Cloud Security Checklist| Laserfiche

See Why Fortune 500 Companies Trust Laserfiche Cloud with Their Data

Laserfiche Cloud helps secure data, improves regulatory compliance and provides a scalable platform for process automation and content management.

Security

Provide advanced data protection for your content with Laserfiche Cloud's robust security controls and advanced audit trail capabilities.

Current

Encryption in transit

All data sent between Laserfiche customers and applications is encrypted in transit using Transport Layer Security (TLS) with Perfect Forward Secrecy (PFS).

Encryption at rest

Data volumes on servers storing customer data and attachments in Laserfiche Cloud are encrypted at rest using industry-standard full-disk AES-256 encryption.

Multi-factor authentication

Multi-factor authentication can be enabled for a Laserfiche Cloud user account.

Single sign-on

Laserfiche Cloud supports single sign-on with Active Directory Federation Services (AD FS) and Security Assertion Markup Language (SAML).

Password policies

Laserfiche Cloud supports industry-standard password controls, such as password minimum length, complexity and history.

Vulnerability scanning

Laserfiche performs a vulnerability scan of backend servers that run in the Laserfiche Cloud hosting environment.

Penetration testing

Laserfiche engages third-party vendors to conduct external penetration testing of the Laserfiche Cloud system.

Intrusion detection

Laserfiche Cloud utilizes host-based intrusion detection systems to reduce the risk of data theft by individuals or organizations attempting to gain unauthorized access.

Firewalls

Laserfiche Cloud's firewall configuration settings are regularly reviewed based on industry standards.

Repository application auditing

Laserfiche Cloud supports auditing of both access to, and modification of, objects in repositories.

Access rights

Administrators can configure access rights and privileges to limit actions that users can perform across the repository based upon role assignments or group memberships.

Fine-grained access control

Administrators can use access rights to limit and control access to individual documents and objects. For example, security tags restrict access to documents on a document-by-document basis.

Repository audit log

The Laserfiche Cloud repository audit log includes details of user actions, including viewing, modifying, creating and deleting documents, and similar operations on metadata and other repository objects.

Upcoming

User provisioning and de-provisioning

Create, update and delete user accounts across applications and systems.

System for cross-domain identity management support for Laserfiche Cloud

Automate the creation, maintenance and deletion of user accounts to reduce the cost and complexity of user management operations and improve security.

Compliance

Laserfiche addresses several international data privacy and security standards and frameworks.

Current

SOC 2 Type 2

This report details the controls for Laserfiche Cloud related to the criteria for the security, availability and confidentiality principles set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

Privacy regulatory compliance

Laserfiche addresses privacy regulatory requirements in Laserfiche Cloud and as part of our business operations. This includes the California Consumer Privacy Act (CCPA) as well as leading international privacy standards such as the General Data Privacy Regulation (GDPR) of the European Economic Area. For more information, see: https://www.laserfiche.com/legal/privacy/.

Data processing agreement

Laserfiche's Cloud Subscription Agreement incorporates, by reference, a standard data processing agreement for customers with operations in the European Economic Area.

WORM Compliance for SEC 17a-4

Laserfiche Vault is a solution package of services and cloud-based features that supports stringent non-alterable record archival requirements such as WORM (write once, read many) compliance required by SEC Rule 17a-4 for broker dealers. Beyond financial services, Laserfiche Vault’s strict compliance mode can also be applied to support rigorous records management practices for electronically stored information (ESI) requiring prevention of any unauthorized alternations or deletions of digital records.

Voluntary Product Accessibility Section 508 Compliance

Laserfiche has published VPATs available for the web client, Public Portal, Import Agent, Connector, Laserfiche Microsoft Office Plug-in, the Laserfiche home page and its tabs including the task listing page and submitting forms, the process automation dashboard, listing pages and each process automation design tool, and custom reports.

Technical support documentation

Laserfiche provides detailed technical documentation that describes the functionality and architecture of the product to help support and streamline implementation.

Upcoming

CSA-CAIQ

Laserfiche has completed the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CSA-CAIQ) and it will be available soon.

HECVAT

Laserfiche has completed the Higher Education Community Vendor Assessment Toolkit (HECVAT) and it will be available soon.

SOC 2 Type 2 Plus (HIPAA)

Laserfiche's upcoming SOC 2 Type 2 for 2020 will cover the security requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), provided within Title 45 Code of Federal Regulations Sections 164.308 – 312 (45 CFR Sections 164.308-312) (the Security Requirements).

Voluntary Product Accessibility Section 508 Compliance

Laserfiche will publish a VPAT for mobile app.

ISO 27001:2015

Laserfiche is currently working on the ISO 27001 certification for Laserfiche Cloud.

Controls and Reliability

Controls And Reliability

Laserfiche's preventative, detective and corrective controls reduce risk while increasing uptime and availability.

Current

Business continuity and disaster recovery programs

Laserfiche Cloud SaaS services are hosted in multiple regions. Regions consist of multiple availability zones that are comprised of multiple data centers. These data centers are housed in separate facilities with redundant power, networking and connectivity.

Laserfiche Cloud service levels

Laserfiche publishes a status page that displays the current status of Laserfiche Cloud applications, maintenance notices and outage reports.

Automated backups

Customer data is backed up several times each day. The backups are encrypted, replicated and stored in geographically separate data centers.

Cloud migration tools

Laserfiche provides tools for migrating repositories in self-hosted environments to Laserfiche Cloud.

Upcoming

Sandbox instances

Laserfiche will provide sandbox environments for developers and administrators to test applications and extensions, and preview new features without impacting the production environment.

Learn about Laserfiche Cloud in the Forrester New Wave™ Report

Discover how the Laserfiche Cloud multi-tenant (SaaS) content platform stacks up against the competition.

Get Your eBook