Trust is our top priority
We keep an eye open to protect your data
As a leading SaaS provider for the past 15‐plus years, we get that cloud-based solutions may make you raise your eyebrows. Well, this should give you some peace of mind: We’ve done a lot during that time to offer best-in-class security as a part of our core service. While there’s no bulletproof solution to data protection, every day we do everything we can to even exceed your expectations.
We believe that transparency is a key in earning your trust. So, we're more than happy to help you understand how we, as your security team, have figured out some of the best ways to protect your data, how we manage it, and how we comply with international regulations. Read on to learn all about our security models and what they can do for you. Thanks for stopping by!
Security in Everything We Do
LivePerson's security model goes way back. It was developed based on years of experience in SaaS operations, close relationships with Enterprise customers’ security teams, frequent assessments with auditors, and deep roots in the security community. We consistently draw upon these to improve our platform and meet the highest standards of security. Our model gives you assurance across multiple fronts, including physical security, governance, operations, application security, built‐in security features, and business continuity.
Some of the built-in platform security features include:
- Optional AES encryption for data at rest
- Sensitive data masking and obfuscation
- Customer-controlled log‐in policy (password complexity, IP‐based access lists)
- Full visibility to actions and operations via audit trail and logs
- Flexibility to restrict LivePerson access to account information and data
Following the Rules
Now to the nitty-gritty. The compliance program is an important component of our security offering and lets you confirm the status of information security in relation to the data that LivePerson provides. It’s both broad and ever-expanding to support your personal needs, as LivePerson customers come from different verticals and are required to meet various standards.
SSAE 16 SOC2 (Formerly SAS70)
As of 2008, LivePerson complies with the reporting requirements defined by the American Institute of Certified Public Accountants (AICPA). We undergo yearly audits across all aspects of our business and production operations, including our data centers.
LivePerson has been ISO 27001 certified since 2012. This is the highest level of global information security assurance available today and provides our customers the assurance that LivePerson meets stringent international standards on security. You can find the certificate here.
PCI DSS 2.0
As part of our efforts to help you get credit card data from your customers in a reliable and trusted manner, LivePerson complies with PCI DSS 2.0 for the Secure Chat Form and the Billing system, which certifies the safe and secure handling of cardholder information. As overseen by the Payment Card Industry Security Standards Council (PCI SSC), LivePerson places tough controls around cardholder data as both a service provider and merchant.
Since we are a global company that serves customers in the United States and the European Union, LivePerson is Safe Harbor-certified under the US Department of Commerce Safe Harbor program for the EU.
As a company traded in NASDAQ, LivePerson complies with the SOX certificate. We undergo yearly audits across all aspects of our business related to finance and security and have sustained and even surpassed all requirements.
HIPAA Through the Business Associate Agreement (BAA)
Customers from the medical services industry need to comply with HIPAA, and, as a service provider, LivePerson enters into business associate agreements (BAAs) with HIPAA-covered entities, certifying that LivePerson protects personal health information (PHI) in accordance with HIPAA guidelines.
SkyHigh Enterprise Ready
Lastly, LivePerson complies with SkyHigh Enterprise Ready. The certificate assures customers that we offer the best security as a cloud provider.
Penetration Testing 101
LivePerson works around the clock to give you the best and most secure application. As part of this commitment, LivePerson developed a comprehensive SSDLC (Secure Software Development Life Cycle).
This program contains several components:
- Design & Planning: The security team is involved in all major projects and takes an active part in the design process.
- Training & Awareness: Secure coding and ethical hacking training for R&D and QA teams are performed by application security experts from a leading third party specializing in that domain.
- Static Code Analysis: Code reviews are performed by senior R&D leaders based on OWASP recommendations, and an automated static code analysis/scan is performed upon the build check-in process, which is done using the Checkmarx tool.
- Dynamic Analysis: Various scenarios are also tested with a set of dynamic tools (like PortSwigger BurpSuite).
- Routine Security Scans: Vulnerability scans on the platform are performed on a regular basis using McAfee Secure scanning service
- Application Pen-Tests: These are performed by an independent third party on every major release (usually twice a year). The executive summary letter of opinion is available for review here.
- Customer Independent Tests: Upon appropriate coordination with LivePerson and documented approval, we welcome customers to conduct penetration tests and vulnerability assessments of their own as part of our secure software development lifecycle. As a reference, in the last year alone, LivePerson underwent 30 pen-tests originating from Enterprise customers and more than 300 customers’ due diligence and assessment processes.
- View the case study: 10 Steps to Agile Development without Compromising Enterprise Security
Basically, we are always looking to be better, and it shows.
Secure, Stable, & Reliable Infrastructure
As a leading SaaS provider, LivePerson recognizes the importance of securing the infrastructure at all levels — state of the art, best of breed.
- Data is stored and partitioned in a manner that ensures each customer can only access their own data
- Hardened servers
- 24/7 monitoring and incident response by dedicated team
- Full redundancy and backup
- Comprehensive business continuity plans in place
Secured Physical Premises
LivePerson’s datacenter facilities adhere to the highest security standards.
- Four top-notch US and EU based datacenters
- Two primary sites
- Two disaster recovery sites
- Private LivePerson cages
- Operated by LivePerson (datacenter staff do not have permissions or access to information)
- Two-factor biometric access control
- Unmarked locations
- 24/7 CCTV and guards
Tips & Resources
Here are some helpful tips and resources to help you protect your LivePerson account:
- Account Configuration Tips: LivePerson recommends to use the comprehensive set of security tools provided in your account
- Password Policy
- Set “Minimum number of characters” to 8
- Set “Maximum sequential characters” to 2
- Set “Maximum occurrences of same character” to 2
- Enable alpha character requirement
- Enable number character requirement
- Enable special character requirement
- Enable restriction of commonly used password phrases.
- IP Policy
- Enable the IP restriction tool. By using this tool the access to the Admin console and the Agent console can be done only from approved locations.
- Login Policy
- Enable “disabling after failed login”; LivePerson recommend to set the number to 5
- Enable “Account lockout after inactive time”; LivePerson recommend to set the number to 30 min.
- Avoid Fraud
- Look for a valid LivePerson certificate in the URL
- LivePerson will never ask you to provide your password over the phone, email or chat.