Last Updated: Oct 10, 2023
All of Lung Logic’s services are hosted in Amazon Web Services (AWS) facilities in the United States. Services are distributed across multiple AWS availability zones. These zones are hosted in physically separate data centers, protecting services against single data center failures.
You can find more information about AWS security practices on the AWS cloud security page.
Lung Logic classifies the data they own, use, create, and maintain into the following categories:
- Public Data - Information that can be disclosed publicly without issue. Examples: press releases, public website content, social media posts.
- Internal Data - Information meant for internal use only. Unauthorized disclosure could pose a moderate risk. Examples: unpublished memos and internal procedures.
- Confidential Data - Sensitive information that requires protection from unauthorized access. Unauthorized disclosure could cause harm. Examples: employee information, customer data, and contracts.
- Restricted Data - Highly sensitive information with legal or regulatory obligations for protection. Unauthorized access poses a significant risk. Examples: codebase, intellectual property, credentials, PHI.
Encryption at rest
Lung Logic uses the AWS-managed data stores RDS, ElastiCache, and S3 to store customer data, including backups. All these AWS services have been configured to use encryption at rest using AES with 256-bit keys.
Secrets and encryption key management
Lung Logic uses AWS Systems Manager Parameter Store for securely storing and managing the secrets used by its services. Lung Logic uses AWS Key Management Service (KMS) to encrypt and decrypt these secrets and to manage all encryption keys in use by Lung Logic services. Access to secrets and encryption keys is restricted to the services that need them on a least-privilege basis and is managed by the Lung Logic infrastructure team.
Separation of environments
Lung Logic fully separates and isolates their production, staging, and development networks and environments.
Lung Logic practices continuous delivery. We have processes and automation in place that allow us to safely and reliably roll out changes to our cloud infrastructure and web-based applications at speed. We deploy new changes to production dozens of times a day.
- All code changes are requested through pull requests and are subjected to code reviews and approval prior to being merged into the main and production branches.
- Lung Logic uses GitHub Enterprise and Dependabot to automatically create pull requests to update outdated dependencies.
- Lung Logic uses static source code analysis tools like Code Climate to analyze any source code changes in order to identify any potential code quality issues or security weaknesses.
- Lung Logic uses Sentry to track errors in the web and desktop applications.
- Lung Logic’s security team works closely with the engineering teams to resolve any potential security concerns that may arise during design or development.
External security testing
In addition to our internal security scanning and testing program, Lung Logic employs third-party firms to conduct extensive penetration tests of all application and cloud infrastructure on a regular basis. Findings from these penetration tests are prioritized, triaged, and remediated by the Lung Logic security team.
Bug bounty program
Lung Logic operates a private security bug bounty program that allows security researchers around the world to continuously test the security of Lung Logic’s applications and services. Researchers who identify valid issues are paid via the program. If you would like to be invited into our bug bounty program, please report a security vulnerability by following the vulnerability disclosure guidelines outlined below. Based on that report we will consider inviting you into the program, at our discretion.
Infrastructure and network security
Lung Logic requires the use of TLS to secure the transport of data, both on the internal network between services and on the public network between the Lung Logic applications and the Lung Logic cloud infrastructure. Lung Logic’s TLS configuration requires at least TLS version 1.2 and the use of strong cipher suites, which support important security features such as forward secrecy. To defend against downgrade attacks, Lung Logic has implemented HTTP Strict Transport Security (HSTS) and has all of its production domain names included on the HSTS Preload List.
Network segmentation is a foundational aspect of Lung Logic’s cloud security strategy. Lung Logic achieves segmentation boundaries at various layers of their cloud infrastructure. Lung Logic uses a multi-account strategy within AWS to isolate production, development, and test environments. Within AWS, Lung Logic uses VPCs, security groups, network access control lists, and subnets to further isolate services.
Intrusion detection and prevention
Lung Logic maintains an extensive centralized logging environment in which network, host, and application logs are collected in a central location. Lung Logic has also enabled detailed audit trails with critical service providers such as Google G Suite, GitHub, and AWS (CloudTrail). These logs and audit trails are analyzed by automated systems for security events, anomalous activity, and undesired behavior, and the events these systems generate are monitored.
All new hires are required to attend the security awareness training as part of their onboarding. All employees are required to attend the annual security awareness training. Lung Logic engineers are required to attend an annual security training designed specifically for engineers.
Lung Logic maintains an accurate and up-to-date inventory of all its networks, services, servers, and employee devices.
Access to customer data
Access to Lung Logic customer data is provided on an explicit need-to-know basis and follows the principle of least privilege. Access to customer data is audited and monitored by the security team. Lung Logic support and customer employees are only granted access after explicit approval of the respective customer. All Lung Logic employees have signed a non-disclosure agreement.
Security incident management
The security team at Lung Logic aggregates logs and audit trails from various sources in a central location and uses tools to analyze, monitor, and flag anomalous or suspicious activity. Lung Logic’s internal processes define how alerts are triaged, investigated, and, if needed, escalated. Both customers and non-customers are encouraged to disclose any potential security weaknesses or suspected incidents to Lung Logic Security. In case of a serious security incident, Lung Logic has the security expertise to investigate security incidents and resolve them to closure. If needed, Lung Logic also has access to external subject matter experts.
Information security policies
Lung Logic maintains a number of information security policies that form the basis of our information security program. All Lung Logic employees are required to review relevant policies as part of their onboarding. These security policies cover the following topics and are available to Enterprise customers upon request:
Configuration and Asset Management Policy
Change Management Policy
Code of Conduct
Vendor Management Policy
Performance Review Policy
Physical Security Policy
Business Continuity and Disaster Recovery Plan
Internal Control Policy
Security Incident Response Plan
Data Retention and Disposal Policy
Information Security Policy
Access Control and Termination Policy
Encryption and Key Management Policy
Secure Development Policy
Data Classification Policy
Risk Assessment and Treatment Policy
Vulnerability and Patch Management Policy
Acceptable Use Policy
Network Security Policy
Backups and disaster recovery
All Lung Logic customer data is stored redundantly in multiple AWS data centers (availability zones) to ensure availability. Lung Logic has well-tested backup and restoration procedures in place, which allow for quick recovery in the case of single data center failures and disasters. Customer data is continuously backed up and stored off-site. The restoration of backups is fully tested regularly to ensure that our processes and tools work as expected.
Lung Logic exclusively uses a mix of Apple MacBook and Windows devices. These devices are all centrally managed through the internal mobile device management solution, which allows us to enforce security settings such as full disk encryption, network and application firewalls, automatic updates, screen time-outs, and anti-malware solutions.
Risk management and assessment
Lung Logic performs periodic risk analysis and assessment to ensure that our information security policies and practices meet our requirements and applicable regulatory obligations.
Lung Logic Enterprise includes all our general security measures, plus additional features and enhancements to provide even more customization and privacy.
Single sign-on (SSO)
Lung Logic supports single sign-on (SSO) for Enterprise customers. By using the customer’s existing identity management solution, Lung Logic provides an easy and secure way for companies to manage their team members’ access. Lung Logic supports identity providers like Google G Suite, Azure Active Directory, OneLogin, and Okta. Lung Logic also supports both SAML and OAuth-based OpenID Connect.
Role-based access control (RBAC)
Lung Logic supports role-based access control, which means the access of team members within an organization is dictated by their role (i.e. viewer, collaborator, editor, or administrator). Administrators can assign team members specific roles or revoke access using the Lung Logic account dashboard.
Security vulnerability disclosure
If you would like to disclose a potential security vulnerability or have security concerns about a Lung Logic product, please reach out to email@example.com. Please include a description of the security vulnerability, steps to reproduce, and the impact the vulnerability may have.