Security Measures

Technical and organizational security measures to be implemented by Lattice: 

A. Annual Evidence of Compliance 

1. Third Party Security Audit:
Lattice is and shall continue to be annually audited against the SOC 2 Type II standard. The audit shall be completed by an independent third party. Upon Customer’s written request, Lattice will provide a summary copy (on a confidential basis) of the most recent resulting annual audit report, so that Customer can verify Lattice’s compliance with the audit standards against which it has been assessed and this DPA. Although that report provides an independently audited confirmation of Lattice’s security posture annually, the most common points of interest are further detailed below. Lattice shall provide Customer with this initial evidence of compliance within thirty (30) days of written request and annually upon written request.

2. Summary of Web Application Penetration Test:
Lattice shall continue to annually engage an independent third party to perform a web application penetration test. Upon Customer’s written request, Lattice shall provide a summary of the findings to Customer. Lattice shall address all medium, critical and severe vulnerabilities in the findings of the report within a reasonable, risk-based timeframe. Lattice shall provide Customer with this initial evidence of compliance within thirty (30) days of written request.

3. Security Awareness Training: Lattice shall provide annual Security Training to all personnel. “Security Training” shall address security topics to educate users about the importance of information security and safeguards against data loss, misuse or breach through physical, logical and social engineering mechanisms. Training materials should address industry standard topics which include, but are not limited to: 
• The importance of information security and proper handling of personal information.  
• Physical controls such as visitor protocols, safeguarding portable devices and proper data destruction. 
• Logical controls related to strong password selection/best practices. 
• How to recognize social engineering attacks such as phishing. 

4. Vulnerability Scan: Lattice shall ensure that vulnerability scans are performed on servers continuously and network security scans are completed at a minimum annually, in each case using an industry standard vulnerability scanning tool. 

B. Security 

1. Process-Level Requirements
a. Lattice shall implement user termination controls that include access removal / disablement promptly upon termination of staff.
b. Documented change control process will be used to record and approve all major releases in Lattice’s environment. 
c. Lattice shall have and maintain a patch management process to implement patches in a reasonable, risk-based timeframe. 

2. Network Requirements 
a. Lattice shall use firewall(s), Security Groups/VPCs, or similar technology to protect servers storing Customer Personal Data. 

3. Hosting Requirements 
a. Where Lattice handles Customer Personal Data, servers shall be protected from unauthorized access with appropriate physical security mechanisms including, but not limited to, badge access control, secure perimeter, and enforced user provisioning controls (i.e. appropriate authorization of new accounts, timely account terminations and frequent user account reviews). These physical security mechanisms are provided by data center partners such as, but not limited to, AWS, Salesforce and Google. All cloud-hosted systems shall be scanned, where applicable and where approved by the cloud service provider.
b. Cloud Environment Data Segregation: Lattice will virtually segregate all Customer Personal Data in accordance with its established procedures. The Customer instance of Service may be on servers used by other non-Customer instances. 

4. Application-Level Requirements 
a. Lattice shall maintain documentation on overall application architecture, process flows, and security features for applications handling Customer Personal Data. 
b. Lattice shall employ secure programming techniques and protocols in the development of applications handling Customer Personal Data. 
c. Lattice shall employ industry standard scanning tools and/or code review practices, as applicable, to identify application vulnerabilities prior to release. 

5. Data-Level Requirements 
a. Encryption and hashing protocols used for Customer Personal Data in transit and at rest shall support NIST approved encryption standards (e.g. SSH, TLS). 
b. Lattice shall ensure laptop disk encryption. 
c. Lattice shall ensure that access to information and application system functions is restricted to authorized personnel only. 
d. Customer Personal Data stored on archive or backup systems shall be stored at the same level of security or better than the data stored on operating systems. 

6. End User Computing Level Requirements 
a. Lattice shall employ an anti-virus solution with daily signature updates for end-user computing devices which connect to the Customer network or handle Customer Personal Data. 
b. Lattice will have a policy to prohibit the use of removable media for storing or carrying Customer Personal Data. Removable media include flash drives, CDs, and DVDs. 

7. Compliance Requirements 
a. Lattice will, when and to the extent legally permissible, perform criminal background verification checks on all of its employees that provide Services to Customer prior to obtaining access to Customer Personal Data. Such background checks shall be carried out in accordance with relevant laws, regulations, and ethics.
b. Lattice will maintain an Information Security Policy (ISP) that is reviewed and approved annually at the executive level.

8. Shared Responsibility
Lattice’s Service requires a shared responsibility model. For example, Customer must maintain controls over Customer user accounts (such as disabling/removing access when a Customer employee is terminated, establishing password requirements for Customer users, etc.).