Information Security at Lentune
An overview of the security policies we have established to protect your data, keep our service reliable and secure our business.
Last updated 08/05/23
Introduction
At Lentune, we are committed to the security and integrity of our customers’ data. We have built a comprehensive security program that is guided by the relevant ISO27001 international standards.
On this webpage, we share the various policies and security measures we have taken to ensure the Lentune database, applications and files are secure from unauthorized access.
1. How we protect your data
The Lentune infrastructure runs purely on Microsoft Azure. This infrastructure as a service helps us to deliver security capabilities we are confident in and can steadily rely upon.
1.1 ISO 27001 compliant data centres
Azure design and manage their data centres to meet specific compliance standards, such as ISO 27001. This standard details requirements for an information security management system (ISMS) within an organization, that is Azure, to ensure they have procedures in place to effectively manage risks, threats and vulnerabilities to their information security.
1.2 Data storage and encryption at rest
Your files and data are encrypted at rest in Azure Blob storage by default, and your database records are encrypted at rest in Azure SQL database, while key management is handled by Microsoft. This encryption at rest ensures your information is safe from unauthorized disclosure or modification.
1.3 Encryption in transit
Any customer data in Lentune cloud products travel the internet via encrypted HTTPS traffic using TLS. This encryption in transit ensures your information cannot be intercepted or manipulated by unauthorized third parties.
1.4 Penetration testing
Our infrastructure, web applications and APIs are penetration tested every 6 months by external parties. Any vulnerabilities found become a top priority and are fixed by our internal development team.
1.5 Backups
All our data is replicated between multiple regions thanks to the use of Azure. Our backup data is also encrypted at rest in Azure.
1.6 Physical security
The physical security of our servers and your data is administered by Azure and governed by their datacentre security policy. Physical security at our offices is governed by our internal security program.
1.7 Data retention policy
All files on our servers are backed up and kept for 30 days after deletion. Database data is backed up with point-in-time backup for the last 7 days, weekly backup is kept for 8 weeks, monthly backup is kept for 52 weeks and yearly backup is kept for 10 years.
2. How we keep our service reliable
2.1 Azure
Our infrastructure runs in Azure, where all components are Geo redundant across multiple data centres. This helps to minimise disruptions caused by any failure and keep our services constantly available.
2.2 Distributed denial of service (DDOS) protection
Our APIs and web application are protected against denial-of-service attacks in multiple ways. Firstly, Azure provides volumetric denial of service protection through Azure defender. Our security CDN also performs application-layer denial of service protection alongside web application firewall protection.
2.3 Business continuity and disaster recovery
Lentune implements database replication architectures to achieve high availability and data resiliency. Encrypted backups are executed regularly and stored both onsite at the data centre and replicated to an offsite storage location. Each key service layer has redundant components, such as multiple servers that provide the same services and data, eliminating the risk of a single point of failure. Azure Data centres also maintain controls to enforce physical security and protection against environmental hazards.
3. How we secure our business
3.1 Security awareness training
All Lentune employees and contracted third parties are required to undergo security awareness training during the onboarding process and then on a regular basis. Our standard work contract includes confidentiality clauses.
3.2 Security policies
Lentune has multiple internal policies relating to the details of data privacy, security and acceptable use. The most widely distributed and referenced is that of our employee handbook, which outlines policies on data protection, security and related measures. Lentune also has a public-facing privacy policy which you can view on our website.
3.3 Password policy
To maintain password security within our organisation, we do not allow the use of too generic passwords, and we strongly advise the use of individual passwords for each website. To support this policy, we provide every employee with a password manager to help them store their credentials easily and securely.
3.4 Multi-factor authentication
Multi-factor authentication (MFA) is supported when accessing the main services Lentune relies on. The use of MFA provides an additional level of security and identification beyond just entering a password.
3.5 Single Sign-On
Lentune provides Single Sign-On (SSO) capabilities via Azure B2C. This means you have full control over who has access to the use of our product and how authentication takes place when users are connected to your corporate network. You have the capabilities to create your own password policies and multi-factor authentication implementations.
3.6 API keys - key rotation
Your data is protected behind access tokens assigned individually to each user and follow the user's privileges. These keys are rotated Daily. Lentune’s application enforces authorization for every API call.
3.7 How to report a vulnerability
You can report a bug or vulnerability to us via email (support@lentune.com). Our support team are readily available and will seek advice from the relevant department where required. However, we do advise abstaining from publicly disclosing the vulnerability or bug before we can get in touch with you and work to fix it.