Ligado assesses the security risk of each software development project according to the OWASP Top 10. Based on this analysis, Ligado creates a set of requirements that must be met before the resulting change may be released to production. All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing. For web applications built by Ligado, or by third parties developing core components of Ligado, continuous automated static analysis is performed using advanced tools and techniques.
The focus of Ligado’s security program is to prevent unauthorized access to customer data. To this end we implement best practices and constantly evaluate ways to improve.
Ligado transmits data over public networks using strong encryption. Ligado supports the latest recommended secure cipher suites to encrypt all traffic, including the TLS 1.2 protocol, AES256 encryption, and SHA2 signatures, as supported by the clients. Ligado monitors the changing cryptographic landscape and upgrades the cipher suite choices as the landscape changes, while also balancing the need for compatibility with older clients. The Ligado service is hosted in data centers maintained by industry-leading service providers. Data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Ligado service. These service providers are responsible for restricting physical access to Ligado’s systems to authorized personnel.
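The paragraph above states a cipher suite policy (TLS 1.2 or newer, AES-GCM or ChaCha20 AEAD suites, forward-secret key exchange, certificate verification) but not how such a policy is verified. The following is an added example, not Ligado's or Platform.sh's code: it builds a hardened Python TLS client context next to a deliberately permissive one, and a small policy checker that reports every deviation by inspecting the suites the context would actually offer. The cipher string, the set of accepted key-exchange methods and the "legacy" context are assumptions constructed for illustration, not Ligado's real configuration.

```python
import ssl

# Assumed policy string (constructed for this example, not Ligado's configuration):
# ECDHE key exchange for forward secrecy and AEAD-only bulk ciphers, which rules
# out CBC/HMAC-SHA1 suites, RC4, 3DES and anonymous or null-cipher suites.
CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"

# Key-exchange methods that give forward secrecy. TLS 1.3 suites report
# "kx-any" because key exchange is negotiated separately from the cipher suite.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-any"}

MIN_STRENGTH_BITS = 128


def hardened_client_context() -> ssl.SSLContext:
    """Client context meeting the policy: TLS >= 1.2, AEAD suites, certs verified."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_POLICY)              # governs TLS 1.2 suites; 1.3 suites are all AEAD
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Deliberately permissive context, constructed only to show what the checker flags:
    no certificate verification and OpenSSL's DEFAULT list, which still contains
    non-AEAD (CBC) and non-forward-secret (RSA key exchange) suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT")
    return ctx


def policy_violations(ctx: ssl.SSLContext) -> list[str]:
    """Return human-readable findings; an empty list means the context meets the policy."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}, "
                        "expected TLSv1_2 or higher")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification is not required")
    # get_ciphers() describes each suite the context would offer, so the check
    # reflects what this OpenSSL build actually negotiates, not just the string above.
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if not suite["aead"]:
            findings.append(f"non-AEAD suite offered: {name}")
        if suite["kea"] not in FORWARD_SECRET_KEA:
            findings.append(f"no forward secrecy: {name} ({suite['kea']})")
        if suite["strength_bits"] < MIN_STRENGTH_BITS:
            findings.append(f"cipher strength {suite['strength_bits']} bits too low: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_client_context())):
        problems = policy_violations(ctx)
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

Running the script prints zero findings for the hardened context and a list for the legacy one; the same `policy_violations` function can be pointed at any `SSLContext` an application builds, which is a cheap regression check to keep in CI when the cipher list is revised for compatibility reasons.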
Each Ligado customer’s data is hosted in Ligado’s shared infrastructure and segregated logically by the Ligado application. Ligado uses a combination of storage technologies to ensure customer data is protected from hardware failures and is returned quickly when requested.
To further reduce the risk of unauthorized access to data, Ligado employs multi-factor authentication for administrative access to systems with more highly classified data. Where possible and appropriate, Ligado uses private keys for authentication. The passwords themselves are required to be complex (auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements). Ligado requires personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviors that can reduce security.
Ligado monitors incoming bug reports, prioritizes true vulnerabilities and ensures their timely resolution. Ligado monitors servers and applications to retain and analyze a comprehensive view of the security state of its infrastructure.
Ligado has a dedicated Data Breach Policy (see below) and has reviewed all its suppliers to ensure that their breach notifications are at an acceptable standard.
To run its business efficiently, Ligado relies on sub-service organizations. Where those sub-service organizations may impact the security of Ligado’s production environment, Ligado takes appropriate steps to ensure its security posture is maintained.
Ligado’s most important third-party supplier is its hosting provider Platform.sh. Everything about the security of our hosting infrastructure can be found on the Platform.sh security page.
We take security seriously at Ligado, because every person and team using our service expects their data to be secure and confidential. Safeguarding this data is a critical responsibility we have to our customers.
Ligado holds Personal Data about our users, employees, clients, suppliers and other individuals for a variety of business purposes.
Ligado places a high importance on the correct, lawful and fair handling of all Personal Data, respecting the legal rights, privacy and trust of all individuals with whom it deals.
A data breach generally refers to the unauthorised access and retrieval of information that may include corporate and/or personal data. Data breaches are generally recognised as one of the more costly security failures of organisations. They could lead to financial losses, and cause consumers to lose trust in Ligado or our clients.
The regulations across the various jurisdictions in which Ligado operates require Ligado to make reasonable security arrangements to protect the personal data that we possess or control, to prevent unauthorised access, collection, use, disclosure, or similar risks.
This policy applies to all staff. You must be familiar with this policy and comply with its terms. This policy supplements our other policies relating to security. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
As our Data Protection Officer, Markus Hausammann has overall responsibility for the day-to-day implementation of this policy.
All staff will receive training on this policy. New staff will receive training as part of the onboarding process. Further training will be provided whenever there is a substantial change in the law or our policy and procedure.
Training is provided through online training, and covers the applicable laws relating to data protection, and Ligado’s data protection and related policies and procedures.
Completion of training is compulsory.
If you have any questions or concerns about anything in this policy, do not hesitate to contact the Ligado DPO.
EU GENERAL DATA PROTECTION REGULATION (EU) 2016/679 (GDPR)
The regulation applies if the data controller (organization that collects data from EU residents) or processor (organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU.
The regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents.
According to the European Commission, Personal Data is: “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Ligado gathers Personal Data directly as a data controller for internal operations; Ligado also collects data for customer projects as a data processor.
Personal Data we gather for internal operational purposes relates to identifiable individuals such as job applicants, current and former employees, contract and other staff, clients, suppliers, and marketing contacts, and the data gathered may include individuals’ contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.
Personal Data we gather under mandate for users or customers of our customers can vary from case to case. Data gathered may include e-mail addresses, gender, age, educational background as well as self-report data from psychometric questionnaires. Obtaining adequate consent from their users is the responsibility of the respective customer of Ligado. We provide the relevant infrastructure to make consent acquisition easy for our customers.
Data breaches may be caused by employees, parties external to the organisation, or computer system errors.
Human Error causes include:
Malicious causes include:
Computer System Error causes include:
All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
Under the GDPR, the DPO is legally obliged to notify the Supervisory Authority within 72 hours of the data breach (Article 33). Individuals have to be notified if adverse impact is determined (Article 34). In addition, Ligado must notify any affected clients without undue delay after becoming aware of a personal data breach (Article 33).
However, Ligado does not have to notify the data subjects if anonymized data is breached. Specifically, the notice to data subjects is not required if the data controller has implemented pseudonymisation techniques like encryption along with adequate technical and organizational protection measures to the personal data affected by the data breach (Article 34).
The Data Breach Team consists of the DPO and Engineering Manager, with the Engineering Manager having the responsibility to make all time-critical decisions on steps taken to contain and manage the incident.
The Data Breach Team should immediately be alerted of any confirmed or suspected data breach via mobile phone:
Markus Hausammann (DPO): +41 (0)79 375 40 48
REPORTING THE INCIDENT TO THE PERSONAL DATA PROTECTION COMMISSION
In the case where affected individuals are in the EU, the relevant supervisory authority must be notified as soon as possible of any data breaches that might cause public concern or where there is a risk of harm to a group of affected individuals. (Each EU state has its own supervisory authority.)
The notification should include the following information, where available:
Notifications made by organisations or the lack of notification, as well as whether organisations have adequate recovery procedures in place, will affect supervising authorities’ decision(s) on whether an organisation has reasonably protected the personal data under its control or possession.
Upon being notified of a (suspected or confirmed) data breach, the Data Breach Team should immediately activate the data breach management and response plan.
Ligado’s data breach management and response plan is:
The Data Breach Team (DBT) should act as soon as it is aware of a data breach. Where possible, it should first confirm that the data breach has occurred. It may make sense for the DBT to proceed to Contain the Breach on the basis of an unconfirmed reported data breach, depending on the likelihood and severity of the risk.
The DBT should consider the following measures to Contain the Breach, where applicable:
Knowing the risks and impact of data breaches will help Ligado determine whether there could be serious consequences to affected individuals, as well as the steps necessary to notify the individuals affected.
How many people were affected?
A higher number may not mean a higher risk, but assessing this helps overall risk assessment.
Whose personal data had been breached?
Does the personal data belong to employees, customers, or minors? Different people will face varying levels of risk as a result of a loss of personal data.
What types of personal data were involved?
This will help to ascertain if there are risks to reputation, identity theft, safety and/or financial loss of affected individuals.
Any additional measures in place to minimise the impact of a data breach?
E.g. a lost device protected by a strong password or encryption could reduce the impact of a data breach.
What caused the data breach?
Determining how the breach occurred (through theft, accident, unauthorised access, etc.) will help identify immediate steps to take to contain the breach and restore public confidence in a product or service.
When and how often did the breach occur?
Examining this will help Ligado better understand the nature of the breach (e.g. malicious or accidental).
Who might gain access to the compromised personal data?
This will ascertain how the compromised data could be used. In particular, affected individuals must be notified if personal data is acquired by an unauthorised person.
Will compromised data affect transactions with any other third parties?
Determining this will help identify if other organisations need to be notified.
Ligado is legally required to notify affected individuals if their personal data has been breached. This will encourage individuals to take preventive measures to reduce the impact of the data breach, and also help Ligado rebuild consumer trust.
Who to Notify:
When to Notify:
How to Notify:
Use the most effective ways to reach out to affected individuals, taking into consideration the urgency of the situation and number of individuals affected (e.g. media releases, social media, mobile messaging, SMS, e-mails, telephone calls).
Notifications should be simple to understand, specific, and provide clear instructions on what individuals can do to protect themselves.
What to Notify:
After steps have been taken to resolve the data breach, Ligado should review the cause of the breach and evaluate if existing protection and prevention measures and processes are sufficient to prevent similar breaches from occurring, and where applicable put a stop to practices which led to the data breach.
Operational and Policy Related Issues:
Resource Related Issues:
Employee Related Issues:
Management Related Issues:
Everyone must observe this policy.
The DPO has overall responsibility for this policy. The DPO will review and monitor this policy regularly to make sure it is effective, relevant, and adhered to.