Data security

Understanding that data privacy and safety are paramount, we want to assure you that a significant part of our efforts is dedicated to security measures.

This article outlines the multifaceted security measures implemented by Lifecycle Manager, including physical, procedural, and technical defenses designed to maintain your information's integrity and security. Our primary responsibility is to safeguard the data entrusted to us by you.


SOC 2 Compliance and ISO 27001 Certification

ScalePad is SOC 2 Type 1 and ISO 27001 certified.

SOC 2 Compliance

SOC 2 comprises a series of principles that aid in ensuring a company's secure and responsible handling and protection of data. It functions as an assurance seal that the company prioritizes the safety of customers' and partners' information.

ScalePad’s SOC 2 Type 1 security certification is an independent audit carried out to assess ScalePad's compliance with one or more of the five Trust Service Principles (TSPs) pertinent to their specific services.

Trust Principles

ISO 27001 is an international standard that provides a framework for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS) within an organization.

ISO 27001 certification is a proactive risk management strategy. By aligning with this standard, we can identify and address potential security risks before they escalate into serious incidents.

What does this mean for MSPs?

By partnering with SOC 2-compliant and/or ISO 27001-certified vendors, MSPs can use this as a selling point to differentiate themselves from competitors and attract clients who value data security and privacy.

Collaborating with vendors who are SOC 2-compliant and/or ISO 27001-certified enhances trust between MSPs and their clients. It enables MSPs to provide reassurance that data security is upheld across the entire supply chain.

By ensuring that your vendors comply with SOC 2 or have obtained ISO 27001 certification, you demonstrate that you have undertaken essential measures to protect the information entrusted to you by your clients.


Data security summary

Our dedication to security standards is crucial for your peace of mind. Here are the main points to note:

  • All accounts have the option of multi-factor authentication

  • We strictly adhere to robust backup procedures and business continuity plans

  • We adhere strictly to procedural and technical standards including, but not limited to:

    • Credential management and requisite requirements

    • Role-based privileged access control when necessary

    • Firewalls and restricted modern internal systems


Data security standards

When establishing a connection with Lifecycle Manager, we ensure minimal data exposure by accessing only what's necessary for service provisioning.

Frequent data backups are in place to guard against data loss and facilitate recovery. We apply strict access limitations on all systems and servers to bolster your information's protection. All access events, including physical ones, are logged.

Sensitive payment information isn't stored on our end but is managed by our trusted payment gateway, Stripe.


Data Encryption

Data Protection

Lifecycle Manager uses industry-accepted encryption methods and products to protect customers' personal data and communications during transmission between a customer's network and our services. This includes encryption for data during transmission over public networks and when data is at rest.

  • Encryption in Transit

    • All data transferred over public networks is encrypted via HTTPS/Transport Layer Security (TLS).

  • Encryption at Rest

    • Sensitive data at rest is encrypted using AES-256 or stronger encryption.


Credential encryption

We're happy to share these key points of our security standards surrounding credential encryption.

Passwords

  • All passwords are encrypted with AES-256-bit encryption

    • This includes a 2048-bit RSA public key, with unique secure random keys for each password

  • RSA private keys are encrypted with a secure, random RSA key passphrase

    • These are stored in an isolated bucket, locked down to only allow access from our servers as required for decryption

  • The decryption process takes place server-side

    • The private key passphrases (and private keys themselves) are not stored in the database

    • The private keys are stored in a secured bucket that is only accessible via the servers used for decryption

  • Decrypted password data is never written to disk

  • The web servers themselves are also locked down with multiple firewalls, access control lists for incoming/outgoing traffic, and key-based access.
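
The scheme listed above (a unique random AES-256 key per password, wrapped with a 2048-bit RSA public key whose private key is protected by a random passphrase) is commonly called envelope encryption. The sketch below is an added illustration, not Lifecycle Manager's code. The page does not state cipher modes or padding, so AES-256-GCM, RSA-OAEP with SHA-256, AES-256-CBC protection of the private key PEM, and all function names are assumptions.

```javascript
// Added illustration of envelope encryption; modes and names are assumptions.
const crypto = require('node:crypto');

// RSA-2048 key pair; the private key PEM is itself encrypted under a random passphrase.
function makeWrappingKey() {
  const passphrase = crypto.randomBytes(32).toString('base64');
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
  return { publicKey, privateKey, passphrase };
}

// Encrypt one password under a fresh random AES-256 key, then wrap that key with RSA.
function sealPassword(publicKey, plaintext) {
  const dataKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    dataKey);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Server-side decryption: needs the private key and its passphrase; result stays in memory.
function openPassword(privateKey, passphrase, record) {
  const dataKey = crypto.privateDecrypt(
    { key: privateKey, passphrase, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    record.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, record.iv);
  decipher.setAuthTag(record.tag); // GCM rejects a tampered ciphertext at final()
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString('utf8');
}

// Constructed sample run: same password sealed twice, then opened with right and wrong passphrase.
function demo() {
  const k = makeWrappingKey();
  const a = sealPassword(k.publicKey, 'constructed-sample-password');
  const b = sealPassword(k.publicKey, 'constructed-sample-password');
  let wrongPassphraseRejected = false;
  try { openPassword(k.privateKey, 'wrong', a); } catch { wrongPassphraseRejected = true; }
  return {
    roundTrip: openPassword(k.privateKey, k.passphrase, a),
    distinctCiphertexts: !a.ciphertext.equals(b.ciphertext),
    wrappedKeyBytes: a.wrappedKey.length,
    wrongPassphraseRejected,
  };
}
```

A database holding only `wrappedKey`, `iv`, `ciphertext` and `tag` cannot be decrypted without both the private key and its passphrase, which is why the page keeps those outside the database.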

Access to the Lifecycle Manager platform

  • Access to the Lifecycle Manager platform is restricted to strong SSL encryption over HTTPS

Credentials stored in Lifecycle Manager can never be recovered.


Secure Amazon hosting platform

We host data on Amazon Web Services’ (AWS) highly secure platform. The entire infrastructure is PCI-DSS certified and maintains PCI-DSS Level 1, SSAE16 SOC 1, SOC 2 and SOC 3, ISO 27001, 27017, and 27018. These certifications include their:

  • Security governance

  • Physical security

  • Network infrastructure

  • Change management

  • Administration practices

With these established services, Lifecycle Manager offers a secure, robust, and trustworthy application.


Data storage

We house data in secure SSAE 16 / SOC1 certified data centers provided by AWS. More details on AWS's SOC compliance can be found on their AWS SOC FAQ page.


Data stored in the Lifecycle Manager platform

To effectively deliver our services, we store the following hardware asset information on Lifecycle Manager:

  • Asset Name

  • Client and/or Site, Location

  • Asset type

  • Manufacturer

  • Serial number

  • User information

  • Member information per client

  • Software (such as the OS, e.g. Windows 10)

  • Age

  • Purchase date

  • Expiry date

Removing integrations will purge your data: should you choose to remove an integration from your Lifecycle Manager account, all associated data will be wiped from our systems.

For more information, including GDPR considerations
If you'd like some more information, please read our Privacy Policy, as well as our Terms and Conditions.