LoadImpact's security policy
Last updated January 16, 2020.
LoadImpact considers protection of Personal Data and Customer Data a top priority. As further described in this LoadImpact Information Security Policy, LoadImpact uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration or disclosure of Personal Data and Customer Data stored on systems under LoadImpact’s control.
LoadImpact limits its personnel’s access to Personal Data and Customer Data as follows:
2.1 Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for cloud infrastructure administrator access and individually-assigned Secure Socket Shell (SSH) keys for external engineer access;
2.2 Limits the Personal Data and Customer Data available to LoadImpact personnel on a “need to know” basis;
2.3 Restricts access to LoadImpact’s production environment by LoadImpact personnel on the basis of business need;
2.4 Encrypts user security credentials for production access; and
2.5 Prohibits LoadImpact personnel from storing Personal Data and Customer Data on electronic portable storage devices such as computer laptops, portable drives and other similar devices.
2.6 LoadImpact logically separates each of its customers’ data and maintains measures designed to prevent Personal Data and Customer Data from being exposed to or accessed by other customers.
provides industry-standard encryption for Personal Data and Customer Data as follows:
3.1 Implements encryption in transport.
4.1 LoadImpact uses firewalls, network access controls and other techniques designed to prevent unauthorized access to systems processing Personal Data and Customer Data.
4.2 LoadImpact maintains measures designed to assess, test and apply security patches to all relevant systems and applications used to provide the Services.
4.3 The Services operate on Amazon Web Services (“AWS”) and are protected by the security and environmental controls of Amazon. Detailed information about AWS security is available at https://aws.amazon.com/security/ and http://aws.amazon.com/security/sharing-the-security-responsibility/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/.
LoadImpact becomes aware of unauthorized access or disclosure of Personal Data or Customer Data under its control (a “Breach”), LoadImpact will:
5.1 Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure.
5.2 Upon confirmation of the Breach, notify Customer in writing of the Breach without undue delay. Notwithstanding the foregoing, LoadImpact is not required to make such notice to the extent prohibited by Laws, and LoadImpact may delay such notice as requested by law enforcement and/or in light of LoadImpact’s legitimate needs to investigate or remediate the matter before providing notice.
5.3 Each notice of a Breach will include:
5.3.1 The extent to which Personal Data or Customer Data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Breach;
5.3.2 A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
5.3.3 The scope of the Breach, to the extent known; and
5.3.4 A description of LoadImpact’s response to the Breach, including steps LoadImpact has taken to mitigate the harm caused by the Breach.
6.1 LoadImpact maintains an appropriate business continuity and disaster recovery plan.
6.2 LoadImpact maintains processes to ensure failover redundancy with its systems, networks and data storage.
7.1 LoadImpact provides training for its personnel who are involved in the processing of the Personal Data and Customer Data to ensure they do not collect, process or use Personal Data or Customer Data without authorization and that they keep Personal Data and Customer Data confidential, including following the termination of any role involving the Personal Data or Customer Data.
7.2 Upon employee termination, whether voluntary or involuntary, LoadImpact immediately disables all access to LoadImpact systems, including LoadImpact’s physical facilities.