Security, Privacy and Control

Limelight Software
Security Compliance

• Limelight has organized its Information Systems Security policies and practices to comply with ISO: 27002:2013 and SOC Type 2 standards, best practices, and recommendations 
• External IT Security consultants regularly perform audits on Security Practices and Policies 
• Limelight Staff is continually trained on the IT Security policies and best practices 

Cloud Infrastructure
Security

• Limelight Software has established a formal Access Policy that strictly access to the Cloud resources
• Limelight Software administrative access to Cloud resources is protected by a combined mandatory two-factor and SSH PKI authentication system and limited to senior technical staff
• Employees access rights are reviewed periodically through a formal process
• Changes to the organization, business processes, information processing facilities, and systems that affect information security in the production environment and financial systems are controlled. All significant changes to in-scope systems are documented and go through a formal approval process
• Regular vulnerability scans and penetration tests are performed to ensure that the infrastructure is securely configured
• Substantial defense systems are in place to protect our services against the broad array of cyber threats. Firewalls block unwanted connections. All customer access to the application is via secure encrypted HTTPS / TLS 1.2 connections.
• Development and staging environments are strictly segregated from production SaaS environments
• Confidential production customer data is not used outside of the Production environment and is governed by a formal Limelight Software Privacy Policy
• Cloud infrastructure is continuously monitored for resources utilization as well as any authorized access attempts. Specific steps are outlined in the formal Incident Management Policy

Client Data
and Backups

• Client data is encrypted at rest and in transit
• At rest, the client data is encrypted by the AES-256 algorithm (including backups)
• Encryption keys are managed by AWS KMS (key management system) in compliance with FIPS 140-2 standards
• In transit, the client data is encrypted by various secure transmission protocols (HTTPS, SFTP, TLS 1.2, SSH)
• Client data is backup daily and can be recovered at the client request
• Client backups are stored on AWS Block Storage system with 99.99% availability and 99.999999999% durability

Application
Security

• Windows Active Directory controls employee network access
• Limelight employees do not have administrative privileges on their laptops
• Employee laptops are encrypted through the Group Policies
• Group Policies strictly enforce password policies
• Hardware and software firewalls protect internal IT resources
• All servers and laptops are patched regularly according to a formal Pathing Policy Patching Policy
• Critical Servers backup daily

Application
Access Control

• Username and password are required to access the application
• Federated access is supported (SAML, 0Auth2.0, Azure, Google, Okta, etc.)
• MFA is supported via AWS Cognito, or client provided service
• User access rights are role-based inside Limelight SaaS

Application Logs

• Application logs retain user logon information, including actions takes by the user
• Application logs are kept for 7 days
• Application logs are protected and encrypted
• User passwords are never exposed in plain text in the logs

Application
Development Security

• Only authorized people have access to the source code
• Source code is regularly reviewed for known vulnerabilities using security methodologies from OWASP, SANS, CWE
• Source code is continuously scanned for known vulnerabilities as part of the Software Development Life Cycle
• Application is tested in the QA environment before release to the Production using detailed testing plans