Our Commitment to Security


At LogicGate, our commitment to our customers doesn’t end with our GRC automation in Risk Cloud®; it extends to the data we store and manage on their behalf.

We are driven to provide the best possible security and to offer our current and future customers insight into our security strategies and tactics. We strive to create a dialogue with our customers that highlights our respective roles in securing their data, offers transparency, and ultimately helps make all of us more secure.

Data Protection

We design our systems to treat all customer data as critical, with key data protections around all of the data you choose to upload into Risk Cloud. These data protections include but are not limited to: 

  • Encryption at Rest and in Transit. LogicGate encrypts all traffic between your end users and your data. Customer data is encrypted at rest and in transit using industry-accepted tools, standards, and best practices for the services we leverage.
  • Fine-Grained Access Controls. LogicGate provides access controls to ensure access is tailored to your process needs, business context, and least privilege.
  • Authentication. LogicGate supports the use of SAML 2.0 for single sign-on (SSO). We are firm believers that SSO and a centralized authentication and identity plan is the best way to design your team’s access to all third-party platforms and services.
  • Cloud-Hosted Services. LogicGate’s Risk Cloud platform leverages Amazon Web Services (AWS) as our hosting provider. LogicGate utilizes AWS’s best-in-class infrastructure to ensure that your data is available and secure.
  • Three-Tier Architecture. All of LogicGate’s infrastructure is built behind firewalls. LogicGate has divided the platform into three layers (web, application, and data) and aligned both internal and external access to them, with access becoming more restricted the closer a layer is to where your data is stored.
  • Application Programming Interface (API). LogicGate’s Risk Cloud platform can enable customer and partner interfaces through a secure RESTful API. These API endpoints are designed to require OAuth 2.0 authentication.

Continuous Monitoring & Incident Response

LogicGate’s Risk Cloud platform is monitored for operational performance, availability, and security events. Examples of the types of security events include abnormal external network interactions, platform behavior abnormalities, and internal user behavior changes. Our InfoSec and DevOps teams employ a security information and event management (SIEM) platform to triage the alerts we receive and confirm that none of them carries security ramifications.

If a suspected incident is identified, our incident response team has an established plan to investigate and address the situation. Key aspects of our incident response plan include:

  • Critical Escalation Team. For any potential critical incident (e.g., impact on customer data), our Critical Escalation Team will ensure that from the top down, our communication to impacted customers and next steps are quick, direct, and timely.
  • Customer Point of Contact. During a potential critical incident, LogicGate will give you a single point of contact to ensure that your team can get the information you require to verify or take appropriate action on your data.
  • Incident Response Testing. Our team periodically conducts “dry runs” to ensure that each team member has established, tested procedures for their role should a critical incident occur.
  • Response To Recovery. Our team works both internally and with customers to move from response triage into recovery, adjusting controls on the internal and external sides as needed to prevent future incidents.

Vulnerability Management & Testing

We understand that the threat landscape is constantly evolving. To ensure that we are evaluating these ever-changing threats, we have established the following methods to identify and remediate risks in our platform:

  • Vulnerability Disclosure. We appreciate and encourage independent researchers to contact us to report potential vulnerabilities identified in any of LogicGate’s services. If you believe you have discovered a security vulnerability, please share this information via our Vulnerability Disclosure Program.
  • Vulnerability Scanning. As part of our CI/CD pipeline, LogicGate scans servers, containers, and dependencies for known vulnerabilities. The pipeline automatically rejects a change when it introduces new vulnerabilities. Those vulnerabilities then go through our vulnerability management process to be either remediated or risk-accepted before the change goes into production.
  • Code Scanning. The platform’s custom code is scanned to identify OWASP vulnerabilities and other code flaws before being pushed into the production environment.
  • Third-Party Penetration Testing. LogicGate leverages third parties to periodically assess our platform for vulnerabilities, including an ongoing “bug bounty” program through Bugcrowd.
  • Automated Testing. In addition to code scanning, our development team automatically tests new features or platform updates prior to deployment into production.

Data Privacy & Compliance

LogicGate seeks to align our security controls with our various privacy and compliance requirements to ensure you can effectively manage your data and implement controls to meet your compliance needs.

Additionally, we are ourselves a principal user of our platform, leveraging it to drive our operational processes and meet our compliance and certification goals.

  • Privacy. LogicGate complies with applicable data privacy laws, including GDPR. LogicGate treats our customers’ platform data as confidential, and it is never sold. More information on our platform privacy controls and how your data is handled can be found in our Privacy Policy.
  • Background Checks. All LogicGate employees sign written confidentiality agreements, agreeing to maintain the confidentiality of any customer data they may access when providing the platform service to customers, and undergo background checks as a condition of their hire.
  • Security Awareness Training. All LogicGate employees are required to undergo and participate in information security training during onboarding, and receive additional security training annually, with periodic updates as needed throughout the year.
  • LogicGate and Third-Party Access. Access to our customers’ Risk Cloud platform and data is aligned to least privilege. In other words, employees may only access customer data or environments if and when needed to enable and support customers’ use of the platform. We do not provide subcontractors access to customer data.
  • Special Data. LogicGate does not require the use of sensitive or special data categories subject to third-party legal or regulatory requirements (Special Data). Any such requirements surrounding the input or use of Special Data in the LogicGate platform are the sole responsibility of the LogicGate user. However, LogicGate treats all data submitted into the platform by customers as confidential and employs the same high level of security rigor — regardless of whether or not it is considered sensitive.
