Litmus Security: How do we keep your data safe?
Here at Litmus, we maintain the highest levels of confidentiality, privacy, and security for our customers’ data. We dedicate time, money, and resources to safeguard Litmus and our customers from data loss and theft. Periodically, we receive questions from prospects and customers regarding security at Litmus. Here are a few of the most frequently asked security questions (and their answers):
Where is my data stored?
We leverage Amazon Web Services (AWS), which utilizes several modern security techniques, employs best practices for physical security and maintains several industry security certifications and accreditations (e.g. HIPAA, FedRAMP, ISO 27001, and PCI compliance among several others). Learn more about AWS security and AWS's compliance programs.
Is everything encrypted at Litmus?
Data classified as “Confidential” or “Secret”, such as usernames, passwords, analytics data, and email addresses, is encrypted at rest and in transit using a cryptographically strong cipher. Data classified as “Internal Use Only” is encrypted and password-protected and is only accessible to Litmus employees, contractors, and business partners. Data classified as “Public” is not password-protected or encrypted. We recommend that customers with strict data sensitivity concerns omit any PII from our Email Analytics platform. Litmus should never have any of your sensitive, confidential, or proprietary data.
How does Litmus ensure that nobody untrusted can access customer data?
Litmus enforces several internal security policies and technical access controls to ensure that our customers’ data is secure and accessible only to those with proper authorization. Litmus only allows trained, authorized, and background-checked operations personnel to access customer-specific data. The data is accessed only through secure VPN access, which uses two-step verification and elevated privileges.
What additional security controls are available?
Litmus supports the concept of Account Holder, Admin, Full User and Read-Only role permissions on an account. These roles, except for Account Holder, can be assigned at the sub-account/team level to control access and permissions.
Additionally, on Litmus Enterprise plans, Account Holders and Admins have the ability to restrict Email Analytics access for users across three levels of access:
- Full Analytics Access
- Partial (No PII) Analytics Access
- No Analytics Access
Also available exclusively on Litmus Enterprise plans are advanced and customizable security features, such as two-step verification, session lengths, and password settings.