Security at Livestorm
IN THIS ARTICLE:
Introduction
Livestorm’s mission is to enable business to better communication in an accessible yet secure environment for everyone.
We believe that we need to make your data secure, and that protecting it is one of our most important responsibilities. We’re committed to being transparent about our security practices and helping you understand our approach.
We have a dedicated Security Portal that you can check for more details as well.
Organizational security
Livestorm is constantly evolving with updated guidance and new industry best practices.
Livestorm’s engineering team, led by our Chief Technical Officer (CTO), is responsible for the implementation and management of our security program.
The CTO focuses on:
- Security Architecture,
- Product Security,
- Security Engineering
- Operations
- and Risk and Compliance.
Protecting customer data
The focus of our security program is to prevent unauthorized access to customer data. To this end, our team take exhaustive steps to identify and mitigate risks, implement best practices, and constantly develop ways to improve.
Secure by design
Our product team has built a robust secure development lifecycle. We strive to catch all vulnerabilities in the design and testing phases. All identified vulnerabilities are validated for accuracy, triaged, and tracked to resolution.
Streaming security
Livestorm uses the WebRTC protocol to exchange audio and video packages within a browser without any downloads. Please refer to the official documentation to understand why WebTC is secure by design.
Livestorm employs Transport Layer Security (TLS) to encrypt both voice and video data. The core protocols used are SRTP for media traffic encryption and DTLS-SRTP for key negotiation, both of which are defined by the IETF. The endpoints use strong encryption protocol on both ends to encrypt audio and video and verify data integrity.
SSL
Our SSL audit was done with Certification Qualys SSL Labs. Rating was A+.
This mean that the communication between our servers and each browser is secured with high standards of encryption.
👨💻 About Qualys: Founded in 1999, Qualys has established strategic partnerships with leading managed service providers and consulting organizations including Accenture, BT, Cognizant Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a founding member of the Cloud Security Alliance (CSA).
Encryption
Data in transit
All data transmitted between Livestorm clients and the Livestorm service is done using strong encryption protocols.
Livestorm supports the latest recommended secure cipher suites to encrypt all traffic in transit:
- TLS 1.2, 1.3 protocols,
- AES256 encryption,
- and SHA256 with RSA signatures (RSA 2048 bits), whenever supported by the clients.
Payments
Payment processing is done following ISO 27001 certification and SOC-1, SOC-2 attestation. Livestorm’s payment gateway is certified PCI-DSS Level 1. And complies with EU-U.S. Privacy Shield and U.S.- Swiss Privacy Shield by adhering to the principles of protecting the rights of anyone in the EU whose personal data is transferred to the United States and also GDPR Commitment. More information at: https://www.chargebee.com/security/
Data at rest
Data at rest in Livestorm is encrypted using NIST’s best practices regarding salt and pepper cryptography guidelines.
The Livestorm service is hosted in data centers maintained by industry-leading service providers, offering state-of-the-art physical protection for the servers and infrastructure with 99.9% SLA.
Finally, the Livestorm data is located on databases within the EU and backed up every 24h.
Livestorm ensures secure transmission by using:
Secure Connection: sessions established to access the data are secure with secured tokens that are regenerated periodically.
Data Transmission and Encryption: Livestorm employs Transport Layer Security (TLS) to encrypt both voice and video data. The core protocols used are SRTP for media traffic encryption and DTLS-SRTP for key negotiation, both of which are defined by the IETF. The endpoints use strong encryption protocol on both ends to encrypt audio and video and verify data integrity.
Access Control
Provisioning
To minimize the risk of data exposure, Livestorm adheres to the principle of least privilege and role-based permissions when provisioning access.
Our people are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities.
All production access is reviewed at least quarterly.
Authentication
To further reduce the risk of unauthorized access to data, Livestorm employs multi-factor authentication for all access to systems with highly classified data, including our production environment, which houses our customer data.
Where possible and appropriate, Livestorm uses private keys for authentication, in addition to the previously mentioned multi-factor authentication on a separate device.
Password Management
Livestorm requires personnel to use an approved password manager. Password managers generate, store, and enter unique and complex passwords to avoid password reuse, phishing, and other password-related risks.
System Monitoring, Logging, and Alerting
Livestorm monitors servers to retain and analyze a comprehensive view of its corporate and production infrastructure.
Administrative access, use of privileged commands, and system calls on all servers in Livestorm’s production network are logged and retained for at least two years.
Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel.
Data retention and disposal
Customer data is hard deleted upon request to our customer service. All information is then deleted from our infrastructure.
Livestorm’s hosting providers are responsible for ensuring removal of data from disks is performed in a responsible manner before they are repurposed.
Disaster Recovery and Business Continuity Plan
Livestorm utilizes services deployed by its hosting provider to distribute production operations across 3 separate physical locations. These 3 locations are within one geographic region, but protect Livestorm’s service from loss of connectivity, power infrastructure, and other common location-specific failures.
Livestorm also retains a full backup copy of production data in a remote location significantly distant from the location of the primary operating environment.
Full backups are saved to this remote location once every 24h. Livestorm tests backups at least quarterly to ensure they can be successfully restored.
Responding to Security Incidents
Livestorm has established policies and procedures for responding to potential security incidents. In the event of an incident, affected customers will be informed via email, chat from our customer service team and via our status page. Incident response procedures are tested and updated at least annually.
Subscribe to https://status.livestorm.co in order to get alerts when a maintenance or an incident is on going.
Vendor Management
To run efficiently, Livestorm relies on sub-service organizations. Where those sub-service organizations may impact the security of Livestorm’s production environment, we take appropriate steps to ensure our security posture is maintained by establishing agreements that require service organizations to adhere to data protection commitments we have made to users.
Application
The web application is split into 4 parts:
- Dashboard is where you manage all your online events. Accessible only for team members.
- Company page lists publicly all your public events. Can be disabled.
- Registration page let visitors to register for a given online event. It is public but it can be disabled.
- Room the event page.
- Before live: Accessible for team members and guest speakers
- During live: Accessible for team members, guest speakers and registrants
- After live: Accessible for team members, guest speakers and registrants. But you can disable it at any time.