Security Measures

Technical and organizational security measures to be implemented by Lattice:

A. Annual Evidence of Compliance

1. Lattice is, and shall continue to be, audited annually against the SOC 2 Type II standard. The audit shall be performed by an independent third party. Upon Customer’s written request, Lattice shall provide (on a confidential basis) an approved copy of the results of the most recent annual audit report, so that Customer can verify Lattice’s compliance with the audit standard against its assessment and this DPA. While this report provides annual, independently audited confirmation of Lattice’s security posture, the most common points of interest are detailed further below. Lattice shall provide Customer with this initial evidence of compliance within thirty (30) days of written request.

2. Web Application Penetration Test Summary:
Lattice shall continue to annually engage an independent, third-party to perform a web application penetration test. Upon Customer’s written request, Lattice shall provide a summary of the findings to Customer. Lattice shall address all medium, critical and severe vulnerabilities in the findings of the report within a reasonable, risk-based timeframe. Lattice shall provide Customer with this initial evidence of compliance within thirty (30) days of written request.

3. Security Awareness Training: Lattice shall provide annual Security Training to all personnel. “Security Training” shall address security topics to educate users about the importance of information security and safeguards against data loss, misuse or breach through physical, logical and social engineering mechanisms. Training materials should address industry standard topics which include, but are not limited to:
• The importance of information security and proper handling of personal information.
• Physical controls such as visitor protocols, safeguarding portable devices and proper data destruction.
• Logical controls related to strong password selection/best practices.
• How to recognize social engineering attacks such as phishing.

a. Lattice shall implement user termination controls that include access removal / disablement promptly upon termination of staff.
c. Lattice shall have and maintain a patch management process to implement patches in a reasonable, risk-based timeframe.

2. Network Requirements
a. Lattice shall use firewalls, security groups / VPCs, or similar technologies to protect servers that store Customer Personal Data.

a. Where Lattice handles Customer Personal Data, servers shall be protected from unauthorized access with appropriate physical security mechanisms including, but not limited to, badge access control, secure perimeter, and enforced user provisioning controls (i.e. appropriate authorization of new accounts, timely account terminations and frequent user account reviews). These physical security mechanisms are provided by data center partners such as, but not limited to, AWS, Salesforce and Google. All cloud-hosted systems shall be scanned, where applicable and where approved by the cloud service provider.
b. Cloud Environment Data Segregation: Lattice will virtually segregate all Customer Personal Data in accordance with its established procedures. The Customer instance of the Service may be on servers used by other non-Customer instances.

b. Lattice shall employ secure programming techniques and protocols in the development of applications handling Customer Personal Data.
c. Lattice shall employ industry standard scanning tools and/or code review practices, as applicable, to identify application vulnerabilities prior to release.

a. Encryption and hashing protocols used for Customer Personal Data in transit and at rest shall support NIST approved encryption standards (e.g. SSH, TLS).
b. Lattice shall ensure laptop disk encryption.
d. Customer Personal Data stored on archive or backup systems shall be stored at the same level of security or better than the data stored on operating systems.

b. Lattice will have a policy to prohibit the use of removable media for storing or carrying Customer Personal Data. Removable media include flash drives, CDs, and DVDs.

7. Compliance Requirements
a. Lattice shall, to the extent legally permissible, perform criminal background verification checks on all of its employees that provide Services to Customer prior to their obtaining access to Customer Personal Data. Such background checks shall be carried out in accordance with relevant laws, regulations, and ethics.
b. Lattice will maintain an Information Security Policy (ISP) that is reviewed and approved annually at the executive level.