As a leading product licensing and monetization suite, LicenseSpring is deeply embedded in both the products and the business workflows of our customers. Given the trust placed in us by each customer that selects the LicenseSpring service, we treat security and data privacy not merely as a requisite of our service but as a constant priority in our internal processes and decision making. Below is a summary of some of the measures we take to maintain an appropriately robust security posture.
Kraken Systems Ltd., the R&D centre developing and maintaining the LicenseSpring service, has held ISO certification continuously since January 2020. The certificates can be viewed here: ISO27001 and ISO9001.
The process of obtaining ISO27001 has enabled us to implement policies and controls that ensure the security, confidentiality, integrity and availability of the LicenseSpring service. ISO9001 enabled us to develop and implement a structured approach to managing the quality of our products, increasing our velocity and reducing waste and inefficiencies in our development processes. Recertifying for both demonstrates our commitment to these security and quality standards and to continuous improvement; it also keeps our development procedures aligned with changing regulatory requirements and with industry best practices.
We maintain and periodically update an Information Security Policy as well as a patch management policy, each of which is reviewed at least once a year. We organize penetration testing conducted by a trusted third-party provider on critical parts of the LicenseSpring service at least once every calendar year and remediate any findings, with priority set according to severity level. Internally, as part of our CI/CD process, we also conduct vulnerability scans using third-party services and remediate any findings on the same severity-based priority. Our Operations team is responsible for overseeing all security functions.
To stay informed on current information security threats, risks, vulnerabilities and trends, we follow industry sources and standards, including guidance from CVE, ExploitDB, the OWASP Top 10 and MITRE ATT&CK framework updates; we also follow GitLab, Snyk and NIST best practices.
All employees must go through security awareness training as part of their orientation as well as at least once per calendar year.
We strictly adhere to least-privilege access principles. Separation of duties is enforced through automated Identity and Access Management, which lets us control access to all internal systems and tooling through SSO. We use Role-Based Access Control (RBAC) with Multi-Factor Authentication (MFA) enforced via SSO, making access straightforward to provision and revoke.
Logs are reviewed daily as part of routine Operations tasks. We log and monitor all systems that make up the SaaS environment, including but not limited to the following:
Logs are stored and retained for a defined period of time and are protected from unauthorized modification and deletion.
Any change to a production system or baseline configuration is first validated as having passed our QA process. We use a modern ticketing system to log and track all change requests.
Our Changelogs are published here:
We perform background checks on all employees, contractors and other individuals prior to granting access to any systems, networks or physical data center facilities. These include police reports and extended background checks for new hires. Vendors and suppliers are not given access to the SaaS infrastructure, network or physical data center facilities.
All sensitive data within the LicenseSpring SaaS infrastructure is encrypted at rest with AES-256 (at the time of this writing). In transit, HTTPS is enforced.
Encryption keys are securely stored and managed by a Key Management System (KMS).
We have a comprehensive data loss prevention strategy in place, which is periodically tested.
We have a formalized business continuity plan in place which has been approved by management and is reviewed and updated at least once every calendar year. Full backups are taken several times a day, supplemented by differential backups, enabling Point-in-Time Recovery (PITR). Backup restoration is tested frequently.
We make best efforts to provide 99.99% uptime on our API, with a 99.9% SLA for all customers as described in our standard service level agreement. A premium SLA is offered to enterprise customers.
We sanitize data input to manage the risk of SQL injection.
We perform vulnerability scans on the web application monthly to detect application vulnerabilities. Secure development principles are built into our development lifecycle. Every vulnerability goes through triage to determine our risk exposure and its remediation priority.
We install patches that address security vulnerabilities on systems based on criticality. We strive to adhere to the following timelines:
We conduct External Penetration testing on critical parts of our infrastructure at least once every calendar year. Internal vulnerability assessments are part of our CI/CD process and are conducted monthly at a minimum.
We have implemented Endpoint Detection & Response (EDR) as well as Intrusion Detection Systems (IDS), and we scan our codebase as an automated step in our CI/CD pipeline.
We have internally documented incident response procedures in place, which are tested at least once per calendar year. Customers are notified of any incident on our status page. If a given event impacts a specific user, that user is contacted by email.
There is a formal risk management policy that outlines a defined risk assessment methodology. It has been approved by management and is reviewed and updated at least once per calendar year. We maintain a risk register which describes potential technical and business risks, estimates their chance of occurrence and their potential business impact, and identifies any present and future mitigation actions to be taken.
LicenseSpring uses third parties for some activities in order to fulfill service requirements. We have a third-party risk management program in place to govern the selection, oversight and risk assessment of these third parties. The assessment is conducted before engaging their services and on an ongoing basis thereafter as needed. An inventory of all third parties is not published, for security and privacy reasons, but can be provided upon request on a case-by-case basis.