6/15/2023 | MOVEit notice: LeaseQuery is aware of the SQL injection vulnerability identified within the MOVEit transfer web application and we have determined that LeaseQuery’s software is not directly affected. LeaseQuery continues to work with all third-party partners and/or service providers to gather information and assess the potential threat. We will continue to update this page as more information is made available.

Trust Center

At LeaseQuery, we realize that security and reliability are very important to our clients.

Our clients trust us with their data and we take this responsibility very seriously. Ensuring the security of our clients’ data, and the systems and applications that store this data, is a top priority for us.

LeaseQuery welcomes any and all security community support to further protect our systems and customers. Please use the following form to register a security-related question or concern.

Trust Center

At LeaseQuery, we realize that security and reliability are very important to our clients.

LeaseQuery welcomes any and all security community support to further protect our systems and customers. Please use the following form to register a security-related question or concern.

CATEGORY

TOPIC

DETAILS

Accessibility

LeaseQuery is committed to making our software applications and websites accessible to people with all levels of ability.

We are constantly working towards improving our user experience to ensure we provide equal access to all of our users. As such, our efforts are guided by the Web Content Accessibility Guidelines (WCAG), which defines requirements for designers and developers to improve accessibility for people with disabilities.

If you have any questions regarding our applications, contact us at
1-800-880-7270 or customersupport@leasequery.com for assistance and feedback.

Artificial Intelligence/Machine Learning

AI/ML

LeaseQuery leverages an internal, proprietary AI/ML technology to aid our customers in entering the details of their leases as easily, quickly, and accurately as possible. LeaseQuery’s AI-assisted lease entry only uses artificial intelligence and models developed and hosted in-house.

With permission from select customers, we trained our model to recognize various types of leases to better detect where information is located in an individual lease. The output of the AI/ML system consists of predictions for each relevant field, which are then verified by the customer’s end users. All data is handled to the same security standards for all LeaseQuery solutions.

Asset Security

Baselines

LeaseQuery leverages baselines to ensure compliance, stability, and security. This includes code repositories and version control, hardened/golden images, enforced user and system policies, performance and stability metrics/reporting, and more–with logging and alerting to capture changes.

Asset Security

Hardening Standards

Servers and client systems are hardened from deployment and maintained afterwards with sophisticated practices, security fixes, firewalls, and antimalware tooling. Each server is restricted to only the ports and services required to run the application. Only essential applications are permitted to execute on servers. Access to these servers is highly restricted with least-privileged-based permissions and only authorized systems are allowed non-https access via access controls and firewall restrictions.

Availability and Reliability

Change Management

LeaseQuery has developed a written change control standard to mitigate the risk that the security, availability and integrity of system software, systems and information are compromised when there are changes to the Solution. No software is permitted to be installed in the production environment for the Solution unless it has been tested, reviewed and approved in accordance with these requirements. These requirements govern the entire change control process, through ticket creation, ticket prioritization, development, quality assurance, communication plans, approval, deployment and hotfixes.

Availability and Reliability

Code Review

LeaseQuery uses both manual and automated tooling to scan developed code for security, stability, and efficiency.

Availability and Reliability

Segregation of Environments

LeaseQuery separates development and production environments to reduce the risk of unfinished or malfunctioning software being used in production. To accomplish this, LeaseQuery utilizes web application firewalls, stateful packet inspection firewalls, and access control lists to separate and protect computing environments. Firewall policies and rules are in place and are reviewed periodically to ensure only approved access is allowed.

Business Continuity

Backups

LeaseQuery leverages periodic data backups to protect customer information, which is encrypted at-rest and replicated across multiple Amazon Web Services (AWS) regions. Backup restores are tested regularly.

Business Continuity

LeaseQuery’s solutions, including all data stored, are hosted in at least two different geographic regions in the United States.

Business Continuity

Disaster Recovery

LeaseQuery has developed a written Disaster Recovery plan for business continuity purposes, which is managed by the Company’s Chief Operating Officer and is designed to facilitate the resumption of business operations efficiently following a disaster (which results in the inability of LeaseQuery or its personnel to perform all or some of their services, regular roles and responsibilities for a period of time). A disaster is not necessarily related to a security event, but depending on the circumstances, both the Security Incident Response Plan and the Disaster Recovery plan could be initiated simultaneously in connection with the same event. LeaseQuery’s Disaster Recovery plan is assessed, at minimum, annually.

Compliance

CCPA

LeaseQuery is compliant with the California Consumer Privacy Act (the “CCPA”). California residents may have additional privacy rights under the CCPA. For more information, please see LeaseQuery’s Privacy Statement.

Compliance

GDPR

LeaseQuery maintains a strong commitment to privacy, security, compliance and transparency. This approach includes supporting our customers’ compliance with the European Union’s (EU) General Data Protection Regulation (GDPR). If a customer needs to share personal data of EU citizens with LeaseQuery in order for LeaseQuery to provide its services, the GDPR may impose privacy-related compliance obligations on the customer with respect to its engagement of LeaseQuery as its subprocessor. In these circumstances, we can support our customers’ compliance needs by entering into a data protection addendum (a DPA) with contractual commitments required by the GDPR. To request a GDPR-compliant DPA, simply contact your LeaseQuery sales or customer support representative.

Compliance

Hardware

LeaseQuery complies with NDAA Sec. 889 and does not leverage technologies manufactured by the following entities (or any subsidiary or affiliate of such entities):

Huawei Technologies Company
ZTE Corporation
Hytera Communications Corporation
Hangzhou Hikvision Digital Technology Company
Dahua Technology Company

Compliance

HIPAA

LeaseQuery is not subject to Health Insurance Portability and Accountability Act (HIPAA) because LeaseQuery’s service does not involve any protected health information.

Compliance

SOC

LeaseQuery is audited and receives a SOC I Type II report, as defined by the American Institute of Certified Public Accountants, twice per year from a Big 4 accounting firm. LeaseQuery’s SOC reports are available to all customers and by request for prospective customers. More information can be provided by contacting: complianceinfo@leasequery.com

Data Security

Data Classification

LeaseQuery leverages multiple classifications to govern the storage and handling of information—both electronic and physical—based on the information’s sensitivity. Information access and disclosure is restricted to authorized parties. All customer data is treated as “highly sensitive confidential information”, the highest level of confidentiality under LeaseQuery’s Information Security Policy.

Data Security

Data Encryption At-Rest

Data stored in LeaseQuery solutions or in backup systems are encrypted with 256-bit AES encryption. This includes full database encryption.

Data Security

Data Privacy

The personal data LeaseQuery needs to provide its service is limited to the names and business contact information of its users, as well as logfiles reflecting usage of the solution. If LeaseQuery customers choose to upload their contracts to LeaseQuery’s solution, those contracts may include names and business contact information relating to the lease counterparties and any individuals identified by such leases (e.g., an individual identified as a point of contact for receiving notices under the lease). Sensitive personal information is not permitted to be uploaded to LeaseQuery’s solution.

Please see LeaseQuery’s data privacy statement for more information.

Data Security

Data Retention and Disposition

LeaseQuery maintains a written document and data retention standard, which is incorporated into the Information Security Policy, governing the retention, destruction and return of confidential information, including, without limitation, client data.

Our subscription agreement requires us to retain your data for at least 90 days after the termination or expiration of your subscription agreement (coinciding with your quarterly reporting cycle) to ensure you have sufficient opportunity to retrieve your data; however, you can also always request the exportation of your data during the term of the subscription or within 90 days thereafter.

Data Security

Digital Certificates

LeaseQuery leverages industry-recognized Certificate Authorities to provide full lifecycle management of LeaseQuery certificates, including enrollment, distribution, validation, revocation, and renewals.

Data Security

Data Encryption In-Transit

All interchanges of client lease data to and from the Solution are encrypted using at least an SSL certificate (TLS 1.2) with 2048-bit RSA encryption, which is renewed yearly.

Data Security

Non-disclosure agreements

All LeaseQuery employees, customers, vendors, and contractors with access to customer data are required to sign agreements with confidentiality obligations.

Data Security

Secrets Management

LeaseQuery leverages sophisticated encryption technology, methodologies, and best practices for secrets management throughout our solution.

Data Security

Password

Passwords are salted and leverage Secure Hash Algorithm (SHA) one-way hashing.

Identification, Authentication, Authorization, Auditing, and Accountability

Access Control

Internally, LeaseQuery leverages Role-Based Access Controls (RBAC)/methodologies with an approved matrix governing administrative access. LeaseQuery employees are subject to need-to-know and least-privileged basis access controls wherever it is practicable to do so, based upon the security requirements and business requirements of individual business applications. LeaseQuery does not allow for shared accounts.

For customer-facing solutions, LeaseQuery maintains formally defined external user types, with varying access rights and privileges based on the role of the user.

Identification, Authentication, Authorization, Auditing, and Accountability

Identification

All LeaseQuery personnel and contracted agencies are uniquely identified and issued unique accounts for identification, authentication, authorization, and accountability. All employees and contracted agencies also require uniquely identifying badges to access LeaseQuery facilities.

Identification, Authentication, Authorization, Auditing, and Accountability

Job Roles

Responsibilities of staff regarding information security are formally addressed in LeaseQuery’s Information Security policy.

Identification, Authentication, Authorization, Auditing, and Accountability

Passwords

All LeaseQuery personnel are subject to written policies regarding secure storage of passwords, minimum password strength requirements, mandatory periodic password change requirements, and automatic lockouts after multiple failed login attempts. In addition, LeaseQuery employs credential management/rotation systems to rotate credentials periodically.

Identification, Authentication, Authorization, Auditing, and Accountability

Single-Sign On (SSO)

LeaseQuery can integrate with any single sign-on (SSO) system that supports Security Assertion Markup Language (SAML) 2.0.

Incident Management and Response

Incident Response Plan

LeaseQuery has developed an integrated Security Incident Response Plan which establishes a cross-functional response team comprised of professionals from all appropriate business functions, including information technology, legal, human resources, public relations, operations, as well as executive management representation. The Security Incident Response Plan contains written procedures for escalating and containing the incident, as well as documenting the response. Following the initial response, the Security Incident Response Plan includes additional procedures regarding after-the-fact analysis, investigation, mitigation and correction, and third-party notification.

Incident Management and Response

Monitoring and Logging

LeaseQuery logs are centrally managed and retained according to LeaseQuery’s Data Retention Policy. LeaseQuery utilizes network logging to ensure that no unauthorized users access the system, which provides monitoring, alerting and reporting. The security logs include a log of all users that log in to the system along with their IP address, as well as standard windows logs of any user who logs into the servers. LeaseQuery also leverages endpoint monitoring and logs user actions. While LeaseQuery cannot disclose the exact retention duration, logs are centrally managed and retained according to LeaseQuery’s Data Retention Policy.

Infrastructure

Data Center

All LeaseQuery web-based solutions run within Amazon Web Service’s (AWS) cloud infrastructure:

AWS datacenter compliance controls: https://aws.amazon.com/compliance/data-center/controls/
AWS datacenter SOC reports: https://aws.amazon.com/compliance/soc-faqs

Infrastructure

Physical Security

Physical security controls, designed under the supervision of the Chief Information Security Officer, are used to restrict entry into LeaseQuery facilities and all areas within LeaseQuery’s facilities where tangible highly sensitive confidential information is physically stored. Visitors to LeaseQuery facilities are allowed in only for authorized purposes. Employees are instructed to question unfamiliar people who are unescorted or not showing visible identification and are prohibited from facilitating the entry by such unfamiliar people.

Infrastructure

Cloud Hosting

LeaseQuery solutions are hosted within Amazon Web Service’s (AWS) data centers and only leverage US-based regions/data centers. For more detail regarding AWS data center security, see: https://aws.amazon.com/compliance/data-center/data-centers/

Organizational Security

Acceptable Use

LeaseQuery has developed written requirements regarding the handling and storage of information assets, acceptable access to LeaseQuery systems and networks, and the secure and acceptable use of LeaseQuery-issued equipment.

Organizational Security

Central Contact

LeaseQuery’s Chief Information Security Officer (CISO) is responsible for developing and enforcing information security policies.

Organizational Security

Contractor Usage

LeaseQuery’s potential third-party agencies are required to undergo a thorough information security and legal review before engagement. This includes signing agreements with confidentiality obligations, only accessing LeaseQuery’s systems and data through approved and monitored means, and restricting access and rights to limit risk exposure. LeaseQuery performs periodic contractor access reviews to limit exposure risk to data and systems.

Organizational Security

Employee Background Checks

LeaseQuery conducts background checks on all new employees prior to commencing work.

Organizational Security

Employee Status Change

Disablement of access for separated employees is conducted promptly following notice from LeaseQuery’s Human Resources department. A written User Access Form is completed to identify any access level changes or terminations. When an employee separates from LeaseQuery, the Human Resources department submits tickets to the Information Technology department requesting the date and time to terminate access. At that time, associated accounts are deactivated, access rights blocked, and all hardware reclaimed. LeaseQuery performs periodic access reviews to ensure only active full-time employees and contractors have access to the systems.

Organizational Security

Personnel Security

Each new employee (as a condition of employment) is required to agree to (1) a protective covenants agreement that includes non-disclosure obligations and (2) the Employee Handbook, which incorporates LeaseQuery’s documented Information Security Policy.

Organizational Security

Security Program

LeaseQuery maintains an information security program, which includes policies, standards and practices. The information security program is informed by several industry guidelines and was developed in close consultation with all internal stakeholders as well as third-party security experts. LeaseQuery’s board meets periodically to review and update applicable policies and convenes more frequently as needed for emergency policy adjustments.

Organizational Security

Secure Remote Access

LeaseQuery personnel leverage end-to-end encryption providing a private and secure connection to LeaseQuery’s network and systems. Virtual Private Network (VPN) connections are monitored and access is audited regularly.

Organizational Security

Separation of Duties

For incompatible or sensitive functions, LeaseQuery enforces separation of duties both statically (e.g. role-based permissions) and dynamically (e.g. controlling access at time of access). LeaseQuery also enforces the principle of least privilege, restricting access and rights to introduce changes to only those necessary.

Organizational Security

Training and Awareness

All new hires complete an information security training program and submit a written acknowledgment of receipt of the Company’s Information Security Policy. In addition, LeaseQuery’s Chief Information Security Officer oversees the provision of recurring periodic training/refreshers on current threats, as well as material changes to policy.

Operational Security

Asset Management

All equipment issued by LeaseQuery to its personnel must be requested, issued, inventoried and returned using a predefined procedure.

Operational Security

Procurement

All personnel are instructed to consult with the Chief Information Security Officer before procuring any new systems or forming new vendor relationships that involve (or changing existing vendor relationships so that they involve) any access by the vendor to any LeaseQuery system or any sharing with the vendor of (including sharing of access to) any confidential information.