Security and Privacy
LifeLabs Learning has a commitment to data privacy and security; best practices are standard in every part of our business. On this page, you’ll find high-level enumeration of several frameworks, regulations, and certifications that apply to our company and its products.
For questions, comments, or additional documentation, please contact dataprivacy@lifelabslearning.com.
| Domain | Explanation | Documentation |
| Cyber Insurance | Is there an insurance policy that protects against cyber attacks and data breaches? | dataprivacy@lifelabslearning.com |
| DPA | Data Processing Agreement Per GDPR Article 28 | https://home.lifelabslearning.com/data-processing-agreement |
| MSA | Master Services Agreement/Client Contract | dataprivacy@lifelabslearning.com |
| Privacy Policy | How do you protect your customer's privacy and manage data collection and security? | https://lifelabslearning.com/privacy-policy/ |
| Service-Level Agreement | Uptime and support metrics | Not applicable at this time. |
| Website Cookies | Data collected through HTTP cookies to help track, personalize, and save information about user sessions. | Opt-out included as a banner. |
Legal
| Domain | Description | Documentation |
| Data Access | What type of company data will you need to access? | We collect financial information for billing purposes as well as attendance from Zoom workshops (optional with easy opt-out) |
| RTO (Recovery Time Objective) | What is your recovery time objective in case of critical failure? (e.g., your DB is deleted) | Recover RPO data in 4 hour or less |
| RPO (Recovery Point Objective) | What is your recovery point objective in case of critical failure? (e.g., your DB is deleted) | Start of current day |
| Critical Dependence | Will your product be a system that your enterprise customer critically depends on? | No |
| Third-Party Dependence | Are you also using other third-party services to manage or support your customers? | 3rd party vendors include but are not limited to: Hubspot (CRM), Squarespace (website), PandaDoc (contracts), Google Workspace (email and productivity suite) |
| Hosting | Are you hosted only on one of the major cloud providers or do you have any on-premise systems? | No on-premise systems. Cloud-held data resides in AWS. |
Risk Profile
| Domain | Description | Documentation |
| Access Monitoring | Who can access your internal systems? | We use Google Workspace's internal security (see security) |
| Backups Enabled | Where and how and how often are your systems backed up? | AWS native functionality to backup systems and data which is enabled by default. |
| Data Erasure | How do you certify if data is erased/destroyed? | LifeLabs will send a certificate of destruction per request. |
| Encryption-at-rest | Encrypted while held in a local database | Sent through Google Workspace (see encryption for data at rest) |
| Encryption-in-transit | Encrypted while in transit from one data center to another (EDI) | Sent through Google Workspace (see encryption for data in transit) |
| Physical Security | How are you protecting your data center? | Hosted in AWS which maintains robust and industry-standard physical security of their data centers. |
Data Security
| Domain | Description | Documentation |
| Disk Encryption | Are local computer hard disks encrypted? | Internally, we enforce native OS full disk encryption on user endpoints for OSX and Linux. LifeLabs Learning does not use Windows devices. |
| DNS Filtering | Do local computers monitor DNS? | Google Workspace managed Chrome browser monitors DNS traffic for malicious or anomalous activity. |
| Endpoint Detection & Response | Do local computers have onboard EDR? | Managed endpoint detection and response to defend and detect threats across user devices and AWS workloads. |
| Mobile Device Management | Are devices managed through a central system that includes the ability to remote-wipe and locate lost devices? | Management of Apple OSX devices through Mosyle |
| Threat Detection | See Endpoint Detection & Response | See Endpoint Detection & Response |
Endpoint Security
| Domain | Description | Documentation |
| Data Accesss | How is data access controlled across the network and server environment? | Data access is controlled through policy and Google Workspace DLP configuration |
| Logging | How are logs collected, ingested, analyzed, and stored? | Logs are maintained indefinitely |
| Password Security | How secure are passwords and is the policy enforced? | SAMLv2 SSO, Oauth2 and username and password are all supported. All authentication is managed through Google Workspace (IDP). Passwords have the following password complexity requirements: At least 8 characters in length Contain at least 3 of the following 4 types of characters: -lower case letters (a-z) -upper case letters (A-Z) -numbers (i.e. 0-9) -special characters (e.g. !@#$%^&*) |
Access Control
| Domain | Description | Documentation |
| Asset Management Practices | How do you keep track of assets? | Assets are managed through physical inventory and Mosyle, our MDM. |
| Email Protection | What protections do you have against phishing and email hijacking? | SPF/DKIM/DEMARC |
| Employee Training | How are employees kept trained and up to date about cyber security? | LifeLabs Learning utilizes KnowBe4 for Security training. |
| HR Security | How is employee information kept safe? | LifeLabs Learning utilizes Sequoia for our PEO and PrismHR for our benefits platform. |
| Incident Response | Communication internally and externally when a data breach or incident occurs | LifeLabs Learning has an internal process for incident response. |
| Internal Assessments | Audits | Audits are performed with compliance to ISO 27001 (certification pending) |
| Penetration testing | Network and server penetration testing | Not applicable |
| SOC | Proactive security and monitoring | Google Workspace - Cloud Storage and Infrastructure Security |
| IDP | Who is your identity provider and do you use MFA? | Google Workspace, MFA deployed |