Security Policy

Last updated: October 24, 2024

Introduction
Data and code security are a top priority for Liminary’s technology and operations veterans. We take every measure to ensure customer data is secure, preventing all unauthorized access. Liminary is committed to a policy of transparency about our security practices and measures and welcomes all inquiries into our policies, methods, and configurations.

Organization
Liminary's security program is led by our CTO and is based on an approach that takes security into consideration in all of our technical and organizational activities. The CTO is supported by all members of the organization, who help ensure that we develop effective defense-in-depth security practices.

Protecting Data
Data in Motion
All Liminary customer data is encrypted at rest and in motion. In-motion encryption is provided by TLS 1.2 or 1.3 for all connections to our web servers and from our servers to other servers accessed via APIs. In addition, all communication from our web servers to data stores is encrypted using TLS 1.2 or 1.3. We employ the latest recommended secure cipher suites where possible. Both TLS 1.3 and TLS 1.2 are enabled on systems where 1.3 is currently available; otherwise, only TLS 1.2 is enabled.

Data at Rest
At-rest encryption is provided for all data using built-in AWS disk encryption for S3, EBS, and RDS. Sensitive data that we detect as part of our service is additionally encrypted using AWS Key Management Service with the AES-256-GCM algorithm before being persistently stored.

Data Lifecycle
Customer data is retained based on customer preferences. This time period may be modified based on specific customer agreements. We delete customer data from production systems within one day of the request. Backups of this deleted data will age out on a schedule of 30 days. AWS is responsible for ensuring removal of data from physical disks is performed in a responsible manner before they are repurposed.

Data Processing
All customer data is hosted in our AWS production environment in the US. Customer data never leaves this secure AWS production environment. All data operations are required to be conducted within restricted areas of the private cloud and VPN.

Sensitive Data Redaction
As part of our architecture, we trigger a redaction process as soon as your data arrives in our environment. This redaction detects a wide range of sensitive data, including PII, passwords, and credit card numbers. Data that is passed downstream for further processing has had this sensitive data redacted.

In addition to text data, we have a process that provides the same protection for sensitive data in screenshots. This system detects and redacts sections of the image that we determine contain sensitive data as soon as the image enters our system.

We’re componentizing the redaction system and designing the capability to run the redaction on a server supplied by the customer, inside their perimeter, ensuring no sensitive data leaves the customer’s premises or secure cloud environment.

Data Segregation
Each customer's sensitive data is stored logically separate from other customers’ data. Unique data store access credentials and encryption keys are created for each customer.

Security in Depth
Key and Secret Management
Liminary uses AWS Key Management Service and AWS Secrets Manager to manage programmatic encryption keys and secrets, and AWS IAM to manage user and programmatic access keys. Keys and secrets are rotated on a regular basis based on current industry best practice timelines.

Network Security
We maintain separate AWS Organization accounts for our production and development environments. In addition, our production environment is segregated into multiple Virtual Private Clouds (VPCs) to isolate Internet-facing services from internal data stores and data processing services. Only a limited set of personnel have access to the production environment. Direct access to production data servers is protected by a VPN and IP-address firewall rules.

Network access to our production environment is also restricted, with only a small number of front-facing web load balancers accessible from the Internet. Only protocols necessary for the delivery of our service to our users are open at the perimeter.

Access Control
All user access to Liminary systems is subject to the principle of least privilege and requires multi-factor authentication (MFA). We provision AWS IAM groups and roles with only the specific policies required for the user or system to perform its function.
Liminary employees who interact with your data must be specifically screened and authorized to do so.

Vulnerability Management
We perform regular scans of our codebase and our AWS environments for vulnerabilities or misconfigured systems. These scans are performed using a mix of GitHub- and AWS-provided tools as well as third-party tools and internally-developed code. Remediation of discovered vulnerabilities occurs on a regular basis.

Our technical team rapidly investigates all reported security issues.

Monitoring and Compliance
Liminary has comprehensive monitoring and compliance processes in place. We perform monthly reviews of all user service accounts for acceptable password rotation and implementation of MFA. We also monitor accounts for anomalous access patterns.

We employ network monitoring and alerting technologies to detect anomalous network traffic in our AWS environments. Liminary also implements AWS Config for detecting unauthorized configuration changes in AWS.

We perform regular checks for compliance with internal policies such as our Acceptable Use Policy, Change Management Policy, Data Management Policy, and Patch Management Policy. We also conduct regular reviews of these policies to determine if they should be updated.

Employees
Every employee at Liminary undergoes security training as part of their onboarding process. Refresher training is held on a yearly basis for all employees. Technical staff undergo additional training in secure software development practices.

All Liminary employees are required to undergo and pass a security background check.

Physical Security
All Liminary customer data resides in our AWS production environment. Physical protections are entirely provided by AWS. AWS provides detailed information about their data center controls.

Sensor settings & configuration
Liminary utilizes a Chrome browser extension to enable collecting rich browser activity data. You can find details about this extension on our Chrome extension data privacy page.

Contact our security team
If at any time you have questions or concerns regarding the safety of your data, please contact our security team: security@liminary.io.