Last updated 7 December, 2023

Given that automation via systems and data integration is one of LivePreso’s core benefits, we take security and privacy extremely seriously. We have successfully completed security assessments for some of the world’s largest companies, with the strictest requirements.

Over the years, we have collected the most common and important questions we’ve been asked, and compiled the following Q&A repository. If you have questions for us, they’re very likely covered below. But if you don’t find what you’re looking for, just let us know and we’d be happy to answer your specific questions.

Some of the questions and answers below pertain to the core LivePreso platform (not just LivePreso Advice), but have been included for completeness.

Information classification 

Does your organisation store, process or manage payment information?

No, we use Stripe for all direct credit card payments. We don’t process or store the payment details.

Does your organisation store, process or manage customer information?

Yes. Full name, address, email address, identification numbers, usage information.

Does your organisation store, process or manage financial information?

For LivePreso Advice, we store the data retrieved from Xplan for any document (preso) created by an adviser or paraplanner.

Does your organisation store, process or manage other information?

As a presentation tool, LivePreso only requires basic name-and-address contact information for the recipients of the material. However, the content which it delivers can contain dynamic data sourced from any number of locations. As above, for LivePreso Advice this does include client data from Xplan.

Does your organisation have a data classification matrix?

Yes.

Do you share customer data with, or enable direct access by, any third-party?

We may provide customer data to LivePreso’s related bodies corporate where necessary to carry out our business functions. We may also provide some scrubbed customer data to service providers who assist us with operational matters.

Do you seek a right to use or own customer derived data for your own purposes?

No.

Describe the circumstances in which customer data is allowed to leave your production systems.

Scrubbed data leaves production systems for error reporting and diagnostics purposes.

System classification

Is your system internet-facing?

Yes.

Is your system multi-tenanted?

For the off-the-shelf version of LivePreso Advice, yes.

However, LivePreso Advice can be deployed in a single-tenant configuration on dedicated virtual hardware for custom use-cases (subject to licensing minimums). The dedicated virtual hardware may itself be multi-tenant within the AWS platform depending on scale.

Is your system regulatory impacted?

LivePreso stores the names, email addresses, and optionally street addresses of contacts that can receive presentations. While these are personally identifying types of data, LivePreso complies with both the Australian Privacy Act 1988 and the New Zealand Privacy Act 1993.

Application security

Privacy and access control

Is the Application protected by an authentication mechanism using a unique username and password for each individual user?

All LivePreso users have unique usernames and individual passwords. In LivePreso Advice, Xplan’s single sign-on is used for authentication, in which case users cannot also log in with username and password.

Does the Application support role based access control by allowing creation of roles and inheritance of rights to users based on specific roles?

LivePreso allows users to be members of one or more groups, each with its own set of permissions. Users may also be granted permissions directly. Users may be assigned to common groups via the “HQ” management interface.

Are passwords always hidden from the user when entering into the authentication mechanism? Are passwords encrypted in transmission and storage (hashing with SHA-2 and unique salt or equivalent strength)?

As above, LivePreso Advice (currently) requires SSO login via Xplan. The answer below pertains to the LivePreso platform more broadly.

LivePreso never displays user passwords. However, when used on a mobile device, that device’s operating system may briefly display password characters as they are typed. LivePreso never transmits passwords in plaintext. Passwords (and, in fact, all communications) are always encrypted. 

Passwords are combined with a random salt and processed using 4,096 iterations of the BCrypt key derivation function before storage. The plaintext password is never stored on the server.

Application security and logging

When developing the application(s) does the third party detect and remediate security vulnerabilities? If so, how is this conducted and how often does this run? Do you use secure coding standards such as OWASP Secure Coding Practices?

The LivePreso developer team uses the OWASP secure coding practices to evaluate application security and provide guidance when considering architecture decisions. The continuous integration suite includes both static analysis and dependency vulnerability checks. 

LivePreso deployments are a set of custom modules built on a common code-base. For this reason security audits, penetration testing, fuzzing etc. cannot be conducted until a development relationship formally begins.

Do you do static code analysis?

LivePreso performs static code analysis and dependency analysis on every code commit.

Do you have a standard of how fast you should fix identified security vulnerabilities, especially high risk ones?

Security vulnerabilities are taken seriously. After the report or discovery of a vulnerability, it is classified and corrected as soon as reasonably possible. 

Security vulnerabilities cover a spectrum from trivial to subtle and complex. For this reason, it is difficult to provide realistic timeframes to fix arbitrary vulnerabilities. Instead, LivePreso deals with high-risk vulnerabilities in a two stage mitigation / correction process. 

In the event of a serious vulnerability, a mitigating adjustment will be put in place within 2 business hours of acknowledgement of the issue. This may result in a partial degradation of the application. A complete fix can then be investigated carefully and thoroughly, as is appropriate for security issues.

Does the Application capture sufficient and accurate information such as user unique identification, IP, date and time of login, failed login attempts, security related configuration changes in security logs to assist in future investigations of hacking, fraud, access control monitoring and compliance?

All authentication attempts, whether successful or not, are logged by the application server. This log includes a timestamp, request IP address and user agent, and the username involved. Several additional types of log are kept, including those for the application and its asynchronous workers, access and error logs for the webserver, and a range of system logs such as syslog and auth.log. These logs are archived indefinitely on a central logging server. All developer interactions with the application’s maintenance console are also logged, and administrator actions against all database objects are stored in a history identifying the originating user.

What percentage of your production code is covered by automated tests?

Across all production-facing projects, LivePreso currently has 67% code coverage for automated testing, with measures in place to increase this over time. Systems responsible for storing sensitive data have 79% coverage.

Does your application provide customer administrators with direct access to verbose audit logs (API, export, viewer etc)?

A subset of auditable information is available through LivePreso APIs and reports.

Mobile application security

Does the application avoid storing sensitive information such as passwords, personal data and financial data locally in the mobile device?

The mobile client does not store user passwords. It does write presentation assets such as CSS and images onto the device storage for performance reasons; however, these are generally not sensitive. The mobile client also caches some API requests using the browser “local storage” capability. These caches can contain potentially sensitive data, such as financial figures from recent presentations given using the device, or customer contact details. This feature is required for the application to remain usable over an unreliable mobile internet connection. 

Can we enforce automatic logout of users after a defined period of inactivity?

Yes.

Does the application(s) use HTTP basic authentication? If yes, how is the password protected during transmission?

LivePreso does not use HTTP basic authentication in any capacity. Depending on configuration, users may log in using a username and password which is encrypted in transit.

Does the application(s) use token-based authentication? If yes, what is the lifespan of the token? Can we revoke the access token remotely when we need to (e.g. when the user changes the password or if they have lost the phone)?

LivePreso web and mobile client applications use token authentication. Tokens have a configurable default expiry, as well as an optional per-token expiry. The “remember me” feature works by requesting tokens with longer lifespans. User tokens can be deleted by application administrators.

Can we control user management functions ourselves?

User management derives from groupings defined by the Xplan SSO.

Hosting service

Are data centres outsourced to third parties?

Customer-facing LivePreso infrastructure is hosted using Amazon Web Services.

Where are data centres physically located?

LivePreso's Australian customers are assigned to data centres in AWS’s Sydney region.

What level of data centre redundancy is provided?

All LivePreso staging and production infrastructure is located across multiple availability sets and is therefore tolerant of power or networking disruption within a region.

Information security governance and management

Do you have an information security program? Does this include a regularly reviewed information security policy that is reasonably designed to provide protection of information and the hosting service?

LivePreso maintains information security policies which cover both application and infrastructure level concerns.

If your business partners/associates need to handle information or are part of the hosting service, are agreements in place that provide at least the same amount of risk mitigation as the agreement with you?

LivePreso evaluates security concerns rigorously when dealing with its own third parties, as well as seeking to keep the number of such third parties to a minimum. 

LivePreso uses Amazon Web Services for all production hosting and storage concerns. 

AWS security information can be found at https://aws.amazon.com/security/

LivePreso also optionally makes last-line-of-defence backups of all data and assets using Google Cloud Platform. Cloud Platform security information can be found at https://cloud.google.com/files/Google-CommonSecurity-WhitePaper-v1.4.pdf  

LivePreso does not currently store any information with any other third parties.

Are employees and contractors required to acknowledge and accept policies?

Yes.

Are employees and contractors required to sign confidentiality agreements?

Yes. However, contractors are generally not granted access to information to which confidentiality agreements could apply.

Are criminal records and/or background checks undertaken during recruitment and/or employment processes?

LivePreso requires that recruitment agencies provide background checks for any candidates being considered.

Are all personnel required to sign an Acceptable Use policy?

LivePreso does not have a specific Acceptable Use Policy, but all rules that govern use of the network and systems are covered in the employee contract.

Are documented procedures followed to govern change in employment and/or termination including for timely revocation of access and return of assets?

LivePreso has documented procedures to govern change in employment and/or termination. These procedures are actioned immediately.

Access control and data transmission

Is information transmitted in an encrypted (with at least AES-128 encryption or equivalent strength) format from endpoint-to-endpoint and only to authenticated and authorised individuals?

LivePreso uses end-to-end HTTPS for all communications. The exact encryption strength depends on the ciphersuite negotiated between server and client. Our client applications rely on their host browser for this negotiation. All modern browsers will use TLS 1.2 with elliptic curve key exchange, RSA authentication, AES-128 encryption and SHA-256 hashing.

Other than the authentication attempt itself, LivePreso web and mobile client applications require authentication for all requests.

Qualys SSL Labs’ SSL Report awards an A+ grade to LivePreso’s SSL configuration.

Is information encrypted at rest (storage)?

LivePreso's data classification policy requires that data be encrypted at rest, using either AES-256 or better (symmetric) or RSA-4096 or better (asymmetric). Where symmetric encryption is used, approval must be sought if the AES-256 key is controlled by a third party (e.g. a "cloud" service).

Do you have effective controls to restrict access to information from other customers (e.g. there are dedicated servers to segregate data from other customer data)? If yes, please specify these controls.

LivePreso generates separate database and administration credentials for each deployment, meaning each is logically isolated. Additionally, all LivePreso application and database servers exist within mutually unroutable private subnets isolated into their own ‘virtual private clouds’, such that data is thoroughly isolated.

How do operational personnel authenticate to production networks?

A minimal, reviewed and historically logged set of users is allowed access to production machines. Access is via interactive shell over the SSH2 protocol. The only authentication method allowed is key-based, and employees are required to use passphrased keys.

Is the provisioning process of system access and privileges (addition, modification and removal) approved by responsible and authorised persons in a timely and auditable manner?

System access is controlled by a central machine-configuration service, whose configuration directives are stored in a version control system. This VCS history, in addition to logs kept by the configuration service, maintains a full history of all server account creations, updates and deletions. 

Only authorised employees are able to push changes to the configuration service, and any such changes are reviewed by those employees.

Are system access and privileges reviewed at least half yearly for appropriateness?

System accounts are reviewed whenever an account configuration change is deployed, in addition to quarterly reviews.

Application accounts with access to administrative areas are reviewed on a schedule agreed upon with our customer, as this typically depends on customer security policies, the volume and turnover of accounts with such access, and the sensitivity of data those accounts can access.

Do you use separate physical and logical development, test and production environments and databases?

Production, staging, testing and development environments are all completely isolated. They do not share any resources, including database servers, application servers, and storage areas. They use separate credentials for access to all services. The production and staging environments are additionally separated into their own ‘virtual private clouds’.

Do you have capabilities to anonymise data?

LivePreso is able to anonymise data at user request in accordance with the GDPR.

How is this data used within the organisation?

After anonymisation, non-identifying data continues to be used for reporting and other purposes.

Do you support secure deletion (e.g. degaussing/cryptographic wiping) of archived or backed-up data?

LivePreso has a secure destruction policy for print and digital media.

Network and operation security

Do you have the following Network security controls:

  • Networks are segregated based on assessed risks into different logical network zones with suitable security gateway arrangements

  • Demilitarised zones for Internet or public facing systems

  • Separate Internet facing applications from backend databases. If yes, how? Are they separated physically or logically?

  • Internet facing applications are protected by web application firewall

Each deployment is separated into its own ‘virtual private cloud’. Within this, database and application servers sit in private subnets, unroutable from the public internet. The application servers can only be accessed on ports 80 and 443 via an Elastic Load Balancer, and on port 22 via two “Bastion Hosts” deployed in routable subnets. The database server is completely inaccessible from the outside world. Shared infrastructure such as our machine configuration server, package repository, and logging server are only accessible with a whitelisted set of IP addresses.

Do you ensure that remote access is only possible over secure connections?

All application communication is encrypted. Any attempts to communicate over HTTP are met with redirects to HTTPS addresses. In addition, Strict Transport Security headers are delivered. All remote system access is over public-key authenticated SSH. All public keys are required to be passphrase protected, and SSH password and “challenge” authentication is disabled on all machines.

Do you obfuscate internal IP addresses to the internet and public facing networks?

The LivePreso platform is a managed service which communicates via the internet. It has no access to internal networks, and should any application clients be used on internal networks, only the public-facing IP address would be subject to logging.

Do you have a procedure to keep track of announcements of vulnerability patches for your networking devices?

Networking devices are centrally managed and updates are applied automatically.

Do you ensure default passwords are changed on networking devices?

Yes.

Do you review audit logs at least daily for possible intrusion attempts and indications of compromise?

Suspicious log entries are automatically raised as possible security issues.

Do you regularly back up information? If yes, how often is the backup taken and how long does the restoration process take?

LivePreso has two primary data sources: a database, and a collection of static assets.

Within the Amazon Web Services ecosystem, the database has automatic failover and 30 days of transaction logs allowing restoration to any five-minute point in that period. 

Static assets are stored using a versioning feature of the storage container, making accidental or unauthorised deletions revocable. The container itself offers extremely high reliability. 

Additionally, LivePreso optionally makes last-line-of-defence backups of critical data whenever deployments occur, which are stored externally to AWS. 

The majority of our failure recovery scenarios see full functionality and data restored within hours. More extreme scenarios restore full functionality within hours, but may require longer to fully recover all data.

Is information encrypted in backup media? Are all backup media storage devices stored securely and securely destroyed to an unrecoverable state when no longer required?

All backups are asymmetrically encrypted using a passphrased key whose decrypting half is never present on the backup system. Backup media are subject to the thorough Google Compute Cloud information security policies. See section “Hardware tracking and disposal” at https://cloud.google.com/docs/security/overview/whitepaper

Do all systems managing or supporting the hosting service adhere to industry system hardening standards?

LivePreso security and hardening processes are based on a range of sources and collectively decades of experience with BSD and Linux systems. The NSA's Guide to the Secure Configuration of Red Hat Enterprise Linux 5 is a particular influence. 

Amazon Web Services provides a comprehensive description of their security policies and compliance with various standards at https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/

Do you have an enterprise patch management program to make sure that patches are regularly applied on Third Party systems? If yes, what is the time window for critical patches?

All LivePreso systems automatically apply security patches as soon as they are available. Systems check for patches every half hour. Non-security updates are never automatically applied: packages are pinned, and updates are promoted through the machine configuration system.

What tools do you use for vulnerability management?

LivePreso uses AWS Systems Manager, automated container scanning and automated dependency scanning.

Do you have a disaster recovery program? If yes, please specify recovery time objective (RTO) and recovery point objective (RPO) for related applications/infrastructure.

LivePreso has procedures and objectives for a range of recovery and disaster scenarios. In the event of a complete failure of production and first-line backup and redundancy systems, the secondary backup schedule is designed for a recovery point objective 48 hours prior to disaster, and the recovery time objective is within 24 hours.

When was your disaster recovery process last tested?

An unannounced recovery exercise was last conducted in March 2023.

Have data restorations been successfully tested?

Data restorations are successfully tested in trial runs at least once a month and have been proven in real-world situations.

Do you provide high availability of the services? If yes, what is the service-level agreement (SLA)?

LivePreso systems have been designed with high availability in mind at all stages. The service level agreement is based on an uptime of 99.95%.

Do you have an enterprise Incident Response Plan to make sure that business impacts are minimised and all affected business processes are quickly resumed?

LivePreso has a two-hour objective to address and mitigate critical security issues. Informing of any identified issue is part of this process. Issues with lower severities have correspondingly greater response times.

Do you have a written business continuity plan for the systems supporting your key services?

LivePreso has a business continuity plan to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

Do you have an enterprise Change Management policy and process so that only tested and approved versions of hardware and software can be promoted into the production environment?

All production hardware configuration and software must pass through, at minimum, a fixed period in a staging environment. In addition, software is regularly tested both by developers and by a continuous integration system on a per-commit basis. Only approved employees have the authorisation to promote changes into staging and production environments.

Physical security

Are areas that contain data or support the hosting service physically protected through the establishment of the following security controls?

Is physical access to rooms or cages that host information or the provided hosting service restricted to Third Party’s designated personnel only?

Are servers located inside a locked rack? Are the rack access doors and panels kept closed and locked when personnel are not actively working inside the rack?

No entries or openings on the rack will be large enough to allow a media device or cable connection to be passed through and attached to the hardware stored in the rack

Does the Third Party hosting facility have monitored environmental controls such as CCTV, fire protection, power protection and HVAC (Heat, Ventilation and Air-conditioning) systems that meet Tier 3 specifications of the Uptime Institute?

LivePreso uses Amazon Web Services for all production hosting and storage concerns. 

LivePreso also makes last-line-of-defence backups of all data and assets using Google Cloud Platform. Cloud Platform security information can be found in the section “Hardware tracking and disposal” at https://cloud.google.com/docs/security/overview/whitepaper

Organisation of information security

Does your organisation have a management framework for controlling the implementation of information security across the organisation?

A trustworthy record of information security is critical to the success of LivePreso as a business; information security decisions are reviewed by technical leads, and the design of our software and systems is regularly improved as a consequence. Security learnings are shared with teams through development review and retrospective processes, and management decisions always take into account information security considerations.

Does your organisation implement a mechanism to ensure: 

  • management commitment to information security 

  • regular review & approval of security policy 

  • adequate resources for information security 

  • information security roles and responsibilities are assigned 

  • that the implementation of security controls is coordinated across the organisation

LivePreso has adequate staff with direct security and information security responsibilities. Policies and responsibilities are reviewed biannually. LivePreso could not succeed without the trust of customers, and so the business takes information security seriously at all levels.

Is your organisation’s information security control environment (policy, standards, control objectives, processes and procedures) reviewed at regular intervals?

The LivePreso information security environment and objectives are reviewed biannually.

Communications and operations security

Do you have a formal, documented production change control process?

LivePreso follows a formal procedure for all production-facing changes. A limited and reviewed set of employees can make these changes, the history of all such changes is logged and recorded, and all changes must first succeed in a staging environment which is a mirror of the production environment.

What types of security infrastructure do you use?

A combination of isolation, application, operating system and network-level security mechanisms is used to ensure the security of the LivePreso platform.

How are network devices monitored, logged and alerted?

LivePreso uses a variety of logging and alerting mechanisms; all network devices log to a central logging server for later analysis. Additionally, machine-level metrics are reported and alarmed, and application- and OS-level metrics and events are reported through the services Sentry and NewRelic.

Are regular network penetration and/or vulnerability scans performed?

Security scans and penetration testing are typically commissioned on a per-instance basis.

LivePreso customers that have performed penetration tests have commented on both the low number of issues identified and the proactive response in fixing those that are identified.

How are production networks segregated from other networks?

Each LivePreso customer is isolated in its own privately-addressed “Virtual Private Cloud” or “VNet”, with its own application and database servers. Production networks are therefore separated from other LivePreso networks and from one another. 

Some data are temporarily stored in caching, queue synchronisation and other infrastructure servers shared between LivePreso customers; however, these are also isolated from other networks. Data are never stored long-term on these machines.

How is system access logged, monitored and alerted?

Employee access to production machines is strictly controlled. Access by these developers is monitored and logged; all authentication attempts, whether successful or not, are relayed to central logging for analysis. Further, systems are in place to automatically block repeatedly failed login attempts. 

At an application level, auth attempts and any modifications to production data are permanently logged.

What anti-malware protection is deployed onto hosts?

LivePreso does not run Windows servers. Employee systems must comply with security policy, for example by the installation of antivirus software. Because employees use a variety of Windows, Mac and Linux desktops, as well as a variety of mobile devices, a corresponding variety of software products is used.

How often are anti-malware definitions updated?

The update frequency of definition databases depends on the software in question; however, automatic updates are always configured.

Describe system patching processes, including testing, deployment and frequency.

Critical security patches are automatically applied to all systems every 24 hours. Non-critical patches are released through staging and production as part of the formal deployment process.

Are standard hardened system build images used?

Automated machine configuration software is used to apply security policy to all production machines. This includes automated detection and blocking of invalid login attempts, rigorous configuration of the cryptography behind login sessions, and a minimal set of installed packages, in addition to general hardening steps. Additionally, sensitive machines are configured behind bastion hosts and load balancers which expose a bare minimum attack surface to the public internet.

What hardening processes or standards are these based on?

LivePreso security and hardening processes are based on a range of sources and collectively decades of experience with BSD and Linux systems. The NSA's Guide to the Secure Configuration of Red Hat Enterprise Linux 5 is a particular influence.

How is data securely transferred between client systems and the service?

This depends on the types of integration used and the capabilities of the services involved; however, at a minimum, LivePreso conducts all data transfer over encrypted connections, and can further require certificate verification, request signing, asymmetric payload encryption, etc.

What systems do you have in place that mitigate classes of web application vulnerabilities? (e.g.: WAF, proxies, etc)

LivePreso utilises tools to mitigate a variety of web application vulnerabilities, including SQL injection and cross-site scripting.

How are cryptographic keys (key management system, etc) managed within your system?

LivePreso uses a tiered approach to cryptographic material with a dedicated KMS used wherever possible and keys stored in tight isolation otherwise.
