Trust is our top priority
As a leading SaaS provider for the past 15-plus years, we understand that working with cloud-based solutions may raise concerns and require a comprehensive review prior to adoption.
We’ve done a lot during that time to offer best-in-class security as a part of our core service. While there’s no bulletproof solution to data protection, we do everything we can to improve our practices and exceed your expectations.
We believe that transparency is key in earning trust. We’re happy to help you understand what we do to help protect your data, how we manage it, and how we comply with international standards.
LivePerson's security model was developed based on years of experience in SaaS operations, close relationships with Enterprise customers’ security teams, frequent assessments with independent auditors, and active involvement in the security community. We consistently draw upon these to improve our platform and meet the highest standards. As expected, the model is based on multiple layers, including physical security, governance, operations, application security, vulnerability assessments, built-in product security features, proactive monitoring and business continuity.
Some of the built-in platform security features include:
- Optional AES encryption for data at rest
- Sensitive data masking and obfuscation
- Customer-controlled log-in policy (password complexity, IP-based access lists)
- Full visibility to actions and operations via audit trail and logs
- Flexibility to restrict LivePerson access to account information and data
The LivePerson International Compliance Program is an important component of our security offering. We strive to meet the most relevant international security and privacy standards, to help our customers obtain reasonable assurance that our operations have been audited and are aligned with industry best practices as well as customer expectations.
SSAE 16 SOC2 (Formerly SAS70)
As of 2008, LivePerson complies with the reporting requirements defined by the American Institute of Certified Public Accountants (AICPA). We undergo yearly audits across all the areas related to service delivery. In addition to that, our Datacenter providers are also SSAE16 SOC2 certified.
LivePerson has been ISO 27001 certified since 2012. This certification provides assurance that LivePerson’s Information Security Management System is based on an internationally recognized set of policies, controls and practices.
Our ISO27001 certificate of compliance is available here.
PCI DSS 3.2
To help our customers facilitate secure transactions that involve credit cards, LivePerson complies with the Payment Card Industry Data Security Standard (PCI DSS) 3.2 for its Secure Form Widget and the Billing system.
GDPR & EU/US Privacy Shield
As a public company traded on NASDAQ, LivePerson complies with the controls and requirements dictated by the Sarbanes-Oxley Act. We undergo annual audits across all aspects of our business related to finance and security.
HIPAA Through the Business Associate Agreement (BAA)
Customers from the Health and Medical services industry are required to comply with HIPAA. To support that, LivePerson executes Business Associate Agreements (BAAs) with HIPAA-covered entities, certifying that LivePerson protects personal health information (PHI) in accordance with HIPAA guidelines.
Product & Application Security
LivePerson invests tremendous effort to help ensure the development and delivery of a secure platform. We follow a comprehensive Secure Software Development Life Cycle (SSDLC) that consists of the following concepts:
- Design & Planning: The security team is involved in all major projects and takes an active part in the design process.
- Training & Awareness: Secure coding and ethical hacking training for R&D and QA teams are performed by application security experts from leading third parties specializing in that domain.
- Static Code Analysis: OWASP-based reviews as well as automated static and dynamic scans are performed on the application.
- Routine Security Scans: Vulnerability scans on the platform are performed on a regular basis using industry leading vulnerability scanners.
- Application Vulnerability Assessments: Performed by independent third parties and ethical hackers on a regular basis as part of the SSDLC program.
- Customer Independent Tests: Upon appropriate coordination with LivePerson and documented approval, we welcome customers to conduct penetration tests and vulnerability assessments of their own against our platform. We find such tests valuable: the more tests are performed, the more we get to improve.
Infrastructure & Data Centers
Confidentiality, integrity, and availability of our customers' information are vital to their business operations and our own success. We use a multi-layered approach to protect that key information, constantly monitoring and improving our application, systems, and processes to meet the growing demands and challenges. LivePerson ensures that both the technologies selected, along with all aspects of our operations, support our high security regulatory standards.
Some examples are:
- Customer data is stored and partitioned in a manner that ensures each customer can only access their own data.
- Servers and operating systems are hardened according to best practices.
- 24/7 monitoring and incident response by dedicated team
- Full Redundancy, Backup and Disaster Recovery capabilities that are tested regularly
- Comprehensive Business Continuity Plans in place
We maintain six colocation datacenter facilities in the United States, Europe and Australia. Our facilities adhere to the highest security and industry standards and comply with SSAE16 SOC2 and other certifications. The LivePerson infrastructure is hosted in private LivePerson cages and is operated by LivePerson employees.
Here are some helpful tips and resources to help you protect your LivePerson account.
LiveEngage provides a robust set of security and privacy related capabilities. We encourage our customers to harden their accounts and follow security best practices, for example:
- Set “Minimum number of characters” to 8
- Set “Maximum sequential characters” to 2
- Set “Maximum occurrences of same character” to 2
- Enable alpha, numeric and special character requirement
- Enable the IP restriction tool. By using this tool, access to the Admin and Agent consoles can only be established from an approved list of IP ranges.
- Set “Account lockout after inactive time” to 30 minutes or less.
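The hardening settings above, expressed as checks a security engineer could run against candidate passwords, client addresses and idle sessions. This is an added example and not LivePerson's code or the LiveEngage product's own implementation; it assumes that "sequential characters" means a run of consecutive code points such as "abc" or "321", that "occurrences of the same character" are counted anywhere in the password rather than only adjacent repeats, and that the IP restriction list is a set of CIDR ranges. The passwords, ranges and timestamps are constructed for illustration.

```python
"""Account-hardening checks mirroring the recommended LiveEngage settings.

Added example, not LivePerson code. Assumptions (not stated on the page):
- "sequential characters" = a run of consecutive code points, ascending
  or descending ("abc", "321"); the setting caps the longest allowed run.
- "occurrences of same character" counts a character anywhere in the
  password, not only adjacent repeats.
- the IP restriction list is a list of CIDR ranges.
"""
import ipaddress
import string


def longest_sequential_run(password: str) -> int:
    """Length of the longest run of consecutive characters (ord +1 or -1)."""
    if not password:
        return 0
    longest = 1
    for direction in (1, -1):          # check ascending and descending runs
        run = 1
        for prev, cur in zip(password, password[1:]):
            if ord(cur) - ord(prev) == direction:
                run += 1
                longest = max(longest, run)
            else:
                run = 1
    return longest


def max_same_char(password: str) -> int:
    """Highest count of any single character in the password."""
    return max(password.count(c) for c in set(password)) if password else 0


def check_password_policy(password: str,
                          min_length: int = 8,
                          max_sequential: int = 2,
                          max_same: int = 2,
                          require_classes: bool = True) -> list:
    """Return a list of policy failures; an empty list means the password passes.

    Defaults match the recommended settings: minimum 8 characters, at most
    2 sequential characters, at most 2 occurrences of the same character,
    and alpha, numeric and special characters all required.
    """
    failures = []
    if len(password) < min_length:
        failures.append("too short (min %d)" % min_length)
    if longest_sequential_run(password) > max_sequential:
        failures.append("sequential run longer than %d" % max_sequential)
    if max_same_char(password) > max_same:
        failures.append("a character occurs more than %d times" % max_same)
    if require_classes:
        if not any(c.isalpha() for c in password):
            failures.append("no alphabetic character")
        if not any(c.isdigit() for c in password):
            failures.append("no numeric character")
        if not any(c in string.punctuation for c in password):
            failures.append("no special character")
    return failures


def ip_allowed(client_ip: str, allowlist: list) -> bool:
    """True if client_ip falls inside any CIDR range on the allowlist."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def session_expired(last_activity_ts: float, now_ts: float, max_idle_minutes: int = 30) -> bool:
    """Lock the session once it has been idle for max_idle_minutes or longer."""
    return (now_ts - last_activity_ts) >= max_idle_minutes * 60


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Passw0rd!", "abcdefgh", "aaa12345"):
        print(repr(pw), check_password_policy(pw) or "OK")
    ranges = ["203.0.113.0/24", "198.51.100.0/24"]        # constructed allowlist
    print(ip_allowed("203.0.113.7", ranges), ip_allowed("192.0.2.1", ranges))
    print(session_expired(1_700_000_000, 1_700_000_000 + 31 * 60))
```

`check_password_policy` reports every rule a candidate breaks rather than stopping at the first, which is what an administrator testing a proposed policy against existing passwords wants; `ip_allowed` uses the standard library's `ipaddress` so the same check covers IPv4 and IPv6 ranges.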
- Look for a valid LivePerson certificate in the URL
- LivePerson will never ask you to provide your password over the phone, email or chat.