Security and Privacy at LemonadeLXP

Security is at the heart of what we do, whether it's helping our customers improve their security posture with LemonadeLXP training and certifications, or focusing on our own.

Governance

LemonadeLXP's security and privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.

Our policies are based on the following foundation principles:

01

Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.

02

Security controls should be implemented and layered according to the principle of defence-in-depth.

03

Security controls should be applied consistently across all areas of the enterprise.

04

The implementation of controls should be iterative and continuously maturing, favoring automated audits and decreased friction.

Data Protection

Data at Rest

All storage with customer data, in addition to S3 buckets, are encrypted at rest. Sensitive collections and tables also use row-level encryption.

This means the data is encrypted even before it hits the database so that neither physical access, nor logical access to the database, is enough to read the most sensitive information.

Data in Transit

LemonadeLXP uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also use features such as HSTS (HTTP Strict Transport Security) to Maximize the security of our data in transit.

Server keys are managed by AWS, and TLS keys are managed by both AWS and cloudflare.

Secret Management

Encryption keys are managed via AWS Key Management System (KMS). KMS stores key material in Hardware Security Modules (HSMs), which prevents direct access by any individuals, including employees of Amazon and LemonadeLXP. The keys stored in HSMs are used for encryption and decryption via Amazon's KMS APIs.

Product Security

Penetration Testing

LemonadeLXP applies cutting edge testing technologies at a very high frequency. A combination of Acunetix (every milestone), Detectify (daily) and AWS Inspector (daily) are used to continuously evaluate LemonadeLXP’s SaaS offerings.

All areas of the LemonadeLXP product and cloud infrastructure are in-scope for these assessments.

Vulnerability Scanning

LemonadeLXP requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC):

  • Static analysis (SAST) testing of code during pull requests and on an ongoing basis
  • Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain
  • Malicious dependency scanning to prevent the introduction of malware into our software supply chain
  • Dynamic analysis (DAST) of running applications
  • Network vulnerability scanning on a period basis
  • Advanced traffic introspection and automated traffic activity monitoring to examine potential threats in real-time

Enterprise Security

Endpoint Protection

All corporate devices are centrally managed and are equipped with device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use Vanta to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.

Secure Remote Access

LemonadeLXP secures remote access to internal resources using AWS VPN, requiring our Identity Provider authentication for the latter, which is armed with 2FA.

Security Education

LemonadeLXP provides comprehensive security training to all employees upon onboarding and annually through educational modules within LemonadeLXP’s own platform. In addition, all new employees attend a mandatory onboarding centered around key security principles. All new engineers also attend a mandatory mentoring and onboarding focused on secure coding principles and practices.

LemonadeLXP’s security team shares regular threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.

Identity and Access Management

LemonadeLXP uses Google Workspace Enterprise for identity and access management within the organization. We enforce the use of MFA.

Vital cloud-provider accounts are separately managed through AWS IAM.

LemonadeLXP employees are granted access to applications based on their role, and automatically deprovisioned upon termination of their employment. Access to vital software is also monitored with Vanta, ensuring that off boarding SLAs are met.

Responsible Disclosure

Looking to Report a Security Concern?

Please visit our Responsible Disclosure page.