Security of your data is our primary concern. We are continuously working on protecting your data with enterprise level security while delivering your key business metrics in one place. We apply GDPR rules for all our customers.
User Management, Authentication and Dashboard access
Users can access Dear Lucy dashboards with password authentication, using Google or Azure Active Directory Single Sign-on, or via shared Kiosk links. If SSO federation is not in use, adding new users is limited to users with admin rights.
Dear Lucy dashboards support group based permissions. Groups define which dashboards the group members can access. With password or SSO authentication, the user can be assigned to one or more groups which clearly define what dashboards they can view.
Each Kiosk link can be limited to a subset of dashboards. Link URLs are public but created with a cryptographically secure has making them practically impossible to guess. We also protect against brute force attacks blocking scripted attempts to guess the link hash.
In addition, the access to your company’s dashboard can be further restricted with IP filtering. To enable IP filtering, please contact Dear Lucy customer support.
We log users’ actions, including logins and logouts and failed login attempts. No personal information besides IP addresses and user ids is stored in our logs. Logs are protected from tampering and log archives are encrypted.
Network and Communications Security
All traffic between our users and the service is encrypted using HTTPS and WSS (TLS/SSL). For integrations, HTTPS is the default. Only in special cases, and by explicit request by the customer, do we allow integrations to APIs that don’t support encryption.
We use independent third party auditors to review our software periodically. The latest auditing report is available per request.
Customer data is fully backed up several times per day. We store daily, weekly and monthly backups up to 13 months. After that, backups are fully removed.
Removal of Data
Personal data can be removed from the system by the Customer. Removed data will stay on disaster recovery systems for a while and will be removed automatically according to backup rotation cycles. Data removals are secure and no data can be restored after it has been removed from backups.
Disaster recovery backups of customers’ data are destroyed automatically as soon our data retention obligations are fulfilled (e.g., to protect other data stored in the same backup archives).
Access to Data by the Service Provider
As our customer, we regard all your data as secret and confidential. Access to your dashboard is limited to members of Dear Lucy’s service delivery and security teams using personal credentials. Each access creates a log entry, which can be later audited.
Hosting and Data Storage
All Dear Lucy services are hosted within EU. We currently use AWS, Heroku and MongoDB Atlas for service infrastructure and data storage. Physically application servers, data and backups reside in AWS eu-west-1 data centers in Ireland.
Integrations and Credentials for Third-Party Services
We store the third party service credentials of our customers in encrypted format. Credentials are never transferred unencrypted over the network.
Software and Systems Security
All changes to the applications or infrastructure go through peer review and automated security testing before being accepted in to production. The development team has processes of keeping the software and its dependencies up-to-date. We constantly monitor vulnerability reports of third party software.
People and Processes
Education and Training
All Dear Lucy employees are trained to follow personal security best practices along with GDPR. The product development team is also trained in software and networking security best practices.
Personal Security Best Practices
For all our team members, we require that the computers they use are password protected with encrypted hard drives. Password managers are used to protect personal and shared application credentials and secrets. Access to shared credentials is granted to qualified personnel only. Two factor authentication is required for the services that support them.
Contracts and NDA
When starting a job at Dear Lucy, permanent or contract, each employee is required to sign a non-disclosure agreement protecting our customers’ data to which the employee might have access to based on their role.