Table of Contents:
- Where is LeanKit hosted?
- Where does customer data reside?
- Who controls the LeanKit data centers?
- Who is responsible for patching?
- Are privileged actions monitored and controlled?
- How does LeanKit isolate customer data?
- Does the LeanKit service provide in-transit encryption?
- Does Microsoft Azure publish its environmental controls?
- How does LeanKit protect against infrastructure or application intrusion?
- Does the LeanKit product undergo periodic penetration tests or secure code analysis?
Where is LeanKit hosted?
LeanKit is hosted on the Microsoft Azure Cloud platform in the United States. Microsoft Azure provides a reliable platform for software services used by thousands of businesses worldwide, delivers those services in accordance with security industry best practices, and undergoes industry-recognized certifications and audits (https://azure.microsoft.com/en-us/support/trust-center/).
Where does customer data reside?
Customer data resides in LeanKit databases, which are hosted in Microsoft Azure. The main LeanKit application infrastructure is redundant for failover purposes, with sites in both Virginia and Southern California.
Who controls the LeanKit data centers?
For LeanKit assets deployed in Microsoft Azure, all physical components are maintained by Microsoft. This includes the dedicated hardware, storage, network routers and switches, firewalls, etc. Software and operating system components hosted on these devices are controlled by LeanKit.
Who is responsible for patching?
Patching of all physical hardware is handled by Microsoft Azure. Software, operating system, application, and all host-based services are patched by LeanKit network operations. Patching on LeanKit systems is automated to ensure that the most recent working patches are in place.
Are privileged actions monitored and controlled?
Yes. Application event logs and infrastructure system logs are maintained in a central logging repository. This aggregated log collection is monitored for unauthorized activity, login attempts, excessive network traffic, and other abnormal activity. Activities in these logs include those of privileged users. A host-based intrusion detection system (IDS) is in place on infrastructure components, which provides additional monitoring and alerting for LeanKit systems.
How does LeanKit isolate customer data?
LeanKit customer data is logically separated from that of other customers in a multi-tenant database. This allows for proper client segregation as well as an easy way to retrieve a client's data when they request it. LeanKit offers a Private Cloud product for customers who need the added assurance of physically separating their data from that of other customers.
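Logical separation in a shared database comes down to one discipline: every query is bound to the caller's tenant. The following is an added example for this page, not LeanKit's schema or code. It builds a small in-memory SQLite table with an assumed `tenant_id` column, routes all reads through a repository that binds the tenant on every statement, and includes a deliberately unscoped lookup to show the defect that discipline prevents. The tenant-scoped export also illustrates the retrieval point above.

```python
"""Added example: tenant-scoped data access over a shared (multi-tenant) table.

Illustrative code written for this page, not LeanKit's. The `cards` table,
its columns and the tenant names are assumptions.
"""
import sqlite3


def build_demo_db():
    """Constructed sample data: two tenants sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.execute("CREATE INDEX cards_tenant ON cards(tenant_id)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?)",
        [
            (1, "acme", "Migrate billing"),
            (2, "acme", "Fix login bug"),
            (3, "globex", "Q3 roadmap"),
        ],
    )
    conn.commit()
    return conn


def lookup_card_unscoped(conn, card_id):
    """The defect: a lookup by id alone returns any tenant's row (shown for contrast)."""
    row = conn.execute("SELECT id, tenant_id, title FROM cards WHERE id = ?", (card_id,)).fetchone()
    return dict(zip(("id", "tenant_id", "title"), row)) if row else None


class TenantRepository:
    """All reads go through here; tenant_id is fixed at construction and bound on every query."""

    def __init__(self, conn, tenant_id):
        self.conn = conn
        self.tenant_id = tenant_id

    def get_card(self, card_id):
        row = self.conn.execute(
            "SELECT id, title FROM cards WHERE id = ? AND tenant_id = ?",
            (card_id, self.tenant_id),
        ).fetchone()
        return dict(zip(("id", "title"), row)) if row else None

    def export(self):
        """Everything belonging to this tenant, which is also what a data request would return."""
        rows = self.conn.execute(
            "SELECT id, title FROM cards WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        ).fetchall()
        return [{"id": r[0], "title": r[1]} for r in rows]


if __name__ == "__main__":
    conn = build_demo_db()
    acme = TenantRepository(conn, "acme")
    print("acme sees card 3:", acme.get_card(3))          # None: belongs to globex
    print("unscoped sees card 3:", lookup_card_unscoped(conn, 3))  # leaks across tenants
    print("globex export:", TenantRepository(conn, "globex").export())
```

The difference between the two lookups is the whole isolation story: an id is not an authorization decision, so the tenant predicate must be part of every statement rather than something callers remember to add. Fixing `tenant_id` in the repository constructor makes that hard to forget and easy to audit.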
Does the LeanKit service provide in-transit encryption?
Yes. The LeanKit application forces the user to communicate with TLS encryption for all network communication.
Does Microsoft Azure publish its environmental controls?
Yes. Microsoft Azure documentation can be found here: https://azure.microsoft.com/en-us/support/trust-center/. Additional and more specific documentation can be requested from Microsoft through LeanKit. Send Microsoft Azure security documentation requests to firstname.lastname@example.org.
How does LeanKit protect against infrastructure or application intrusion?
Infrastructure and application logs are maintained in a central, aggregated system with search rules in place for detecting unauthorized activity. Intrusion detection is enabled on critical infrastructure hosts and provides additional insight and alerting for the LeanKit infrastructure and application.
Does the LeanKit product undergo periodic penetration tests or secure code analysis?
Yes. The LeanKit application undergoes regular manual penetration testing, as well as regular static and dynamic code analysis. These tests are performed in a test/lab environment or by a third-party service, which ensures that the production application and data are not affected by such testing.