As of the date of this agreement, Level’s technical and organizational measures, including technical and organizational measures to ensure the security of the data, include the following:
User Access Management. Level maintains proper controls for requesting, approving, granting, modifying, revoking and revalidating user access to systems and applications containing information relating to an identified or identifiable natural person (“Personal Information”) and, where applicable, utilizes commercially available and industry-standard encryption technologies. Personal Information includes “personal data” as defined under the GDPR and “personal information” as defined under the CCPA.
Level restricts access to Personal Information to employees with a defined need-to-know or a role requiring such access. Access is reviewed on a regular basis for continued business needs.
Passwords. Level enforces password complexity and ensures that applications containing sensitive data are password protected.
Level uses an entropy-based password strength meter to prevent users from choosing weak passwords that would leave their account vulnerable to brute force attacks.
Awareness & Training. Level has developed a culture of security and data protection awareness and ensures that employees know the legal requirements and what is expected of them. As such, Level requires all employees to undergo security and anti-fraud awareness training upon hire and annually thereafter. We also require that employees certify their compliance with Level’s ethical business conduct, confidentiality, and security policies annually.
Security Policies. Level maintains and follows security policies and procedures that are integral to Level’s business. Adherence to these policies and procedures is mandatory for all Level employees, including vendors/contractors. Level security policies are reviewed periodically and amended as Level deems reasonable.
Level provides additional policy and process training to employees granted administrative access to security components that are specific to their role, and as required to maintain compliance and certifications.
Physical Security. Level maintains physical access controls to authenticate and restrict unauthorized access to the Level workplace. Individually issued electronic badges are required to enter the Level workspace. Access is recorded by the security system. Upon termination, an employee’s badge access is deactivated to ensure they no longer have access to the Level workplace.
Audit. Level will maintain its SSAE 18 SOC 2 certification, PCI-DSS certification, and HIPAA/HITECH certification, for the term of the Underlying Agreement. These certifications will be renewed on an annual basis.
Upon Customer’s request, Level will provide a summary of its most recent SOC 2 report, PCI AOC, and HIPAA/HITECH certification once every 12 months of the term of the Underlying Agreement.
Level also follows guidelines from ISO 27001, National Institute of Standards and Technology (NIST) and other industry-standard practices.
Business Continuity. Level maintains business continuity, backup and disaster recovery procedures (BC/DR) that are designed to maintain service and/or recover from foreseeable emergency situations or disasters. BC/DR testing is performed at least annually.
Security Incidents. Level maintains an incident response plan and follows documented incident response policies including data breach notification without undue delay where a breach is known or reasonably suspected to affect Personal Information.
Change Management. Level’s change management process is enforced as part of our Continuous Integration pipelines.
Level maintains policies and procedures for applying changes to the Services, including underlying infrastructure and system components, to ensure quality standards are being met.
Data Security. Level maintains technical safeguards and other security measures to ensure the security and confidentiality of Personal Information.
Level logically segregates Personal Information in the production environment.
Encryption and Key Management. Level maintains policies and procedures for the management of encryption mechanisms.
Level encrypts data at rest and in transit (both internally and externally), as applicable, according to industry standard practice.
i. Data in transit. All data transmitted uses encrypted protocols:
ii. Data at rest. All database instances in AWS RDS are encrypted using AES-256, the standard option for RDS. Having this option enabled also encrypts the data at rest including the underlying storage for database instances, automated backups, read replicas, and snapshots. Additionally, we perform field level encryption for certain sensitive data fields.
Governance and Risk Management. Level maintains an information security program that is reviewed at least annually.
Level maintains a risk management program and performs periodic assessments of the potential risks to the confidentiality, integrity, and availability (CIA) of PHI held by Level, and the security of our production environment.
These risk analyses and assessments conform to NIST Special Publication 800-30, “Risk Management Guide for Information Technology Systems.”
Infrastructure Security. Level uses a secure network architecture with network segments designed to protect sensitive data. Private network segments use NAT Gateways, which prevent outsiders from initiating a connection with servers residing in the private network.
Level uses a variety of firewalls to restrict the type and source of data and provide robust network security. These firewalls include AWS Security Groups, Network ACLs, Web Application Firewalls, and AWS Network Firewall.
Level maintains an environment for testing and development separate from the production environment.
Vendor Management. Level has developed a Vendor Management program, which includes vendor security reviews for critical vendors to ensure that all Level services and sensitive data are protected in addition to compliance with Level Information Security Policies and Applicable Law.
Vulnerability Management. Level performs weekly scans of its network and also undergoes a penetration test of its network and Services on an annual basis. Any vulnerabilities found during this testing will be remediated in accordance with Level’s Vulnerability Management Policies and Procedures, and will be assessed on the basis of Level’s Risk Management Framework.
Level will maintain measures meant to identify, manage, mitigate and/or remediate vulnerabilities within the Level network and environments. Security measures include:
Last updated: November 23, 2022