Lucid Software Security Program
Updated: February, 2020
1. GENERAL PROVISIONS
1.1. Information Security Program. Lucid maintains and implements its Information Security Program which establishes proper policies, procedures, and standards to protect the confidentiality, integrity and availability of all information and data, whether in electronic or tangible form. The Information Security Program protects against anticipated or actual threats or hazards, including Security Breaches. The Information Security Program contains administrative, physical, technical, and organizational safeguards in accordance with industry best practices having regard to the state of the art, the costs of implementation, the likelihood of an incident, and the perceived security risk. Lucid implements and enforces disciplinary measures against employees and contractors for failure to abide by its Information Security Program. “Security Breach” means a breach of security leading to any accidental, unlawful, or unauthorized access, use, disclosure, alteration, destruction, or loss of Customer Data.
1.2. Secure Disposal. Lucid securely disposes of Customer Data in accordance with applicable law, taking into account currently available technology so that Customer Data cannot be reasonably read or reconstructed. “Customer Data” means the data, information, images, and other content that is uploaded to, imported into or created in the Subscription Service by the Users. Customer Data does not include statistical data generated by or related to the provision, operation or use of the Subscription Service, including measurement and usage statistics, configurations, survey responses, and performance results.
1.3. Personnel Training. Lucid provides annual security awareness and privacy and confidentiality training to all personnel who process or may have access to Customer Data. These trainings educate personnel about the importance of information security and the laws and contractual obligations that govern personal information and Customer Data, and instruct them on how to safeguard such data against data loss, misuse, or security breaches through physical, logical, and social engineering mechanisms.
1.4. User Access Management. Lucid implements access control policies to support creation, amendment, and deletion of user accounts for systems or applications storing or allowing access to Customer Data. Lucid’s user account and access provisioning process assigns and revokes access rights to systems and applications. Personnel account privileges are allocated on a “least privilege” basis. Personnel access to environments and Customer Data is restricted and segregated based on job responsibilities. Personnel access to systems and applications with access to Customer Data is reviewed on at least a quarterly basis.
1.5. Passwords and Multi-factor Authentication. Industry standard password security is implemented for all Lucid employee accounts. Policies include minimum length, complexity, restrictions on password reuse, number of password resets in a given timeframe, and frequency in which passwords must be changed. Lucid has implemented and maintains a multi-factor authentication method required for access to applications and systems containing Customer Data.
1.6. Employee Termination. Lucid maintains an employee termination process that specifies timeframes for termination of logical and physical access, including procedures for Lucid to collect any devices or equipment containing Customer Data from the terminating employee, at the time of termination.
1.7. Secure User Authentication. Lucid ensures proper user authentication for all of its employees and contractors with access to Customer Data, including by assigning each employee and contractor unique access credentials for access to any system on which Customer Data can be accessed and prohibiting employees and contractors from sharing their access credentials. Lucid ensures that all persons having access to Lucid’s systems and Customer Data have appropriately controlled and limited access, access is removed when no longer required or appropriate, and all persons who should not have access (e.g. terminated employees) cannot obtain access.
1.8. Separation of Duties. Lucid maintains separation of duties to prevent end-to-end control of a process by one individual.
1.9. Data Storage. Unless otherwise agreed to in an order, Lucid stores Customer Data in the United States.
2. APPLICATION SECURITY
2.1. Change Control. Lucid maintains policies and procedures for managing changes and updates to production systems, applications, and databases, including processes for documenting security patching, authentication, and the testing and approval of changes into production.
2.2. Secure Communications. Lucid employs industry standard communication security measures to protect data from unauthorized access. Service security measures include server authentication and data encryption. The data processing environment is protected using one or more firewalls that are updated according to industry standards.
2.3. Key Management. Lucid implements key management procedures that include the secure generation, distribution, activation, storage, recovery, and replacement/update of cryptographic keys. Keys are rotated on a regular basis and lost, corrupted, or expired keys are revoked or disabled immediately.
2.4. Logging and Monitoring. Lucid generates administrator and event logs for systems and applications that store, allow access to, or process Customer Data. Logs are archived for a minimum of 180 days. Logs for all applications, systems, or infrastructure that supports, processes, or stores confidential or higher data are archived for at least one year. Logs capture key security event types. Access to modify system logs is restricted. In the event of a confirmed Security Breach, appropriate logs may be shared with Customer upon reasonable request. Lucid reviews system logs regularly to identify system failures, faults, or potential security incidents affecting Customer Data.
2.5. Anti-Virus/Anti-Malware. Lucid implements appropriate anti-virus/anti-malware detection software across all information systems processing Customer Data in its organization that are determined to be at risk, and where an acceptable solution is available, in accordance with NIST SP 800-83 Rev. 1. Lucid maintains anti-virus/anti-malware software to ensure it is up-to-date with the most recent virus and malware signatures and definitions. On systems where anti-virus/anti-malware is not implemented, appropriate system hardening procedures are applied to minimize exposure.
2.6. Intrusion Detection. Lucid implements and maintains an intrusion detection monitoring process at the network and/or host level to detect unwanted or hostile network traffic. Lucid updates its intrusion detection software on a scheduled basis as updates are made available by the software provider. Lucid implements measures to ensure that Lucid is alerted when the system detects unusual or malicious activity.
2.7. Data Segmentation. To prevent unauthorized access to Customer Data, Lucid implements technical controls to ensure that Customer Data is properly segmented from data belonging to Lucid’s other customers.
2.8. Secure Coding Practices. Secure software engineering and coding practices are established, documented, and integrated in an official Software Development Life Cycle (SDLC). Developers attend secure development training periodically. All new code is peer-reviewed and undergoes full quality assurance and regression testing prior to being introduced into production. Lucid logically or physically separates environments for development, testing, and production. Customer Data is not used in development or testing environments without explicit written consent.
2.9. System Hardening. Lucid maintains system hardening procedures and baseline configurations for systems that store or process Customer Data. Hardening procedures, at a minimum, remove all unnecessary services and applications and any default users and passwords.
2.10. End User Passwords. Lucid only stores hashed passwords, utilizing a salting mechanism. Lucid provides account administrators the ability to set password security requirements, which include password complexity requirements, the number of failed attempts before account lockout, lockout duration, password reset frequency, and password reuse. Passwords are never presented in clear text and password reset emails do not send credentials.
3. PHYSICAL SECURITY
3.1. Facilities. At facilities that Lucid controls, Lucid maintains appropriate physical security measures to ensure the safety and protection of employees, company assets, and Customer Data. Lucid will continually monitor any changes to the physical infrastructure and known threats.
4. DATA SECURITY
4.1. Encryption. Lucid encrypts Customer Data while at rest, when writing to removable devices, and while in transit. Lucid utilizes industry standard platform and data-appropriate encryption in non-deprecated, open/validated formats, and standard algorithms.
4.2. Vulnerability &amp; Patch Management. Lucid maintains a vulnerability management process to identify, report, and remediate vulnerabilities by performing vulnerability scans, implementing vendor patches or fixes, and developing a remediation plan for critical vulnerabilities. Lucid applies security patches on a regular basis to servers, firewalls, and systems used to access or process Customer Data.
4.3. Data Segregation. Lucid logically segregates Customer Data from all other Lucid and third-party data.
4.4. Incident Response Plan. Lucid maintains an incident response plan to promptly review, address, and mitigate any Security Breaches of which Lucid becomes aware from an independent third party, Customer, or through Lucid’s own discovery. The incident response plan includes clearly defined roles and responsibilities and a reporting mechanism for suspected vulnerabilities and events affecting the security of Customer Data.
4.5. Data Transfers and Downloads. Lucid uses commercially reasonable efforts to prevent Customer Data from being taken from Lucid’s premises, copied, or downloaded unless approved by Customer. Customer Data is not replicated to non-production environments without explicit written consent.
4.6. Storage Media. Lucid has implemented industry standard disk-level encryption on all machines that store or otherwise process Customer Data. Lucid will ensure that any storage media within its control (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Customer Data will be securely erased or destroyed before repurposing or disposal.
5.1. Vendor Assessments. Prior to engaging new third-party service providers and vendors that will have access to Customer Data, Lucid conducts a risk assessment of the data security practices of each third party. Lucid also conducts periodic reviews of each third party to ensure their data security practices continue to meet the necessary requirements to protect Customer Data. Lucid bears sole responsibility for its subcontractors.
6. TESTING AND AUDITS
6.1. Penetration Tests. At least once every year, Lucid undertakes an application penetration test by an independent third-party. Lucid remediates all critical and high vulnerabilities identified in the penetration test within 30 days of the date of identification. All other findings are remediated in a timeframe that is commensurate with the identified risks.
6.2. Compliance and Certifications. Lucid engages in security audits on an annual basis and Lucid’s security practices align with the principles of ISO 27001.
6.3. Vulnerability Scanning. Lucid performs regular vulnerability scanning against services and key infrastructure utilizing industry standard tools or well-known external suppliers. Internal scans are performed at least monthly. External scans are performed at least quarterly, utilizing a Payment Card Industry Security Standards Council Approved Scanning Vendor.
7. DISASTER RECOVERY & BUSINESS CONTINUITY
7.1. Risk Assessment. Lucid maintains a risk assessment program to help identify foreseeable internal and external risks to Lucid’s information resources and determine if existing controls, policies, and procedures are adequate.
7.2. Backups. Lucid backs up its production databases according to a defined schedule and stores backups offsite.
7.3. Disaster Recovery Plan. Lucid maintains a disaster recovery plan that is consistent with industry standards. Regular testing of the disaster recovery plan is conducted to ensure its continued effectiveness.
7.4. Business Continuity Plan. Lucid maintains a business continuity plan to manage and minimize the effects of unplanned disruptive events (cyber, physical, or natural). This plan includes procedures to be followed in the event of an actual or potential business interruption and has a stated goal of resumption of routine services within 48 hours of such an event.