IT & Data Security Measures in the LoyJoy Platform
Introduction
This document describes the IT security measures implemented at LoyJoy to meet information security, privacy and compliance requirements.
Risk Management
Our infrastructure provider, Google Cloud EMEA, holds certifications according to ISMS standards such as ISO 27001 and PCI DSS. LoyJoy itself is guided by the information security standards of BSI IT-Grundschutz and, in the long term, is working towards ISO 27001 certification based on BSI IT-Grundschutz.
Requirements Management
Requirements management at LoyJoy is based on Scrum, which enables LoyJoy, as the cloud service provider, to capture, prioritize and implement customer requirements quickly and effectively. Scrum is an iterative and incremental approach that lets the team respond quickly to changes and continuously deliver value to the customer. Requirements are documented as Scrum items in a product backlog or sprint backlog in a Scrum tool.
Personnel Security
Regular mandatory training and information events on IT security are conducted for employees.
Encryption
In the LoyJoy Cloud Platform, both data at rest and data in transit are encrypted with state-of-the-art encryption. We follow industry best practices and standards such as AES and TLS.
Data at rest
Data at rest is encrypted with Google Cloud's built-in encryption at rest and additionally with our own AES encryption at the application level. This also applies to data in vector databases. The AES key is LoyJoy's own and is deliberately kept outside the Google Cloud configuration.
Data at rest can be minimized on behalf of the tenant, as on request the LoyJoy customer success team can disable specific or all data backends. Disabling all data backends effectively configures the LoyJoy Cloud Platform as a transient data processing environment for the tenant.
For any data at rest, there are automated expiration dates ranging from 7 days to a maximum of 720 days. The tenant owner decides which data is stored and for how long.
Data in transit
Data in transit is protected with point-to-point encryption to ensure confidentiality and integrity during transfer. This also applies to data exchanged with Azure OpenAI services, OpenAI, and other third-party services. Point-to-point encryption is implemented at the protocol level with TLS, i.e. HTTPS and SMTPS. The TLS certificates and keys are managed automatically by Google Cloud Run. Additionally, email bodies can be encrypted by delivering the content as an encrypted PDF attachment.
Development
Development Process
The development of the LoyJoy Cloud Platform follows the Scrum methodology. New features and code adaptations are developed in sprints of approximately two weeks. Following test-driven development (TDD) and continuous integration (CI), an automated test suite is executed after every push to version control. Version control is based on Git, and access to the Git repository requires two-factor authentication (2FA).
Features and code adaptations are developed on branches, which are merged into the main branch via pull requests. Each pull request is peer reviewed before it is merged.
Release Process
A new release is typically deployed once or twice a month. Releases are packaged by the development lead, usually the CTO. Only the CTO and one additional developer have access to the production environment and can therefore deploy releases. Access to the production environment requires two-factor authentication (2FA).
LoyJoy Infrastructure
LoyJoy has basic security measures such as change management, protection against malware, data backup and restore, hardening, patch management, vulnerability management, and encryption in place. Policies and procedures are defined for these processes.
IT Emergency Management
To guarantee continued service delivery, the vast majority of LoyJoy's operations run on managed services (PaaS) in the Google Cloud Platform. Software and hardware failures that are not related to change requests are usually handled automatically by the Google Cloud Platform. Failures in the context of change requests are monitored by management.
Physical Protection and Environment-related Security for IT Equipment
LoyJoy utilizes the infrastructure of the Google Cloud Platform, which provides physical protection and environment-related security for IT equipment. This includes securing supply facilities such as power and climate.
LoyJoy uses Apple Business Essentials together with JAMF Now for asset management. Mobile device management (MDM) uses the interfaces provided by Apple for remote device management.
Access Management
LoyJoy uses a role-based security system and two-factor authentication (2FA) for logical access and access to the platform. The office spaces are lockable and visitors are only allowed in the company of employees.
IT Operating Process
IT operating processes at LoyJoy are based on ITIL. These include capacity management, availability management, change management, release and deployment management, incident management, and problem management.
Procurement, Development, and Maintenance of Systems
Systems are used in the following areas:
- Servers (hardware and software): The hardware used for production of the LoyJoy Cloud Platform is fully managed by the Google Cloud Platform, as is the software, including the operating systems. Only LoyJoy's own code for the LoyJoy Cloud Platform is managed by the DevOps team, in the form of Docker containers.
- Workstations (hardware and software): Macs serve as workstations, and their software is managed by MDM. The hardware is procured from Apple or Apple-certified vendors.
Vulnerability and Threat Management
LoyJoy has vulnerability and threat management on multiple levels. On the development side, dependencies are continuously monitored for known vulnerabilities, and findings are reported to the development team via email. On the operational side, data access within tenants is logged, and an email alert is sent if an unusual concentration of data access is detected.
Zero Trust
The LoyJoy Cloud Platform does not rely on VPNs or IP address-based access control, but instead applies a Zero Trust strategy (cf. M-22-09, Federal Zero Trust Strategy). Consequently, every endpoint of the LoyJoy Cloud Platform is hardened so that only authenticated and authorized users can access data and services.
Logical Separation
The development environment is strictly separated from the production environment. Developers, with the exception of the CTO and one further developer, cannot access the production environment. Instead, all developers can access a staging environment, which does not contain production data.
Password Policy
For applications used at LoyJoy, we enforce strong passwords. Initial passwords must be changed in order to use the application.
Anti-Virus / Malware Protection
Company devices are Macs only. All Macs are protected by Apple's built-in XProtect malware protection.
Bring Your Own Device
Employees who potentially or actually deal with customer data must only use company hardware.
Mobile Device Management (MDM)
All company devices are equipped with mobile device management software (MDM). Access to the devices requires a PIN or password entry.
Device Encryption
All company devices have mandatory device encryption provided by the operating system.
Secure Wi-Fi
Only encrypted Wi-Fi networks (at least WPA2) are used.
Firewall
Cloud production servers are protected by a cloud firewall system.
SPAM Filter
An integrated spam filter is mandatory for all company inboxes.
Patch Management
Patches and updates for the LoyJoy infrastructure are applied automatically. Automatic updates are enabled on employee devices. Their effectiveness is reviewed regularly.
Mobile Data Carrier (hard drives, USB devices)
Hard drive encryption is enabled on all employee devices. Employees are instructed not to use removable data carriers such as USB sticks or external hard drives.
Admin Audit Logs
Admin activity in the infrastructure systems is stored and archived.
Deletion concept for data deletion and disposal of data carriers and devices
For any data at rest, there are automated expiration dates ranging from 7 days to a maximum of 720 days. The tenant owner decides which data is stored and for how long. Customer data is encrypted with AES encryption. Offsite backups are stored on selected encrypted devices under management supervision.
Process to ensure compliance with storage and deletion periods
Deletion is performed by an automated process. The deletion date (expires_at) is mandatory and is set when the record is created.
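The retention rule described here and under Data at rest (expires_at fixed at creation, retention between 7 and 720 days, deletion by an automated job) can be expressed as a small data model plus a sweeper. The Go program below is an added example, not LoyJoy's implementation: the record fields, the sweeper returning the deleted IDs for logging, and treating a missing expires_at as expired (fail closed) are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Retention window from the document: 7 days minimum, 720 days maximum.
const (
	MinRetentionDays = 7
	MaxRetentionDays = 720
)

// Record is the minimum a stored object carries. ExpiresAt is set exactly
// once, at creation, and is the only input the sweeper looks at.
type Record struct {
	ID        string
	TenantID  string
	CreatedAt time.Time
	ExpiresAt time.Time
}

// NewRecord is the only constructor, and it refuses a retention outside the
// allowed window, so no code path produces a record with a missing or
// open-ended expires_at.
func NewRecord(id, tenant string, createdAt time.Time, retentionDays int) (Record, error) {
	if retentionDays < MinRetentionDays || retentionDays > MaxRetentionDays {
		return Record{}, fmt.Errorf("retention of %d days is outside %d..%d days",
			retentionDays, MinRetentionDays, MaxRetentionDays)
	}
	return Record{
		ID:        id,
		TenantID:  tenant,
		CreatedAt: createdAt,
		ExpiresAt: createdAt.AddDate(0, 0, retentionDays),
	}, nil
}

// Expired reports whether r must be deleted at time now. A zero expires_at
// (a storage bug, assumption for this example) is treated as expired rather
// than immortal, so the rule fails closed.
func (r Record) Expired(now time.Time) bool {
	return r.ExpiresAt.IsZero() || !r.ExpiresAt.After(now)
}

// Sweep is the automated deletion job: it returns the surviving records and
// the IDs it removed, so each deletion can be logged.
func Sweep(records []Record, now time.Time) (kept []Record, deleted []string) {
	for _, r := range records {
		if r.Expired(now) {
			deleted = append(deleted, r.ID)
			continue
		}
		kept = append(kept, r)
	}
	return kept, deleted
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	short, _ := NewRecord("lead-1", "tenant-a", t0, 7)   // constructed sample records
	long, _ := NewRecord("kb-1", "tenant-a", t0, 720)
	if _, err := NewRecord("bad", "tenant-a", t0, 0); err != nil {
		fmt.Println("rejected:", err)
	}
	kept, deleted := Sweep([]Record{short, long}, t0.AddDate(0, 0, 30))
	fmt.Printf("kept=%d deleted=%v\n", len(kept), deleted)
}
```

Running the sweeper against a fixed clock, as the example does, is what makes the deletion process testable: the retention boundaries (day 6 kept, day 7 deleted) can be asserted without waiting for real time to pass.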
Penetration Testing
The most recent external penetration test was conducted and passed in 2024. The certificate is available on request.
Access Authorization
Access authorization for employees follows the principle of least privilege, implemented through roles and a small group of personnel with access rights to the LoyJoy infrastructure. Access rights within the LoyJoy platform are managed by the tenant owners. Employee access authorizations are reviewed for necessity at regular intervals.
Remote Access
There is no software for remote access in place.
Emergency and Recovery Plans
For security reasons, LoyJoy relies solely on managed cloud environments (PaaS). Remaining risks are mitigated by always having at least one employee with the qualification and authorization for recovery on standby.
LoyJoy Platform
Role-based security
In the LoyJoy Cloud Platform each tenant can have one or more users, and each user can be a member of one or more tenants. Each membership of a user in a tenant carries exactly one user role for that tenant. The user roles provided by the LoyJoy Cloud Platform are Editor, Knowledge, Owner, Revision, Support, Translator, and Viewer.
- Editor: Can edit experiences, Home Views and knowledge data.
- Knowledge: Can add and edit knowledge data that is used for search and AI.
- Owner: Can do all an editor can, as well as administrate the tenant, including user management.
- Revision: Can view everything, but not apply changes.
- Support: Can access the live chat.
- Translator: Can only view and edit texts of experiences.
- Viewer: Can view analytics data only.
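The tenant-scoped role model above (a user may be a member of several tenants, one role per membership, fixed role set) maps directly onto a user-to-tenant-to-role lookup with a static role-to-permission table. The Go program below is an added example, not LoyJoy's code: the permission names, the exact permission set of each role beyond what the list above states, and the Editor/Owner access to tenant logs mentioned under Logging, Monitoring, Alerting are assumptions made for this illustration.

```go
package main

import "fmt"

// Permission is one action a role may perform inside a tenant. The names
// are assumptions for this example.
type Permission string

const (
	EditExperiences Permission = "experiences:edit"
	EditHomeViews   Permission = "homeviews:edit"
	EditKnowledge   Permission = "knowledge:edit"
	EditTexts       Permission = "texts:edit"
	ViewContent     Permission = "content:view"
	ViewAnalytics   Permission = "analytics:view"
	ViewTenantLogs  Permission = "logs:view"
	AccessLiveChat  Permission = "livechat:access"
	ManageUsers     Permission = "users:manage"
	ManageTenant    Permission = "tenant:manage"
)

type Role string

const (
	Editor     Role = "Editor"
	Knowledge  Role = "Knowledge"
	Owner      Role = "Owner"
	Revision   Role = "Revision"
	Support    Role = "Support"
	Translator Role = "Translator"
	Viewer     Role = "Viewer"
)

// editorPerms is shared so that Owner is literally "everything an Editor can do, plus ...".
var editorPerms = []Permission{EditExperiences, EditHomeViews, EditKnowledge, EditTexts, ViewContent, ViewTenantLogs}

var rolePerms = map[Role][]Permission{
	Editor:     editorPerms,
	Knowledge:  {EditKnowledge, ViewContent},
	Owner:      append(append([]Permission{}, editorPerms...), ManageUsers, ManageTenant),
	Revision:   {ViewContent, ViewAnalytics}, // read-only
	Support:    {AccessLiveChat},
	Translator: {EditTexts, ViewContent},
	Viewer:     {ViewAnalytics},
}

// Directory maps user -> tenant -> role. One map entry per (user, tenant)
// pair is what encodes "exactly one role per membership".
type Directory struct {
	members map[string]map[string]Role
}

func NewDirectory() *Directory {
	return &Directory{members: map[string]map[string]Role{}}
}

// SetRole creates or replaces a membership; it never accumulates roles.
func (d *Directory) SetRole(user, tenant string, role Role) error {
	if _, ok := rolePerms[role]; !ok {
		return fmt.Errorf("unknown role %q", role)
	}
	if d.members[user] == nil {
		d.members[user] = map[string]Role{}
	}
	d.members[user][tenant] = role
	return nil
}

// Allowed is the single authorization check. No membership in this tenant
// means deny, whatever roles the user holds in other tenants.
func (d *Directory) Allowed(user, tenant string, p Permission) bool {
	role, ok := d.members[user][tenant]
	if !ok {
		return false
	}
	for _, q := range rolePerms[role] {
		if q == p {
			return true
		}
	}
	return false
}

func main() {
	d := NewDirectory() // constructed sample memberships
	d.SetRole("alice@example.com", "tenant-a", Owner)
	d.SetRole("alice@example.com", "tenant-b", Viewer)
	fmt.Println(d.Allowed("alice@example.com", "tenant-a", ManageUsers)) // true
	fmt.Println(d.Allowed("alice@example.com", "tenant-b", ManageUsers)) // false
}
```

The check worth keeping from this example is the cross-tenant one: an Owner of tenant A who is a Viewer in tenant B must be denied user management in B, and a user with no membership in tenant C must be denied everything there, regardless of what they can do elsewhere.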
User Access
The LoyJoy Cloud Platform provides two modes of authentication. (1) Users can sign into the LoyJoy Cloud Manager with a magic link sent to their email address. (2) Users can sign into the LoyJoy Cloud Manager with a FIDO2 hardware token (e.g. YubiKey). The latter is strongly recommended: a phishing-resistant FIDO2 authenticator is currently the most secure widely available approach to securing user accounts.
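The security of the magic-link mode rests on three properties of the token in the link: it is unguessable, it is single-use, and it expires quickly. The Go program below is an added example of that token lifecycle, not LoyJoy's implementation; the 256-bit random token, storing only its SHA-256 hash, the 15-minute lifetime, the injected clock and the login URL are all assumptions made for this illustration (FIDO2 is not covered here).

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

type pendingLink struct {
	Email     string
	ExpiresAt time.Time
}

// LinkStore keeps only the SHA-256 of each outstanding token, so a leaked
// copy of the store contains nothing that logs a user in.
type LinkStore struct {
	ttl     time.Duration
	pending map[string]pendingLink // key: hex(sha256(token))
}

func NewLinkStore(ttl time.Duration) *LinkStore {
	return &LinkStore{ttl: ttl, pending: map[string]pendingLink{}}
}

func tokenKey(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Issue creates a single-use token for email and returns the raw token that
// goes into the e-mailed URL. Only its hash and expiry are retained.
func (s *LinkStore) Issue(email string, now time.Time) (string, error) {
	raw := make([]byte, 32) // 256 bits of entropy: guessing is infeasible
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.pending[tokenKey(token)] = pendingLink{Email: email, ExpiresAt: now.Add(s.ttl)}
	return token, nil
}

var ErrInvalidLink = errors.New("magic link is unknown, already used or expired")

// Redeem consumes the token. The first valid presentation logs the user in;
// every later one (replay, forwarded e-mail, expired link) gets the same
// error, so a failed attempt reveals nothing about why it failed.
func (s *LinkStore) Redeem(token string, now time.Time) (string, error) {
	k := tokenKey(token)
	link, ok := s.pending[k]
	if !ok {
		return "", ErrInvalidLink
	}
	delete(s.pending, k) // single use, even if it turns out to be expired
	if now.After(link.ExpiresAt) {
		return "", ErrInvalidLink
	}
	return link.Email, nil
}

func main() {
	store := NewLinkStore(15 * time.Minute)
	now := time.Now()
	token, _ := store.Issue("user@example.com", now)
	fmt.Println("https://manager.example.invalid/login?token=" + token) // hypothetical URL
	email, err := store.Redeem(token, now.Add(time.Minute))
	fmt.Println("first use:", email, err)
	_, err = store.Redeem(token, now.Add(2*time.Minute))
	fmt.Println("replay:", err)
}
```

Because redemption is by hash lookup, the raw token is never compared or stored server-side; the remaining weakness of any magic-link scheme is the mailbox itself, which is why the document steers users to FIDO2 tokens.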
Logging, Monitoring, Alerting
The LoyJoy Cloud Platform has two types of logs. (1) A system-wide logging system is in place, which is monitored by LoyJoy staff with access to the production environment. (2) Each tenant is provided with its own logging system, which can be accessed by users with the Owner and Editor roles.
In case of technical incidents detected by the system-wide logging system, LoyJoy staff are alerted automatically via email. The tenant-wide logging system can optionally inform users about incidents such as API errors if they subscribe to such notifications.
Incident Management
LoyJoy uses an incident management process based on Git tooling for capturing, reporting, and resolving issues.
Password Policy
The LoyJoy Platform does not use passwords; users authenticate with a magic link or a FIDO2 hardware token, as described under User Access.