L10 Security
We’re committed to being transparent about our security practices and helping you understand our approach.
Our mission is to reimagine employee experience with hybrid intelligence so that teams can be more transparent, engaged, productive and successful. We believe that we need to make your data secure, and that protecting it is one of our most important responsibilities.
1. Encryption
L10 Services are hosted on Amazon Web Services (AWS), a leading cloud service provider, with our secure data centres located in Singapore and the United Kingdom.
Inherit the most comprehensive compliance controls with AWS, which supports 143 security standards and compliance certifications, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171, helping customers satisfy compliance requirements around the globe. See here for more details.
Data In Transit
All data transmitted between L10 clients and the L10 service is encrypted using strong encryption protocols.
L10 supports the latest recommended secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, whenever supported by the clients.
Data At Rest
Data at rest in L10’s production network is encrypted with LUKS and is ACID-compliant.
This applies to all types of data at rest within L10’s systems: relational databases, file stores, database backups, etc. All encryption keys are stored in a secure server on a segregated network with very limited access. L10 has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.
2. Access Management
Only a selected few senior production staff have access to customer data.
To minimise the risk of data exposure, L10 adheres to the principles of least privilege and role-based permissions when provisioning access: staff are only authorised to access data that they reasonably must handle in order to fulfil their current job responsibilities. All production access is reviewed at least quarterly.
3. Data Retention And Disposal
After the data is marked for deletion, an internal recovery period of up to 30 days may apply depending on the service or deletion request.
L10 hard deletes all information from currently running production systems (excluding organisation names embedded in URLs in web server access logs) and backups are destroyed within 30 days. L10’s hosting providers are responsible for ensuring removal of data from disks is performed in a responsible manner before they are repurposed.
4. Data Backup And Recovery
Your data is backed up at least once per day to ensure maximum safety.
L10 utilises services deployed by its hosting provider to take full backups daily and maintain write-ahead logs. This allows us to restore to any point in time within the previous seven days.
5. Security Incidents
In the event of an incident, affected customers will be informed via email within 48 hours.
L10 has established policies and procedures for responding to potential security incidents. In the event of an incident, affected customers will be informed by our well-prepared response team via email within 48 hours. Incident response procedures are tested and updated at least annually.