Labster Security

Last Updated: June 2024

Labster Data Security Statement

At Labster, the security of our network, data, and infrastructure is of utmost importance. We have implemented various measures to safeguard against unauthorized access, protect personal data, and ensure the integrity of our systems. Our commitment to cybersecurity and data protection is demonstrated through relevant compliance frameworks and ongoing security testing.

Labster Security Principles

  • Labster commits to protect the Confidentiality-Integrity-Availability (C-I-A) of our information assets. We continue to improve and adapt to changes in technology, security standards, and the evolving regulatory landscape.
  • Labster sets the tone at the top regarding information security and compliance. All team members are responsible for these aspects within their roles.

Compliance

Labster obtained its SOC 2 Type 2 attestation report in May 2024. SOC 2 attestation demonstrates our commitment to cybersecurity and data protection. Ongoing security testing and compliance audits are part of our efforts to maintain and build trust with clients and partners regarding our security posture.

Labster hosts data in five (5) regions globally (US, DE, UK, CA, AU), which allows us to meet customer data residency requirements. We also have data privacy processes in place that align with the GDPR and US data privacy laws.

Certification

Labster has obtained relevant compliance certification:

  • Level 2 certification from the Texas Risk and Authorization Management Program (TX-RAMP).
  • Labster is listed as a certified vendor in the Texas Department of Information Resources (TX-DIR) online portal.

Data Security Framework Adoption

Labster continues to implement policies, processes, and procedures to align with the following security frameworks: 

  • System and Organization Controls 2 (SOC 2, Type 2 report)
  • General Data Protection Regulation (GDPR)
  • Information security management systems (ISO/IEC 27001)
  • National Institute of Standards and Technology (NIST SP 800-171)

Network Security

We take network security seriously and have implemented the following measures:

  • Multi-Factor Authentication (MFA) to prevent unauthorized access.
  • Firewalls, operations performance and security monitoring, and other security solutions to protect against potential threats.
  • Security testing is conducted on a regular basis to assess the effectiveness of our network security controls.

Data Protection

To protect sensitive data, we employ the following practices:

  • Access and permissions audits are performed on a regular basis.
  • Daily data backups are performed; backup frequency and retention are set to meet predefined Recovery Point Objective (RPO) and Recovery Time Objective (RTO) requirements.
  • Data de-identification and deletion are handled securely to prevent data leakage and unauthorized recovery.

Encryption 

Data submitted to Labster is encrypted in transit using Transport Layer Security (TLS) and encrypted at rest using AES-256, protecting the confidentiality of sensitive information.

Labster’s infrastructure is continually monitored for security vulnerabilities, and updates are applied automatically to maintain a secure environment.

Physical Security (Data Center)

Labster hosts customer data in its cloud provider's data centers, which are ISO/IEC 27001 certified. Physical security of those facilities, including 24/7 on-site security staff and camera surveillance, is managed by the cloud provider.

Infrastructure Security

Our infrastructure, including servers, databases, and cloud services, is secured through:

  • Continuous monitoring and logging to detect and respond to security threats.
  • Regular vulnerability assessments to identify weaknesses in our infrastructure.
  • Vendor assessments and contractual agreements to ensure the security of cloud-based infrastructure and services.

Employee Awareness and Training

We prioritize employee awareness and training to strengthen our security posture:

  • Employees receive cybersecurity education, including best practices and recognizing potential threats.
  • Regular communication of security updates and reminders through various internal communication channels.
  • Security policies and procedures are regularly communicated, updated, and readily accessible.
  • A training program is in place to raise awareness about social engineering and phishing attacks.
  • Security awareness training is conducted during onboarding and at least annually.

Privacy Policy

Labster has a comprehensive Privacy Policy that outlines how we handle prospective and current customer, vendor, and employee data: https://www.labster.com/privacy-policy/.

Accessibility

We are committed to accessibility and have an Accessibility Conformance Report (VPAT 2022). The report and additional information about our accessibility efforts are available: https://www.labster.com/accessibility/.

Policies

Labster has the following Policies in effect:

  • Information Security Policy
  • IT Hardware Policy
  • IT Acceptable Use Policy
  • Password Protection Policy
  • Information Classification Policy
  • Incident Response Standard
  • Incident Response Overview
  • Security Awareness and Training Policy
  • Information Storage and Retention Policy
  • Major Incident Management Procedure
  • Human Resources Information Security Policy
  • Change Management Policy
  • Remote Access Management Policy
  • Risk Management Policy
  • Third Party Security Management Policy
  • Third Party/Vendor Security Management Policy
  • Physical Security Policy
  • Log Management and Monitoring Policy
  • Identification and Authentication Policy
  • Physical and Fire Safety Policy
  • Acceptable Encryption Policy
  • Labster Asset Management Policy
  • Labster Backup and Recovery Policy
  • Labster Access Control Policy
  • Emergency Evacuation Plan Policy
  • Software Development Security Policy
  • Labster Wireless Security Management Policy

Security Roadmap 

Labster continually strives to improve and align our security posture with ISO/IEC 27001, NIST SP 800-171 and the GDPR. Ongoing security testing and compliance audits are part of our efforts to maintain and build trust with customers, partners and prospects.

Data Subject Request: Your Rights

You have the right to obtain, free of charge, information about the Personal Data we process and store about you, including its origin, its recipients, and the purpose of the processing, as well as the right to have such Personal Data corrected, restricted, or deleted. You also have the right to restrict processing and to object to processing.

To exercise these rights, please contact us at privacy@labster.com, or submit a data access or deletion request directly via our online form here.

Bug Bounty Program

Labster does not offer a bug bounty or similar rewards program.

Vulnerability Disclosure Program

Labster encourages customers, users, vendors, and security researchers who find vulnerabilities in or on Labster’s information assets, and who wish to report them in good faith, to contact Labster’s Security team at security@labster.com. Security researchers must not publicly disclose vulnerabilities without the prior written consent of Labster’s Security team. If you are unsure whether planned activity is consistent with, or addressed by, Labster’s policies, contact Labster’s Security team for clarification before proceeding.

Report a Security Incident or System Outage

Labster requests that any customer, security researcher, or other individual who finds a flaw, system outage, or vulnerability in our platform report them in a responsible and ethical manner to security@labster.com or our Live Support at help.labster.com.

Additional Information

For any additional questions or concerns regarding Labster’s data security, please reach out to us at security@labster.com.

Review/Update Frequency

This statement will be reviewed at least annually, or when there are significant security roadmap or framework changes.