Security & Privacy

LifeLabs Learning has a commitment to data privacy and security; best practices are standard in every part of our business. On this page, you’ll find a high-level enumeration of several frameworks, regulations, and certifications that apply to our company and its products.

For questions, comments, or additional documentation, please contact dataprivacy@lifelabslearning.com.

Legal

| Domain | Explanation | Documentation |
| --- | --- | --- |
| Cyber Insurance | Is there an insurance policy that protects against cyber attacks and data breaches? | dataprivacy@lifelabslearning.com |
| DPA | Data Processing Agreement Per GDPR Article 28 | |
| MSA | Master Services Agreement/Client Contract | dataprivacy@lifelabslearning.com |
| Privacy Policy | How do you protect your customer’s privacy and manage data collection and security? | https://lifelabslearning.com/privacy-policy/ |
| Service-Level Agreement | Uptime and support metrics | Not applicable at this time. |
| Website Cookies | Data collected through HTTP cookies to help track, personalize, and save information about user sessions. | Opt-out included as a banner. |

Risk Profile

| Domain | Description | Documentation |
| --- | --- | --- |
| Data Access | What type of company data will you need to access? | We collect financial information for billing purposes as well as attendance from Zoom workshops (optional with easy opt-out) |
| RTO (Recovery Time Objective) | What is your recovery time objective in case of critical failure? (e.g., your DB is deleted) | Recover RPO data in 4 hours or less |
| RPO (Recovery Point Objective) | What is your recovery point objective in case of critical failure? (e.g., your DB is deleted) | Start of current day |
| Critical Dependence | Will your product be a system that your enterprise customer critically depends on? | No |
| Third-Party Dependence | Are you also using other third-party services to manage or support your customers? | 3rd party vendors include but are not limited to: Hubspot (CRM), Squarespace (website), PandaDoc (contracts), Google Workspace (email and productivity suite) |
| Hosting | Are you hosted only on one of the major cloud providers or do you have any on-premise systems? | No on-premise systems. Cloud-held data resides in AWS. |

Data Security

| Domain | Description | Documentation |
| --- | --- | --- |
| Access Monitoring | Who can access your internal systems? | We use Google Workspace’s internal security (see security) |
| Backups Enabled | Where, how, and how often are your systems backed up? | AWS native functionality to back up systems and data, which is enabled by default. |
| Data Erasure | How do you certify if data is erased/destroyed? | LifeLabs will send a certificate of destruction per request. |
| Encryption-at-rest | Encrypted while held in a local database | Sent through Google Workspace (see encryption for data at rest) |
| Encryption-in-transit | Encrypted while in transit from one data center to another (EDI) | Sent through Google Workspace (see encryption for data in transit) |
| Physical Security | How are you protecting your data center? | Hosted in AWS which maintains robust and industry-standard physical security of their data centers. |

Endpoint Security

| Domain | Description | Documentation |
| --- | --- | --- |
| Disk Encryption | Are local computer hard disks encrypted? | Internally, we enforce native OS full disk encryption on user endpoints for OSX and Linux. LifeLabs Learning does not use Windows devices. |
| DNS Filtering | Do local computers monitor DNS? | Google Workspace managed Chrome browser monitors DNS traffic for malicious or anomalous activity. |
| Endpoint Detection & Response | Do local computers have onboard EDR? | Managed endpoint detection and response to defend and detect threats across user devices and AWS workloads. |
| Mobile Device Management | Are devices managed through a central system that includes the ability to remote-wipe and locate lost devices? | Management of Apple OSX devices through Mosyle |
| Threat Detection | See Endpoint Detection & Response | See Endpoint Detection & Response |

Access Control

| Domain | Description | Documentation |
| --- | --- | --- |
| Data Access | How is data access controlled across the network and server environment? | Data access is controlled through policy and Google Workspace DLP configuration |
| Logging | How are logs collected, ingested, analyzed, and stored? | Logs are maintained indefinitely |
| Password Security | How secure are passwords and is the policy enforced? | SAMLv2 SSO, OAuth2 and username and password are all supported. All authentication is managed through Google Workspace (IDP). Passwords must meet the complexity requirements listed below. |

Passwords have the following complexity requirements:

- At least 8 characters in length
- Contain at least 3 of the following 4 types of characters:
  - lower case letters (a-z)
  - upper case letters (A-Z)
  - numbers (i.e. 0-9)
  - special characters (e.g. !@#$%^&*)

Corporate Security

| Domain | Description | Documentation |
| --- | --- | --- |
| Asset Management Practices | How do you keep track of assets? | Assets are managed through physical inventory and Mosyle, our MDM. |
| Email Protection | What protections do you have against phishing and email hijacking? | SPF/DKIM/DMARC |
| Employee Training | How are employees kept trained and up to date about cyber security? | LifeLabs Learning utilizes KnowBe4 for Security training. |
| HR Security | How is employee information kept safe? | LifeLabs Learning utilizes Sequoia for our PEO and PrismHR for our benefits platform. |
| Incident Response | Communication internally and externally when a data breach or incident occurs | LifeLabs Learning has an internal process for incident response. |
| Internal Assessments | Audits | Audits are performed with compliance to ISO 27001 (certification pending) |
| Penetration testing | Network and server penetration testing | Not applicable |
| SOC | Proactive security and monitoring | Google Workspace – Cloud Storage and Infrastructure Security |
| IDP | Who is your identity provider and do you use MFA? | Google Workspace, MFA deployed |
