Application Security

Can the Customer manage user access to your software through Role Based Access Controls (RBAC)?
Yes 

Does the software allow the Customer to restrict access via Single Sign On (SAML 2.0)?
Yes, on our Enterprise plan. See here.

Is password transmission and storage encrypted?
Yes

Do you have a formal Change Management process i.e. DEV -> TEST -> PRD & User Acceptance Testing (UAT)?
Yes

Is the Customer allowed to review, test, and accept changes prior to deployment?
No

Are log files protected from unauthorized alteration?
Yes

Will Lookback perform a system scan with specific software (tenable, etc.) for a customer, or allow them to do so?
No 

Security Policy

Do you have a security policy?
Yes, it is based on ISO 27001. Lookback's security policy is: 

  • published internally and available for reference and use
  • approved by senior management
  • reviewed (at least) annually

Organizational Security

Does your organization have a CISO?
Yes, they are responsible for ensuring compliance with security policies.

Employee Security

Are all constituents required, upon hire, to sign a Code of Ethics or any agreement(s) that require non-disclosure and preservation of confidentiality?
Yes

Do you verify employees' identities?
Yes

Do you perform background checks on your employees who have access to client data?
Yes

Do all employees sign NDAs or Confidentiality agreements?
Yes

Does your internal network have 2 Factor Authentication (2FA) for remote access?
Yes

Does your organization have a formal asset return policy governing all company-owned assets from either terminated constituents or constituents who change status?
Yes. It is clearly documented, approved, published, communicated and implemented.

Communications and Operations Security

Do you have a formal change management process?
We use process management tools and our systems are well isolated and operated by a small group of people. We do have daily meetings where changes are discussed and reviewed prior to being modified to avoid code change conflict.

Does your organization require code reviews and approvals of all new or modified applications prior to implementation?
We always code review security related changes and changes for critical systems. Minor changes do not require code reviews though they typically still occur.

Do all workstations have anti malware software?
Yes

Do all servers have anti malware software? If yes, does it do live scanning and/or periodic scans?
Yes, the software performs periodic scans

Do you backup customer data that runs periodically, is it stored separately and is restoration tested regularly?
Our database is backed up daily. Files from recordings are not backed up, we rely on AWS S3's redundancy

Are all network and system devices configured so that system errors and security events are logged?
Yes

Are all network and system devices configured so that logs are protected from alteration by users?
Yes

Are all network and server devices and workstations (that process, store or view customer data) built according to a standard configuration process; and are these devices periodically reviewed for deviations to the standard configuration?
Yes

Are all servers, workstations, applications, and/or network devices (that process, store or view customer data) patched on a regular basis?
Yes

Is your wireless network physically or logically (via VLAN or firewall) segregated from any of your networks where customer data is processed or stored?
Yes

Do you enter into Data Processing Agreements?
Yes, only for Enterprise customers

Are you compliant with GDPR?
Yes, see https://help.lookback.io/security-and-privacy/is-lookback-compliant-with-gdpr for further details.

Is Lookback HIPAA compliant?
There is not a need at this time to be HIPAA (Health Insurance Portability and Accountability Act) compliant and we do not have plans to become compliant. If that changes, we'll be sure to keep you updated. 


If your particular security questions are not answered by this Q&A feel free to reach out to us: support@lookback.io

Did this answer your question?