Security is a top priority for Linkfire. We understand that your Linkfire account may contain data regarding your visitors and marketing operations, which we are very protective of. This page describes the various security measures we take to protect your data.
Technical and organizational security measures
This document describes the technical and organizational security measures and controls implemented by Linkfire to protect the data our customers entrust to us as part of the Linkfire services.
Organization of Information Security
Objective: To outline Linkfire’s information security structure.
Measures:
- Linkfire employs full-time dedicated Personnel responsible for information security.
- The information security function reports directly to the Linkfire senior leadership team.
- Linkfire has a comprehensive set of information security policies, approved by senior management and disseminated to all Personnel.
- All Linkfire Personnel have signed legally reviewed confidentiality agreements.
- All Linkfire Personnel are given training in information security.
- Linkfire has a central, secure repository of product source code, which is accessible only to authorized Personnel.
- Linkfire has a formal application security program and employs a robust, secure Software Development Lifecycle (SDL).
- All changes to software on the Linkfire Service are via a controlled, approved release mechanism within a formal change control program.
Access: Physical Security
Objective: Linkfire uses certified cloud provider data centers to protect the physical assets that contain Customer Data. Physical access is strictly controlled both at the perimeter and at building entrance points by professional security staff using video surveillance, state-of-the-art intrusion detection systems, biometric locks, and other electronic means. Only authorized personnel have access to the data centers.
Measures:
- The Linkfire Service operates from certified third-party production cloud providers with a defined and protected physical perimeter, strong physical controls including access control mechanisms, controlled delivery and loading areas, surveillance, and security guards.
- Each Data Center is audited for compliance with Linkfire security controls.
- Each cloud provider has a zero-access policy towards physical access to facilities.
- Power and telecommunications cabling carrying Customer Data or supporting information services at the production cloud providers are protected from interception, interference, and damage.
- The production data centers and their equipment are physically protected against natural disasters, unauthorized entry, malicious attacks, and accidents.
- Equipment at the production data center is protected from power failures and other disruptions caused by failures in supporting utilities and is appropriately maintained.
For more information, please contact security@linkfire.com.
Access: System and Data Access
Objective: To ensure systems containing Customer Data are used only by approved, authenticated users and that the Customer Data they are authorized to access is accessed securely.
Measures:
- Access to Linkfire systems is granted only to Linkfire Personnel and/or to permitted employees of Linkfire, and access is strictly limited as required for those persons to fulfill their function.
- All users access Linkfire systems with a unique identifier (UID).
- Linkfire has established a password policy that prohibits the sharing of passwords and requires passwords to be changed on a regular basis and default passwords to be altered. All passwords must fulfill defined minimum complexity requirements and are stored in encrypted form.
- Access to systems containing Customer Data is only possible through a secure office network or VPN tunnel.
- Linkfire has a comprehensive process to deactivate users and their access when Personnel leaves the company or a function.
- All access or attempted access to systems is logged and monitored.
- Linkfire restricts Personnel access to Customer Data on a “need-to-know” role basis based on this justification.
- Personnel training covers access rights to and general guidelines on definition and use of Customer Data.
Handling
Objective: To ensure Customer Data remains confidential throughout processing and remains intact, complete and current, while protecting it from accidental destruction or loss.
Measures:
- Customer access to the Linkfire Service portals is protected by the most current version of Transport Layer Security (TLS).
- Linkfire uses Strong Encryption in the transmission of Customer Data within our production data centers.
- Linkfire uses proactive security measures that identify at-risk data and implement effective data protection for data in transit and at rest.
- Data at rest is encrypted with industry-standard AES-256.
- Linkfire uses a high level of redundancy when storing Customer Data. Customer Data is stored across two geographically separate data centers using multiple separate cross connections.
- Linkfire maintains a robust Business Continuity/Disaster Recovery program including:
  - Well-defined and updated plans.
  - Regular testing and retrospectives.
- Linkfire employs Network Level and host-based firewalls to block unauthorized system access.
- Networks are continuously scanned to immediately detect any potential misconfiguration with our infrastructure.
- All infrastructure is built to be replaced or rebuilt at a moment’s notice with 0 data loss.
- Operating systems are patched, managed, and tested strictly through configuration management systems.
Incident management
Objective: In the event of any security breach of Customer Data, the effect of the breach is minimized and the Customer is promptly informed.
Measures:
- Linkfire maintains an up-to-date incident response plan that includes responsibilities, how information security events are assessed and classified as incidents, and response plans and procedures.
- Linkfire regularly tests its incident response plan with “table-top” exercises and learns from tests and potential incidents to improve the plan.
- In the event of a security breach, Linkfire will notify Customers without undue delay after becoming aware of the security breach.
Review
Objective: To ensure Linkfire regularly tests, assesses, and evaluates the effectiveness of the technical and organizational measures outlined above.
Measures:
- Linkfire conducts regular audits of its security policies and practices.
- Linkfire ensures that Personnel are aware of and comply with the technical and organizational measures set forth in the Information Security Policy.
Additional information
Any further questions can be sent to security@linkfire.com.
Responsible disclosure
Linkfire is serious about security. We encourage anyone to privately and responsibly report possible vulnerabilities and incidents to us so that we can address these issues quickly. If you have discovered a security incident or wish to report a vulnerability in our product, please send us an email at security@linkfire.com (use Keybase.io or our PGP key to encrypt any sensitive data). We request that you do not disclose any risks publicly until we have been able to understand the incident and develop a mitigation plan. We’ll be sure to keep all information confidential and work with you to make sure we understand the issue and address it as quickly as possible. All issues reported to the Linkfire Security Team will promptly be addressed.
- We will acknowledge any submission in a timely fashion (usually within 72 hours).
- We will assess the issue fully. (We may keep this information from the public until the issue is fully addressed to prevent any further risk to Linkfire products.)
- Once the issue is fully addressed and resolved, we will alert any affected customers.
If possible, please send the following information:
- Steps to reproduce, preferably in txt format.
- Demonstration of the risk, including URLs and any parameters.
- Any relevant details of your system’s configuration, such as any browser or user-agent information.
- In order to coordinate with our logs, please share your Linkfire account.
- Please do not send any binary/executable attachments.
- If the information is sensitive, please encrypt your communication with Keybase or our PGP key.
We ask that you use common sense when seeking out security bugs. Do not attempt to compromise other users or accounts on Linkfire or attempt to impact the stability of our infrastructure (Denial of Service attacks, etc.). Vulnerabilities should be disclosed to us privately and we should be given reasonable time to respond. Running security scanning tools tends to create more noise than useful information. While we appreciate research and disclosure, we kindly ask that you do not use scanners to find vulnerabilities. Thank you for working with us. We respect the talented people who locate security issues and appreciate all efforts to disclose responsibly.