Litmus data security
Here at Litmus, we maintain the highest levels of confidentiality, privacy, and security for our customers’ data. We dedicate time, money, and resources to safeguard Litmus and our customers from data loss and theft. Periodically, we receive questions from prospects and customers regarding security at Litmus. Here are a few of the most frequently asked security questions (and their answers):
Where is my data stored?
We leverage Amazon Web Services (AWS), which utilizes several modern security techniques, employs best practices for physical security and maintains several industry security certifications and accreditations (e.g. HIPAA, FedRAMP, ISO 27001, and PCI compliance among several others). Learn more about AWS security and AWS's compliance programs.
Is everything encrypted at Litmus?
All data is encrypted using a cryptographically strong cipher:
- AES-256 bit or higher
- SHA-256 bit with RSA Encryption or higher
- TLS 1.2 or higher
How does Litmus ensure that nobody untrusted can access customer data?
Litmus enforces several internal security policies and technical access controls to ensure that our customers’ data is secure and accessible only to those with proper authorization. Litmus only allows trained, authorized, and background-checked operations personnel to access customer-specific data. The data is accessed only through a secure VPN, which uses two-step verification and elevated privileges.
What additional security controls are available?
Litmus supports the concept of Account Holder, Admin, Full User, and Read-Only role permissions on an account. These roles, except for Account Holder, can be assigned at the sub-account/team level to control access and permissions.
Additionally, on Litmus Enterprise plans, Account Holders and Admins have the ability to restrict Email Analytics access for users across three levels of access:
- Full Analytics Access
- Partial (No PII) Analytics Access
- No Analytics Access
Also available exclusively on Litmus Enterprise plans are advanced and customizable security features, like two-step verification, session lengths, and password settings.