Information Security Exhibit
Our Legal office is at your service. Here you can find legal documents regarding the usability of our website and our products.
LutinX.com Information Security Exhibit
June 14, 2022
LutinX has agreed to employ appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Client Data (“Information Security Program”) and against accidental loss or destruction of, or damage to, Client Data. LutinX’s Information Security Program shall include specific security requirements for its personnel and all subcontractors, LutinX, or agents who have access to Client Data (“Data Personnel”). LutinX’s security requirements shall cover the below areas.
1. Information Security Policies and Standards. LutinX will maintain information security policies, standards and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Client Data. These policies, standards, and procedures shall be designed and implemented to:
- Prevent unauthorized persons from gaining physical access to Client Data;
- Prevent Client Data from being used without authorization;
- Ensure that Data Personnel gain access only to such Client Data as they are entitled to access and that, in the course of Processing or use and after storage, Client Data cannot be read, copied, modified or deleted without authorization;
- Ensure that Client Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the recipients of any transfer of Client Data by means of data transmission facilities can be established and verified;
- Ensure the establishment of an audit trail to document whether and by whom Client Data has been entered into, modified in, or removed from Client Data Processing;
- Ensure that Client Data is Processed solely in accordance with Client’s Instructions;
- Ensure that Client Data is protected against accidental destruction or loss;
- Ensure that Client Data collected for different purposes can be Processed separately;
- Ensure that Client Data maintained or processed for different customers is Processed in logically separate locations;
- Ensure that all systems that Process Client Data are subject to a secure software developmental lifecycle; and
- Ensure that all systems that Process Client Data are the subject of a vulnerability management program that includes without limitation internal and external vulnerability scanning with risk rating findings and formal remediation plans to address any identified vulnerabilities.
2. Physical Security
- Physical Access Controls. The LutinX Services are hosted in a datacenter located at nondescript facilities owned and operated by a third-party hosting provider (the “Facilities”). Physical barrier controls are used to prevent unauthorized entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation or validation by human security personnel. Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.
- Limited Employee and Contractor Access. LutinX’s hosting provider provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to them, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of LutinX’s hosting provider or its Affiliates.
- Physical Security Protections. All access points are maintained in a secured state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. LutinX’s hosting provider also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the All physical access to the Facilities by employees and contractors is logged and routinely audited.
3. Organizational Security. LutinX will maintain information security policies and procedures addressing:
- Data Disposal. Procedures for when media are to be disposed or reused have been implemented to prevent any subsequent retrieval of any Client Data stored on media before they are withdrawn from the LutinX’s inventory or control.
- Data Minimization.Procedures for when media are to leave the premises at which the files are located as a result of maintenance operations have been implemented to prevent undue retrieval of Client Data stored on media.
- Data Classification.Policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for all employees have been implemented and are maintained.
- Incident Response.All Client Data security incidents are managed in accordance with appropriate incident response procedures.
- Encryption.All Client Data is stored and transmitted using industry standard encryption mechanisms and strong cipher suites, such as AES-512.
4. Network Security. LutinX System is hosted in a datacenter located at nondescript facilities owned and operated by a third-party hosting provider. LutinX does not maintain an internal network. The LutinX engineering team makes use of industry standard virtual private networks (“VPN”) to manage infrastructure resources and access the LutinX System.
5. Access Control (Governance)
- LutinX governs access to information systems that Process Client Data.
- LutinX System is hosted in a datacenter located at nondescript facilities owned and operated by a third-party hosting provider. LutinX does not maintain an internal network. The LutinX engineering team makes use of industry standard virtual private networks (“VPN”) to manage infrastructure resources and access the LutinX System.
- Only authorized LutinX staff can grant, modify or revoke access to an information system that Processes Client Data.
- User administration procedures are used by LutinX to: (i) define user roles and their privileges; (ii) govern how access is granted, changed, and terminated; (iii) address appropriate segregation of duties; and (iv) define the requirements and mechanisms for logging/monitoring.
- All Data Personnel are assigned unique User IDs.
- Access rights are implemented adhering to the “least privilege” approach.
- LutinX implements commercially reasonable physical and technical safeguards to create and protect passwords.
6. Virus and Malware Controls. LutinX protects Client Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Client Data.
- LutinX has implemented and maintains a security awareness program to train all employees about their security obligations. This program includes training about data classification obligations, physical security controls, security practices, and security incident reporting.
- LutinX has clearly defined roles and responsibilities for employees.
- Prospective employees are screened, including background checks for Data Personnel or individuals supporting Client’s technical environment or infrastructure, before employment and the terms and conditions of employment are applied appropriately.
- Data Personnel strictly follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
- LutinX shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may Process Client Data.
8. Business Continuity. LutinX implements disaster recovery and business resumption plans. Business continuity plans are tested and updated regularly to ensure that they are up to date and effective.