Technical and Organizational Measures - Lotame
Technical and Organizational Measures


  1. Systems’ Access Controls. Lotame maintains appropriate technical and organizational policies, procedures and safeguards to limit access to its Platform and Services to only those individuals that require access, including protection against unauthorized processing, loss, or unauthorized disclosure of or access to Customer Data and Data Partner Data. Access to Customer Data and Data Partner Data within Lotame’s Platform is governed by role-based access control (RBAC) and can be configured to define granular access privileges, including distinct read/write privileges. These privileges are packaged into reusable and customizable roles to support various permission levels for employees and users (owner, admin, agent, end-user, etc.). Individual users are granted any number of roles, thus providing the capability to control specific responsibilities and access levels within Lotame’s organization. Lotame’s information security management system is ISO/IEC 27001:2013 certified and is audited annually by an independent third party. Lotame’s ISO/IEC 27001:2013 certificate is available here.
  2. Physical & Environmental Controls – Hosting Infrastructure. Lotame’s production infrastructure is hosted by Amazon Web Services (AWS). Lotame does not maintain any physical access to the AWS facilities, and remote access is restricted to named operations staff on an as-needed basis. For more information about AWS security, refer to https://aws.amazon.com/security/.
  3. Physical & Environmental Controls – Corporate Offices. While Customer Data is not hosted at Lotame’s corporate offices, its technical, administrative, and physical controls for its corporate offices are covered by its ISO/IEC 27001:2013 certification and include, but are not limited to, the following:
    1. Physical access to the corporate offices is controlled at office ingress points;
    2. Badge access is required for all personnel and badge privileges are reviewed regularly;
    3. Visitors are required to be escorted by employees; and
    4. Cameras.
  4. Data Transmission and Storage. All Customer Data or Data Partner Data in transit between Business Customers and Data Partners is encrypted using TLS 1.2 or better. Customer Data and Data Partner Data is also encrypted at rest.
  5. Development Practices. Lotame utilizes industry-standard source code, build, and deployment processes and systems to manage the introduction of new code into its Platform and Services. Access to the code repositories is granted on an as-needed basis only to employees within Lotame’s technology and engineering organizations.
  6. Configuration Management. Lotame utilizes automated configuration management tools to manage application runtimes and configuration parameters across its infrastructure, with access restricted to employees that support releases and operations. Within the configuration management information architecture, credentials used by automated systems (e.g. database logins) are isolated from general application configuration parameters to further limit access to such credentials.
  7. Data Minimization and Pseudonymization. Lotame’s Services do not monitor Customer Data or Data Partner Data to limit what Personal Data is collected and sent to Lotame; its Business Customers and Data Partners generally determine what Personal Data is collected. Lotame’s Platform will process all data regardless of its nature as long as it fits the predefined characteristics that allow it to be processed. Lotame does not make any data-based decisions other than following customers’ instructions as they configure Lotame’s data collection tools to perform their desired operations. Customer Data and Data Partner Data is associated with pseudonymous IDs assigned by Lotame. If Customer Data or Data Partner Data includes un-hashed deterministic identifiers (for example, email addresses), Lotame tokenizes such deterministic identifiers and segregates them from all other data, and uses technical and organizational measures and controls to maintain that separation, prevent use of those deterministic identifiers during processing within the Platform, and prevent access to and viewing of deterministic identifiers except by limited operations leadership for troubleshooting purposes and compliance with applicable laws.
  8. Confidentiality. All Lotame employees and contractors enter into customary confidentiality agreements that govern the access, use and treatment of all Customer Data or Data Partner Data that Lotame processes.
  9. Personal Data Incident Notifications and Mitigation. Lotame maintains data incident management policies and procedures that it tests annually. Lotame will, without undue delay and in accordance with the timelines required by applicable Data Protection and Privacy Laws, notify its Business Customers and Data Partners of any incidents that result in the unauthorized or illegal destruction, loss, alteration, disclosure of, or access to, their Customer Data or Data Partner Data. Lotame will take prompt action to mitigate any harm to the data exporter or to personal data.
  10. Vulnerability Detection and Management.
    1. Anti-Virus and Vulnerability Detection: Lotame leverages threat detection tools to monitor and alert it to suspicious activities, potential malware, viruses and/or malicious computer code.
    2. Penetration Testing and Vulnerability Detection: Lotame engages an independent third party to conduct penetration tests of the Platform and Services annually.
    3. Vulnerability Management: Vulnerabilities meeting defined risk criteria trigger alerts and are prioritized for remediation based on their potential impact to the Platform and Services.
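Item 1 above describes an access model in which read/write privileges are packaged into reusable roles (owner, admin, agent, end-user), a user may hold any number of roles, and access is otherwise denied. The following is an added illustration of that model written for this page; it is hypothetical and is not Lotame's code or a description of its Platform. The role names, resource names ("audience_data", "reports", "users") and user ids are constructed sample values, and the rule that a user's effective privilege is the union of all held roles, with default deny, is an assumption about how such a model is commonly implemented.

```python
"""Minimal role-based access control (RBAC) model (hypothetical, not Lotame's).

Roles bundle per-resource read/write privileges; a user may hold any number
of roles; the effective privilege is the union across held roles; anything
not explicitly granted is denied.
"""
from enum import Flag, auto


class Privilege(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()


class AccessControl:
    def __init__(self):
        self._roles = {}        # role name -> {resource: Privilege}
        self._assignments = {}  # user id -> set of role names

    def define_role(self, name, grants):
        # A role is a reusable template: resource -> Privilege bundle.
        self._roles[name] = dict(grants)

    def assign(self, user, *role_names):
        # Fail closed on unknown roles rather than silently granting nothing.
        for name in role_names:
            if name not in self._roles:
                raise KeyError(f"unknown role: {name}")
        self._assignments.setdefault(user, set()).update(role_names)

    def revoke(self, user, role_name):
        self._assignments.get(user, set()).discard(role_name)

    def effective_privileges(self, user):
        # Union of privileges across every role the user holds (assumption).
        effective = {}
        for name in self._assignments.get(user, ()):
            for resource, priv in self._roles[name].items():
                effective[resource] = effective.get(resource, Privilege.NONE) | priv
        return effective

    def is_allowed(self, user, resource, required):
        # Default deny: no roles, unknown resource or empty requirement -> False.
        if not required:
            return False
        held = self.effective_privileges(user).get(resource, Privilege.NONE)
        return (held & required) == required


def build_sample_acl():
    # Constructed sample roles and users; tiers echo the ones named on the page.
    acl = AccessControl()
    rw = Privilege.READ | Privilege.WRITE
    acl.define_role("owner", {"audience_data": rw, "reports": rw, "users": rw})
    acl.define_role("admin", {"audience_data": rw, "reports": rw, "users": Privilege.READ})
    acl.define_role("agent", {"audience_data": rw, "reports": Privilege.READ})
    acl.define_role("end-user", {"reports": Privilege.READ})
    acl.assign("alice", "owner")
    acl.assign("bob", "agent")
    acl.assign("carol", "end-user")
    acl.assign("dave", "end-user", "agent")  # several roles: privileges are unioned
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    checks = [
        ("bob", "audience_data", Privilege.WRITE),
        ("carol", "audience_data", Privilege.READ),
        ("mallory", "reports", Privilege.READ),  # no roles assigned
    ]
    for user, resource, need in checks:
        print(f"{user:8} {resource:14} {need.name:5} -> {acl.is_allowed(user, resource, need)}")
```

The practitioner's check here is the default-deny path: an unassigned user, an unknown resource, or a revoked role must all evaluate to "not allowed", which is why `is_allowed` looks up with a `Privilege.NONE` fallback instead of raising.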