Security Practices

Platform controls

• Architecture and data segregation

The LayerFive services are operated on a multi-tenant architecture at both the platform and infrastructure layers, designed to segregate and restrict access to the data. The architecture provides logical data separation for each customer via a unique ID and can also provide physical separation.

• Public cloud infrastructure

The LayerFive services are hosted over the Internet on a ‘Public Cloud,’ which are computing services offered by third-party providers to anyone who wants to use or purchase them. Like all cloud services, a public cloud service runs on remote servers that a provider manages.

• Audits

Internal personnel and external security tools/firms assess the security of the LayerFive services. These tools/firms perform audits periodically to verify that our security practices are sound and monitor the LayerFive services for new vulnerabilities discovered by the security research community.

• Security controls

LayerFive will implement and maintain appropriate technical and organizational measures to protect your Customer Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of or access to the Customer’s data that is processed or transmitted through the LayerFive services. The LayerFive services have several security controls, including but not limited to:

• Access logging. Detailed access logs are available 
• Access management. Administrators can remotely terminate all connections and sign out all devices authenticated to the LayerFive services at any time, on demand.
• Network protection. In addition to sophisticated system monitoring and logging, we have implemented two-factor authentication for all server access across our production environment. Firewalls are configured according to industry best practices using AWS security groups.
• Product security practices. The security team facilitates a security review process for new features, significant functionality, and design changes. In addition, our code is audited with automated static analysis software, tested, and manually peer reviewed prior to being deployed to production. 
• Team-wide two-factor authentication. Team administrators can require all users to set up two-factor authentication on their accounts. 

• Reliability, backup, and business continuity

We understand that you rely on the LayerFive services to work. We’re committed to making the LayerFive services a highly available service that you can rely on. Our infrastructure runs on fault-tolerant systems for failures of individual servers or even entire data centers. Our operations team tests disaster-recovery measures regularly and has a 24-hour on-call team to resolve unexpected incidents quickly. Industry-standard best practices for reliability and backup helped to shape the design of the LayerFive services. LayerFive performs regular backups, facilitates rollbacks of software and system changes when necessary, and replicates data as needed. Where possible, LayerFive will assist the Customer with data recovery for Major Catastrophic Events, as limited by data residency requirements of the locality and capabilities within the region. ‘Major Catastrophic Event’ means three broad types of occurrences: (1) natural events such as floods, hurricanes, tornadoes, earthquakes and epidemics; (2) technological events such as failures of systems and structures such as pipeline explosions, transportation accidents, utility disruptions, dam failures and accidental hazardous material releases; and (3) human-caused events such as active assailant attacks, chemical or biological attacks, cyberattacks against data or infrastructure, and sabotage. Major Catastrophic Events do not include bugs, operational issues, or other common software-related errors.

We have well-tested backup and restoration procedures that allow recovery from a major disaster. Customer Data and our source code are automatically backed up every night. The operations team is alerted in the event of a system failure. Backups are fully tested every 90 days to confirm that our processes and tools work as expected.

• Data at rest

LayerFive will store Customer Data at rest within certain major geographic areas except as otherwise provided in your order form.

• Confidentiality

We place strict controls over our employees’ access to Customer Data. The operation of the LayerFive services requires that some employees have access to the systems that store and process Customer Data. For example, to diagnose a problem that you are having with the LayerFive services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies to ensure that access to Customer Data is logged.

All our employees and contract personnel are bound by our policies regarding customer data, and we treat these issues as matters of the highest importance within our company.

• Personnel practices

LayerFive conducts background checks on all employees before employment. Employees receive privacy and security training during onboarding and on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of the LayerFive services.

Infrastructure

LayerFive uses infrastructure provided by Amazon Web Services, Inc. (‘AWS’) to host or process Customer Data submitted to the LayerFive services. Information about security provided by AWS is available from the AWS Security website.

Security Policies

Our security practices are guided by the following security policies:

1. Risk Governance Policy

Purpose:

Identify, assess, and manage risks to LayerFive’s information assets and business operations.

Scope:

Applies to all employees, contractors, and third-party vendors.

Policy:

• Regularly conduct risk assessments to identify potential threats.
• Implement controls to mitigate identified risks.
• Monitor and review the effectiveness of risk management activities.
• Maintain a risk register documenting identified risks and mitigation strategies.

2. Acceptable Use Policy

Purpose:

To outline the acceptable use of LayerFive’s IT resources to protect the company and its clients from risks, including data breaches, cyber-attacks, and inappropriate use.

Scope:

Applies to all users of LayerFive’s IT resources.

Policy:

• IT resources should be used for business purposes only.
• Prohibited activities include unauthorized access, malicious software distribution, and confidential information sharing.
• Users must follow guidelines for secure internet usage and email practices.

3. Data Classification Policy

Purpose:

To classify and manage data based on its level of sensitivity and importance.

Scope:

Applies to all data handled by LayerFive.

Policy:

• Classify data: Public, Internal, Confidential, and Restricted.
• Apply appropriate security controls based on the data classification.
• Regularly review data classifications and update as necessary.

4. Data Deletion Policy

Purpose:

To ensure the secure and complete deletion of data that is no longer required.

Scope:

Applies to all data stored on LayerFive’s systems and by third-party vendors.

Policy:

• Data should be deleted per data retention schedules.
• Use secure deletion methods to ensure data cannot be recovered.
• Maintain records of data deletions for compliance purposes.

5. Disaster Recovery Policy

Purpose:

To ensure the continuity of LayerFive’s operations in the event of a disaster.

Scope:

Applies to all critical business functions and IT systems.

Policy:

• Develop and maintain a disaster recovery plan.
• Regularly test the disaster recovery plan to ensure effectiveness.
• Identify critical systems and data that require priority recovery.
• Establish recovery time objectives (RTO) and recovery point objectives (RPO).

6. Incident Response Policy

Purpose:

To provide a structured approach for responding to security incidents.

Scope:

Applies to all security incidents involving LayerFive’s IT resources.

Policy:

• Define roles and responsibilities for incident response.
• Establish procedures for identifying, reporting, and responding to incidents.
• Document and analyze incidents to improve response efforts.
• Communicate incidents to affected parties as required.

7. Information Security Policy

Purpose:

To protect LayerFive’s information assets from unauthorized access, disclosure, alteration, and destruction.

Scope:

Applies to all employees, contractors, and third-party vendors.

Policy:

• Implement security controls such as firewalls, encryption, and access controls.
• Conduct regular security training for employees.
• Monitor and audit IT systems for security compliance.
• Regularly update security policies to address new threats.

8. Password Policy

Purpose:

To establish requirements for creating, managing, and protecting passwords.

Scope:

Applies to all accounts and systems within LayerFive.

Policy:

• Require strong passwords (minimum length, complexity requirements).
• Implement multi-factor authentication where possible.
• Enforce regular password changes.
• Prohibit the sharing of passwords and use of the same password across multiple systems.

9. Logical Access Control Policy

Purpose:

To ensure that access to LayerFive’s information systems is granted based on business needs and user roles.

Scope:

Applies to all users and systems requiring access to LayerFive’s resources.

Policy:

• Implement role-based access controls.
• Regularly review and update access permissions.
• Enforce the principle of least privilege.
• Use automated tools for access management and monitoring.