Security

Last updated on December 12, 2022

Our security controls are described below for your convenience, and are also posted and updated from time to time on our website here:   https://localiq.com/legal/security-policy/

LOCALiQ uses a multi-layered approach to protect personal data.  We exercise appropriate security controls and measures to manage and protect personal data in LocaliQ’s possession from unauthorized or unlawful access, use, alteration, disclosure, distribution, loss, destruction or damage.  Our security program is based on a proactive approach and has made investments in people, processes, and technologies. 

Our security program includes:

• Use of Security Orchestration Automation & Response (SOAR) technology to automate security monitoring, alerting, and response capabilities.
• Security Information & Event Management (SIEM) platform 
• Automated, continuous vulnerability scanning using threat intelligence to identify high-risk exploitable vulnerabilities.
• Background checks for all personnel
• Third party pen testing to identify security risks.

• Multi-Factor Authentication (MFA), VPN access, and strong password controls are required for remote administrative access to systems.
• Access Control Lists (ACLs) prevent unauthorized network access.
• Firewalls are configured to deny all network connections and only allow authorized connections by default.
• Customer provided credentials are securely vaulted, and encrypted at rest (AES-256) and in transit (TLS 1.2 and above)
• User passwords are hashed following industry best practices and are encrypted at rest. 
• Role-based access controls ensure that access is restricted to authorized users.
• Access requests and authorizations are logged to review, investigate, and resolve issues.

< /ul>

• Next-Gen Anti-Virus/Anti-Malware (NGAV) with behavioral threat detection 
• Endpoint Detection and Response (EDR) capabilities
• Mobile Device Management (MDM) controls deployed on mobile devices
• Cloud Security Posture Management (CSPM) technology for continuous, automated monitoring of cloud infrastructure for misconfigurations and risky configurations 

• Mandatory security awareness training for all personnel upon hire, and on an annual basis
• Communications to all personnel on security tips and how to report suspicious or unusual activity.
• Scheduled email phishing campaigns to help personnel identify suspicious emails. 
• Specialized training based on role, such as Security Analyst or Developer

• Up-to-date incident response plans are reviewed and updated at least annually.
• Corporate Cybersecurity Incident Response Team (CIRT) provides 24x7x365 coverage to respond quickly to all types of security events.
• Incident response retainers with leading breach response and law firms if needed.

• Change management control and documentation. 
• Peer review practices of source code
• Source code Application Security Testing (SAST) scanning to detect security vulnerabilities in the code base for our most modern apps and services.  
• Next-gen Web Application Firewalls (WAF) for additional real-time protection to meet the most stringent PCI DSS requirements as a Level 1 merchant.
• Agile practices incorporating security updates into releases.

• Use of geographic diverse data centers and leading cloud providers (Amazon Web Services & Google Cloud Platform) 
• Data centers use N+1 UPS and power systems and alternate cooling systems.