Trust Center

At LeaseQuery, we realize that security and reliability are very important to our clients.

Our clients trust us with their data and we take this responsibility very seriously. Ensuring the security of our clients’ data, and the systems and applications that store this data, is a top priority for us.

LeaseQuery welcomes any and all security community support to further protect our systems and customers. Please use the following form to report your concerns.

CATEGORY

TOPIC

DETAILS

Accessibility

Accessibility

LeaseQuery is committed to making our software applications and websites accessible to people with all levels of ability.

We are constantly working towards improving our user experience to ensure we provide equal access to all of our users. As such, our efforts are guided by the Web Content Accessibility Guidelines (WCAG), which defines requirements for designers and developers to improve accessibility for people with disabilities.

If you have any questions regarding our applications, contact us at
1-800-880-7270 or customersupport@leasequery.com for assistance and feedback.

Asset Security

Baselines

LeaseQuery leverages baselines to ensure compliance, stability, and security. This includes code repositories and version control, hardened/golden images, enforced user and system policies, performance and stability metrics/reporting, and more–with logging and alerting to capture changes.

Asset Security

Hardening Standards

Servers and client systems are hardened from deployment and maintained afterwards with sophisticated practices, security fixes, firewalls, and antimalware tooling. Each server is restricted to only the ports and services required to run the application. Only essential applications are permitted to execute on servers. Access to these servers is highly restricted with least-privileged-based permissions and only authorized systems are allowed non-https access via access controls and firewall restrictions.

Availability and Reliability

Change Management

LeaseQuery has developed a written change control standard to mitigate the risk that the security, availability and integrity of system software, systems and information are compromised when there are changes to the Solution. No software is permitted to be installed in the production environment for the Solution unless it has been tested, reviewed and approved in accordance with these requirements. These requirements govern the entire change control process, through ticket creation, ticket prioritization, development, quality assurance, communication plans, approval, deployment and hotfixes.

Availability and Reliability

Code Review

LeaseQuery uses both manual and automated tooling to scan developed code for security, stability, and efficiency.

Availability and Reliability

Segregation of Environments

LeaseQuery separates development and production environments to reduce the risk of unfinished or malfunctioning software being used in production. To accomplish this, LeaseQuery utilizes web application firewalls, stateful packet inspection firewalls, and access control lists to separate and protect computing environments. Firewall policies and rules are in place and are reviewed periodically to ensure only approved access is allowed.

Business Continuity

Backups

LeaseQuery leverages periodic data backups to protect customer information, which is encrypted at-rest and replicated across multiple Amazon Web Services (AWS) regions. Backup restores are tested regularly.

Business Continuity

Business Continuity

LeaseQuery’s solutions, including all data stored, are hosted in at least two different geographic regions in the United States.

Business Continuity

Disaster Recovery

LeaseQuery has developed a written Disaster Recovery plan for business continuity purposes, which is managed by the Company’s Chief Operating Officer and is designed to facilitate the resumption of business operations efficiently following a disaster (which results in the inability of LeaseQuery or its personnel to perform all or some of their services, regular roles and responsibilities for a period of time). A disaster is not necessarily related to a security event, but depending on the circumstances, both the Security Incident Response Plan and the Disaster Recovery plan could be initiated simultaneously in connection with the same event. LeaseQuery’s Disaster Recovery plan is assessed, at minimum, annually.

Compliance

CCPA

LeaseQuery is compliant with the California Consumer Privacy Act (the “CCPA”). California residents may have additional privacy rights under the CCPA. For more information, please see LeaseQuery’s Privacy Statement.

Compliance

GDPR

LeaseQuery maintains a strong commitment to privacy, security, compliance and transparency. This approach includes supporting our customers’ compliance with the European Union’s (EU) General Data Protection Regulation (GDPR). If a customer needs to share personal data of EU citizens with LeaseQuery in order for LeaseQuery to provide its services, the GDPR may impose privacy-related compliance obligations on the customer with respect to its engagement of LeaseQuery as its subprocessor. In these circumstances, we can support our customers’ compliance needs by entering into a data protection addendum (a DPA) with contractual commitments required by the GDPR. To request a GDPR-compliant DPA, simply contact your LeaseQuery sales or customer support representative.

Compliance

Hardware

LeaseQuery complies with NDAA Sec. 889 and does not leverage technologies manufactured by the following entities (or any subsidiary or affiliate of such entities):

  • Huawei Technologies Company
  • ZTE Corporation
  • Hytera Communications Corporation
  • Hangzhou Hikvision Digital Technology Company
  • Dahua Technology Company

Compliance

HIPAA

LeaseQuery is not subject to Health Insurance Portability and Accountability Act (HIPAA) because LeaseQuery’s service does not involve any protected health information.

Compliance

SOC

LeaseQuery is audited and receives a SOC I Type II report, as defined by the American Institute of Certified Public Accountants, twice per year from a Big 4 accounting firm. LeaseQuery’s SOC reports are available to all customers and by request for prospective customers. More information can be provided by contacting: complianceinfo@leasequery.com

Data Security

Data Classification

LeaseQuery leverages multiple classifications to govern the storage and handling of information—both electronic and physical—based on the information’s sensitivity. Information access and disclosure is restricted to authorized parties. All customer data is treated as “highly sensitive confidential information”, the highest level of confidentiality under LeaseQuery’s Information Security Policy.

Data Security

Data Encryption At-Rest

Data stored in LeaseQuery solutions or in backup systems are encrypted with 256-bit AES encryption. This includes full database encryption.

Data Security

Data Privacy

The personal data LeaseQuery needs to provide its service is limited to the names and business contact information of its users, as well as logfiles reflecting usage of the solution. If LeaseQuery customers choose to upload their contracts to LeaseQuery’s solution, those contracts may include names and business contact information relating to the lease counterparties and any individuals identified by such leases (e.g., an individual identified as a point of contact for receiving notices under the lease). Sensitive personal information is not permitted to be uploaded to LeaseQuery’s solution.

Please see LeaseQuery’s data privacy statement for more information.

Data Security

Data Retention and Disposition

LeaseQuery maintains a written document and data retention standard, which is incorporated into the Information Security Policy, governing the retention, destruction and return of confidential information, including, without limitation, client data.

Our subscription agreement requires us to retain your data for at least 90 days after the termination or expiration of your subscription agreement (coinciding with your quarterly reporting cycle) to ensure you have sufficient opportunity to retrieve your data; however, you can also always request the exportation of your data during the term of the subscription or within 90 days thereafter.

Data Security

Digital Certificates

LeaseQuery leverages industry-recognized Certificate Authorities to provide full lifecycle management of LeaseQuery certificates, including enrollment, distribution, validation, revocation, and renewals.

Data Security

Data Encryption In-Transit

All interchanges of client lease data to and from the Solution are encrypted using at least an SSL certificate (TLS 1.2) with 2048-bit RSA encryption, which is renewed yearly.

Data Security

Non-disclosure agreements

All LeaseQuery employees, customers, vendors, and contractors with access to customer data are required to sign agreements with confidentiality obligations.

Data Security

Secrets Management

LeaseQuery leverages sophisticated encryption technology, methodologies, and best practices for secrets management throughout our solution.

Data Security

Password

Passwords are salted and leverage Secure Hash Algorithm (SHA) one-way hashing.

Identification, Authentication, Authorization, Auditing, and Accountability

Access Control

Internally, LeaseQuery leverages Role-Based Access Controls (RBAC)/methodologies with an approved matrix governing administrative access. LeaseQuery employees are subject to need-to-know and least-privileged basis access controls wherever it is practicable to do so, based upon the security requirements and business requirements of individual business applications. LeaseQuery does not allow for shared accounts.

For customer-facing solutions, LeaseQuery maintains formally defined external user types, with varying access rights and privileges based on the role of the user.

Identification, Authentication, Authorization, Auditing, and Accountability

Identification

All LeaseQuery personnel and contracted agencies are uniquely identified and issued unique accounts for identification, authentication, authorization, and accountability. All employees and contracted agencies also require uniquely identifying badges to access LeaseQuery facilities.

Identification, Authentication, Authorization, Auditing, and Accountability

Job Roles

Responsibilities of staff regarding information security are formally addressed in LeaseQuery’s Information Security policy.

Identification, Authentication, Authorization, Auditing, and Accountability

Passwords

All LeaseQuery personnel are subject to written policies regarding secure storage of passwords, minimum password strength requirements, mandatory periodic password change requirements, and automatic lockouts after multiple failed login attempts. In addition, LeaseQuery employs credential management/rotation systems to rotate credentials periodically.

Identification, Authentication, Authorization, Auditing, and Accountability

Single-Sign On (SSO)

LeaseQuery can integrate with any single sign-on (SSO) system that supports Security Assertion Markup Language (SAML) 2.0.

Incident Management and Response

Incident Response Plan

LeaseQuery has developed an integrated Security Incident Response Plan which establishes a cross-functional response team comprised of professionals from all appropriate business functions, including information technology, legal, human resources, public relations, operations, as well as executive management representation. The Security Incident Response Plan contains written procedures for escalating and containing the incident, as well as documenting the response. Following the initial response, the Security Incident Response Plan includes additional procedures regarding after-the-fact analysis, investigation, mitigation and correction, and third-party notification.

Incident Management and Response

Monitoring and Logging

LeaseQuery logs are centrally managed and retained according to LeaseQuery’s Data Retention Policy. LeaseQuery utilizes network logging to ensure that no unauthorized users access the system, which provides monitoring, alerting and reporting. The security logs include a log of all users that log in to the system along with their IP address, as well as standard windows logs of any user who logs into the servers. LeaseQuery also leverages endpoint monitoring and logs user actions. While LeaseQuery cannot disclose the exact retention duration, logs are centrally managed and retained according to LeaseQuery’s Data Retention Policy.

Infrastructure

Data Center

All LeaseQuery solution platforms run within Amazon Web Service’s (AWS) cloud infrastructure:

Infrastructure

Physical Security

Physical security controls, designed under the supervision of the Chief Information Security Officer, are used to restrict entry into LeaseQuery facilities and all areas within LeaseQuery’s facilities where tangible highly sensitive confidential information is physically stored. Visitors to LeaseQuery facilities are allowed in only for authorized purposes. Employees are instructed to question unfamiliar people who are unescorted or not showing visible identification and are prohibited from facilitating the entry by such unfamiliar people.

Infrastructure

Cloud Hosting

LeaseQuery solutions are hosted within Amazon Web Service’s (AWS) data centers and only leverage US-based regions/data centers. For more detail regarding AWS data center security, see: https://aws.amazon.com/compliance/data-center/data-centers/

Organizational Security

Acceptable Use

LeaseQuery has developed written requirements regarding the handling and storage of information assets, acceptable access to LeaseQuery systems and networks, and the secure and acceptable use of LeaseQuery-issued equipment.

Organizational Security

Central Contact

LeaseQuery’s Chief Information Security Officer (CISO) is responsible for developing and enforcing information security policies.

Organizational Security

Contractor Usage

LeaseQuery’s potential third-party agencies are required to undergo a thorough information security and legal review before engagement. This includes signing agreements with confidentiality obligations, only accessing LeaseQuery’s systems and data through approved and monitored means, and restricting access and rights to limit risk exposure. LeaseQuery performs periodic contractor access reviews to limit exposure risk to data and systems.

Organizational Security

Employee Background Checks

LeaseQuery conducts background checks on all new employees prior to commencing work.

Organizational Security

Employee Status Change

Disablement of access for separated employees is conducted promptly following notice from LeaseQuery’s Human Resources department. A written User Access Form is completed to identify any access level changes or terminations. When an employee separates from LeaseQuery, the Human Resources department submits tickets to the Information Technology department requesting the date and time to terminate access. At that time, associated accounts are deactivated, access rights blocked, and all hardware reclaimed. LeaseQuery performs periodic access reviews to ensure only active full-time employees and contractors have access to the systems.

Organizational Security

Personnel Security

Each new employee (as a condition of employment) is required to agree to (1) a protective covenants agreement that includes non-disclosure obligations and (2) the Employee Handbook, which incorporates LeaseQuery’s documented Information Security Policy.

Organizational Security

Security Program

LeaseQuery maintains an information security program, which includes policies, standards and practices. The information security program is informed by several industry guidelines and was developed in close consultation with all internal stakeholders as well as third-party security experts. LeaseQuery’s board meets periodically to review and update applicable policies and convenes more frequently as needed for emergency policy adjustments.

Organizational Security

Secure Remote Access

LeaseQuery personnel leverage end-to-end encryption providing a private and secure connection to LeaseQuery’s network and systems. Virtual Private Network (VPN) connections are monitored and access is audited regularly.

Organizational Security

Separation of Duties

For incompatible or sensitive functions, LeaseQuery enforces separation of duties both statically (e.g. role-based permissions) and dynamically (e.g. controlling access at time of access). LeaseQuery also enforces the principle of least privilege, restricting access and rights to introduce changes to only those necessary.

Organizational Security

Training and Awareness

All new hires complete an information security training program and submit a written acknowledgment of receipt of the Company’s Information Security Policy. In addition, LeaseQuery’s Chief Information Security Officer oversees the provision of recurring periodic training/refreshers on current threats, as well as material changes to policy.

Operational Security

Asset Management

All equipment issued by LeaseQuery to its personnel must be requested, issued, inventoried and returned using a predefined procedure.

Operational Security

Procurement

All personnel are instructed to consult with the Chief Information Security Officer before procuring any new systems or forming new vendor relationships that involve (or changing existing vendor relationships so that they involve) any access by the vendor to any LeaseQuery system or any sharing with the vendor of (including sharing of access to) any confidential information.

Threat and Vulnerability Management

Antivirus Antimalware

LeaseQuery deploys sophisticated antivirus/antimalware on all systems, including heuristic and behavioral-based detection methodologies. Full scans run at least weekly on all systems.

Threat and Vulnerability Management

Penetration Testing

LeaseQuery actively performs periodic penetration testing using external partners. When vulnerabilities are detected, LeaseQuery prioritizes remediation based on threat potential, deploys changes to test environments to validate remediation, then uses automated deployments to production–with Quality Assurance testing throughout. LeaseQuery’s goal is to detect and mitigate all risks as quickly as possible to ensure a high bar of security for our customers. In order to protect our customers, LeaseQuery cannot disclose the findings of these penetration tests as that information could be used to compromise LeaseQuery’s systems.

Threat and Vulnerability Management

Responsible Disclosure

LeaseQuery understands that the disclosure of vulnerabilities helps ensure protection and privacy across the internet. LeaseQuery maintains policies and procedures governing the responsible disclosure of known vulnerabilities which present material risk to LeaseQuery customers or partners.

Threat and Vulnerability Management

Risk Mitigation

LeaseQuery engages in ongoing risk analysis and reporting primarily through a cadence of frequent and regularly scheduled meetings with the Chief Information Security Officer and executive management, including the Chief Executive Officer. The Chief Information Security Officer also maintains contact with security forums and other notification agencies to help identify threats and vulnerabilities.

Threat and Vulnerability Management

Vulnerability Management

LeaseQuery actively performs full-stack vulnerability scans using industry-leading tooling. When vulnerabilities are detected or reported, LeaseQuery prioritizes remediation based on threat potential, deploys changes to test environments to validate remediation, then uses automated deployments to production–with Quality Assurance testing throughout. LeaseQuery’s goal is to detect and mitigate all risks as quickly as possible to ensure a high bar of security for our customers.