DATA SECURITY POLICY
Protecting your data and information is extremely important to us. This Data Security Policy (the “Policy”) explains details and policies regarding Lithero’s data and information security.
This Policy refers to all data that Lithero collects from users, customers, vendors, or other parties that provide information to Lithero. Lithero employees, contractors, consultants, partners and any other external entity working with Lithero and granted access to its data also must follow this Policy.
Lithero collects data and information only for lawful purposes. This data and information is collected in a transparent way and only with the full cooperation and knowledge of the entity from which we gather the data or information. Once this data or information becomes available to us, the following rules apply.
Definition of Protected Data and Information
- Customer materials, along with customer or company comments to those materials;
- User account information, including passwords;
- Personally Identifiable Information: information that can be used to identify individuals, including:
  - Company addresses;
  - Telephone numbers;
  - Product and department names;
  - Job titles;
  - Email addresses.
The Lithero platform is hosted in secure data centers. Various security technologies, such as firewalls, are used to restrict access to systems from external networks and between systems internally. Lithero databases are further secured by built-in network and application firewalls.
Application and Network Security
We engage in the following methods to ensure your data is safe:
- Encrypt data in transit with AES-256, 2048-bit keys and secure HTTP access (HTTPS) using TLS/SSL;
- Salt and hash passwords, so that no one (not even a Lithero employee) can read them;
- Run independent penetration tests regularly on Lithero’s environments;
- Restrict and monitor access to our systems and your data;
- Limit the number of employees who have access to protected data;
- Require use of multi-factor authentication for employees who have access to protected data;
- Build secure networks to protect online data from cyber attacks;
- Include contract clauses or communicate statements on how we handle data;
- Process your data within the company’s legal and moral boundaries;
- Protect against any unauthorized or illegal access by internal or external parties;
- Support a disclosure process. If you identify a vulnerability in our site or services, you can report it to firstname.lastname@example.org.
The data will not be:
- Stored for more than the amount of time specified in our customer contracts or other binding agreements;
- Transferred to organizations, states, or countries that do not have adequate data protection policies;
- Referenced publicly or via systems or communication channels not controlled by Lithero;
- Distributed to any parties other than the ones agreed upon by the owner of the data (exempting legitimate requests from law enforcement authorities).
In addition to handling the data safely, Lithero assumes other direct obligations toward the entities to which data belongs. Specifically, in our contracting with data sources, we:
- Inform entities about:
  - Which of their data is collected
  - How we will process their data
  - Who has access to their information
- Allow entities to request that we modify, erase, reduce, or correct data contained in our databases within legal guidelines specified by our customer contracts or other binding agreements, or company policies or law-enforcement agencies.
Data Breach Response Procedure
Lithero has established a Data Breach Response Procedure (the “Procedure”) to handle cases of lost, corrupted, or compromised data. This Procedure is intended to focus significant attention on data security and data security breaches, and on how Lithero’s established culture of openness, trust, and integrity should respond to such activity. Lithero is committed to protecting its customers, employees, and partners from illegal or damaging actions taken by individuals either knowingly or unknowingly.
- Lithero employees who suspect that a theft, breach, or exposure of protected data has occurred must provide a description of the events involved directly to Lithero’s CEO. Any other individual who suspects that a theft, breach, or exposure of protected data has occurred may provide a description of the events involved to email@example.com. This e-mail address is monitored by Lithero Operations and will be escalated to the CEO on receipt of a valid report.
- Lithero’s CEO will oversee the investigation of all reported thefts, data breaches, and exposures to confirm if a theft, breach, or exposure has occurred. If a theft, breach, or exposure has occurred, Lithero will follow this Procedure.
- As soon as a theft, breach, or exposure containing Lithero-protected data is identified, Lithero will begin the process of removing all access to that resource.
- Lithero will work with experts to determine:
  - The types of data involved;
  - The internal or external individuals and organizations impacted;
  - How the theft, breach, or exposure occurred, including analysis of the root cause.
- Lithero’s communications and human resources departments will work to communicate the theft, breach, or exposure to those directly affected and internal employees.
Operational Security and Enforcement
At Lithero, we believe security is the responsibility of everyone who works for us. We train our employees so they can identify security risks and empower them to take action to prevent bad things from happening. Any Lithero personnel found violating any provision of this Policy may be subject to disciplinary action, up to and including termination of employment. Our employees have signed confidentiality agreements, and we have the ability to shut off access to information and oversee the return of data in case of a data security breach.
Further, access to our systems and your data is restricted to those who need access to provide support or deliver services to you. We sign restrictive agreements with all third parties that work with us and may have access to your data, requiring them to understand and follow the terms of this Policy. Lithero may terminate the network connection of any third-party partner company or subcontractor found violating any provision of this Policy.
Further Questions and Responsibility
Any questions regarding this policy should be referred to Lithero’s CEO (firstname.lastname@example.org). It is the CEO’s responsibility to ensure this policy is followed.
Current as of: April 2, 2018