LeadSquared Security

At LeadSquared, we understand that securing and protecting your data is the most important responsibility we have.

We have instituted organization-wide processes across all our business functions to ensure that we fulfil the responsibility of securing your data.

The following sections give a more detailed account of some of the systems we have put in place.

Physical Security

The LeadSquared development center in Bangalore is under 24×7 physical security protection. Only authorized personnel have access to the building and offices. Employees are granted access to the office only after authorization using biometric authentication. Critical locations in the office are accessible only to authorized individuals.

Important documents are stored in cabinets accessible only to authorized persons. The office is equipped with surveillance cameras, whose images are regularly monitored by authorized persons. A policy has been implemented to approve and regulate visitor access to the building.

The office is provided with 24×7 power supply, supported by an alternative uninterrupted power supply system to ensure smooth functioning in the event of power failure.

LeadSquared hosts its application and data in industry-leading Amazon Web Services, whose data centers have been thoroughly tested for security, availability and business continuity. For more details, please refer to the AWS Security Whitepaper.

Application Security

LeadSquared applications and services are all hosted in Amazon Web Services across its multiple regions. The infrastructure for databases and application servers is managed and maintained by the cloud service providers.

At LeadSquared, we take an integrated approach to application security to ensure that everything from engineering to deployment, including architecture and quality assurance processes, complies with our highest standards of security.

Application Architecture

The application is initially protected by AWS’s firewall, which is equipped to counter regular DDoS attacks and other network-related intrusions. The second layer of protection is a web application firewall (WAF), which monitors against offending IPs, users and spam.

While the application can be accessed only by users with valid user access, it should be noted that security in cloud-based products is a shared responsibility between the company and the businesses who own those accounts on the cloud. In addition to making it easy for administrators to enforce industry-standard password policies on users, our products also come with features aimed at securing business data on the cloud:

  • Role based access
  • Sales Groups
  • Permission Templates
  • Whitelisting IPs for exclusive access

LeadSquared uses a multi-tenant data model to host all its applications. Each customer has a separate database and we ensure that the code always fetches only the data that belongs to the logged-in tenant. Per this design, no customer has access to another customer’s data. Access to the application by the LeadSquared development team is also controlled, managed and audited. Access to the application and the infrastructure is logged for subsequent audits.

Application Engineering and Development

We follow a secure software development lifecycle, where security testing is part of development, testing and pre-release acceptance. A security review is a mandatory part of the application engineering (development and construction) process at LeadSquared.

Software Changes and Release Management

Changes in our production environment follow a very well-defined, systematic process from development and test environments to verifying the changes finally on staging before production deployment. Production deployments are only done by authorized DevOps team members, and nobody else has access to our production environment.

Production Monitoring

We have a dedicated 24×7 NOC team that monitors the application for suspicious activities or attacks.

We conduct regular external third-party audits to certify the state of security in our applications and services.

Data Security

LeadSquared takes the protection and security of its customers’ data very seriously. LeadSquared manages the security of its application and customers’ data.

The LeadSquared development team has no access to data on production servers. Changes to the application, infrastructure, web content and deployment processes are documented extensively as part of an internal change control process.

LeadSquared takes the integrity and protection of customers’ data very seriously. Data at rest is encrypted using AES-256 bit standards (key strength – 1024) with the keys being managed by AWS Key Management Service. All data in transit is encrypted using FIPS-140-2 standard encryption over a secure socket connection for all accounts hosted with us.

Different environments are in use for development and testing purposes. Access to systems is strictly managed on a need-to-do/need-to-know basis appropriate to the information classification, with Segregation of Duties built in, and is reviewed on a quarterly basis.

Data Deletion

When your account with us is terminated, we ensure that all your data is deleted cleanly. The details are listed in our terms of service.

Network Security

The LeadSquared office network where updates are developed, deployed, monitored and managed is secured by industry-grade firewalls and antivirus software, to protect internal information systems from intrusion and to provide active alerts in the event of a threat or an incident. Firewall logs are stored and reviewed periodically. Access to the production environment is via SSH and remote access is possible only via the office network. Audit logs are generated for each remote user session and reviewed. Also, access to production systems is always through a multi-factor authentication mechanism.

Our data centers, hosted in AWS, are ISO 27001, SSAE-16 and HIPAA compliant.

Reporting issues and threats

At LeadSquared we take the protection of our customers’ data very seriously. If you have found any issues or flaws impacting the data security or privacy of LeadSquared users, please write to security@leadsquared.com with the relevant information so we can get working on it right away.

We ask that you do not share or publicize an unresolved vulnerability with/to third parties. If you submit a vulnerability report, the LeadSquared security team and associated development teams will use reasonable efforts to:

  • Respond in a timely manner, acknowledging receipt of your vulnerability report
  • Investigate the reported issue and provide an estimated time frame for addressing the vulnerability report. We might ask for your guidance in identifying or replicating the issue and understanding any means of resolving the threat right away
  • Notify you when the vulnerability has been fixed

We sincerely appreciate your help in detecting and fixing flaws in our platform, and will acknowledge your contribution to the world once the threat is resolved.

Public Disclosure Policy

By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:

“THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO PUBLIC, FAILING WHICH SHALL BE LIABLE FOR LEGAL PENALTIES!”

The Fine Print

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. LeadSquared/MarketXpander employees and their family members are not eligible for bounties.

We encourage individuals outside our organization to help us find security vulnerabilities in our platform. Such individuals may use these guidelines to responsibly disclose issues:

  • Please write to security@leadsquared.com with details of any potential vulnerability in our products, meeting all the below mentioned criteria. We will get back within 48 hours of your submission.
  • Please refrain from doing security testing in existing customer accounts.
  • While doing your tests, please ensure that you do not violate our privacy policies, modify/delete unauthenticated user data, disrupt production servers, or degrade user experience.
  • If your finding is valid and unique, we would be happy to acknowledge your efforts in our Hall of Fame page.

The following domains are in scope:

  • run.leadsquared.com
  • api.leadsquared.com

Please exclude the following test cases while conducting your tests:

  • Denial of Service attacks and Distributed Denial of Service attacks
  • Rate limiting, brute force attack
  • Missing HTTP security headers and cookie flags on insensitive cookies
  • Clickjacking / UI Redressing attack
  • Self-XSS and XSS that affects only outdated browsers
  • Host header and banner grabbing issues
  • Automated tool scan reports. Example: Web, SSL/TLS scan, Nmap scan results, etc.
  • Login/logout/low-business impact CSRF
  • Unrestricted file uploads
  • Open redirects – unless they can be used for actively stealing tokens
  • User enumeration such as user email, user ID, etc.
  • Session fixation and session timeout
  • Phishing / Spam (including issues related to SPF/DKIM/DMARC)

 


We sincerely thank the following individuals who have responsibly disclosed one or more security vulnerabilities in the LeadSquared platform. This has enabled us to serve our customers better.

John Steven Bullecer

Amal Jacob