1. Lime CRM
  2. Sikkerhet

How we protect your data

At Lime, we understand the importance of protecting our customers’ data from threats present in today’s digital landscape.

In addition, we believe that trust is the foundation of any successful partnership, and we are committed to earning and maintaining yours. Below you will find some general information about how we have integrated information security into everything we do.

På denne siden kan du lese om:

Ankerkobling til security-compliance-1

Security Compliance

ISO 27001 is an internationally recognized standard for information security management systems. Lime Technologies is certified according to ISO 27001:2013.

This means that we have implemented comprehensive security measures and processes to protect sensitive data, mitigate risks, and ensure the confidentiality, integrity and availability of information.

Lime CRM is developed, implemented and supported under our management system for information security, as certified by Bureau Veritas against ISO 27001:2013. Bureau Veritas Certification certificate number: FIHSK27043F.

Download our certificate
Ankerkobling til cloud-security-2

Cloud Security

The information in this section is only applies to Lime CRM cloud customers. For self-hosted installations, the customer has full responsibility for the operating environment.

Providers

Lime CRM is primarily hosted with Amazon Web Services (AWS). AWS data centers have been certified as ISO 27001 compliant, among many other certifications. For more information, refer to AWS documentation.

Facilities

AWS data centers have a number of infrastructure controls including redundant power systems, fire suppression systems and climate control. For more information, refer to AWS documentation.

On-site security

AWS data center security include features such as intrusion detection systems, fences and security guards. For more information, refer to AWS documentation.

Locations

Lime CRM is hosted in AWS data centers located in Ireland, Europe.

Segmentation

Services are placed in different trust zones based on sensitivity. Allowed traffic between zones is kept to a minimum.

Logical access

Access to production environments is restricted to authorized personnel only on a strict need-to-use basis. Access is audited and requires multi-factor authentication.

WAF

Incoming traffic is protected by a Web Application Firewall that protects against common threats such as SQL injection and cross-site scripting (XSS).

DDoS protection

Procedures for managing denial of service attacks are in place.

Data in transit

All communication between Lime CRM client applications and backend APIs are encrypted with industry standard HTTPS/TLS (version 1.2 or higher), as supported by clients.

Data at rest

All data at rest is encrypted using AES encryption with a 256 bit key size.

Monitoring

Our operations team monitors key service metrics and logs to predict, prevent and act on disruptive events.

Service status

Lime provides a public status page where information about scheduled maintenance and disruptions is posted.

Backup

Data is backed up every 24 hours and retained for 365 days. Backups are protected from ransomware attacks by being immutable - they cannot be modified or deleted after creation.

Business continuity

Lime has established a Business Continuity Plan that describes how the company will act during catastrophic events. The plan is tested regularly.

Ankerkobling til application-security-3

Application Security

Secure development process

Our development process takes information security into account and mandates risk assessments and structured change control procedures to be followed.

Training

Developers participate in role specific training focused on secure development. The training covers the OWASP Top 10 list of common vulnerabilities.

Automated code analysis

Source code is automatically scanned for vulnerablities and may not be deployed until issues are fixed.

Code reviews

All code is peer reviewed. Security critical code always receives extra attention.

Separate environments

Development and testing is always performed in isolated environments using non-production data.

Dependencies

Third-party libraries are vetted, managed, and continually scanned for vulnerabilities.

Logical access

Access to production environments is restricted to authorized personnel only on a strict need-to-use basis. Access is audited and requires multi-factor authentication.

Penetration testing

External security experts performed detailed penetration testing of the Lime CRM platform on a regular basis.

Ankerkobling til product-security-4

Product Security

Authentication

Lime CRM supports local (username/password) authentication and integration with OpenID Connect (OIDC) compliant identity providers such as Azure AD, Okta and Auth0. Multi-factor authentication is only supported through integration with an identity provider.

User provisioning

Creation and updating of users can be automated using the SCIM protocol, including disabling of users who are no longer active in the source system (e.g., Azure AD).

Role based access

Granular access permissions can be set on entity and attribute level and associated with groups/roles in a flexible manner.

Object access

Dynamic access permissions, evaluated at runtime, may be defined on object level for complex authorization scenarios.

Ankerkobling til organisational-security-5

Organisational Security

Access to IT services

Access to all key IT services used by Lime is centrally managed and protected by multi-factor authentication. Services may only be accessed using compliant company devices.

Device security

All company devices are managed and must have storage encryption, up-to-date anti-malware software and an enabled firewall to be compliant.

Policies

All employees are trained in how to follow relevant information security policies and procedures.

Relevant teams are trained on security incident response procedures, including communication channels and escalation paths. In case of a major incident, responders are backed by the Major Incident Response Team.

Lime maintains an inventory of all suppliers involved in service delivery. Critical suppliers go through regular security reviews.

Security awareness

All new employees attend a comprehensive introduction to information security that covers basic security principles, current threats, how to work securely with customer data, physical security, and other relevant topics.

Recruitment

As part of our rigourous recruitment process, a number of background checks are performed.

Legal agreements

All Lime employees have non-disclosure and confidentiality clauses in their employment contracts.

Ankerkobling til more-about-security-at-lime-6

More about security at Lime

Interested in our philosophy on information security?

Have a look at our 2022 Annual Report which contains an interview with our CISO and further information on our work with information security.

 

2022 Annual Report
Ankerkobling til privacy-7

Privacy

Overview

Under the GDPR, the terms "data controller" and "data processor" refer to different roles in the handling of personal data:

  • Data Controller: An organisation that determines the purposes and means of processing personal data. In simple terms, they decide why and how personal data is processed. The data controller has the primary responsibility for ensuring compliance with data protection regulations.
  • Data Processor: An organisation that processes personal data on behalf of the data controller. They act under the authority of the data controller and handle the personal data as per the controller's instructions. Data processors could be external service providers or entities within the same organisation. They have a contractual obligation to process personal data securely and in accordance with the data controller's instructions.

Specific legal obligations are placed on both data controllers and data processors. Data controllers have more extensive responsibilities for ensuring compliance, while data processors have a duty to assist the data controller in meeting their obligations and maintain appropriate security measures for data processing. If you are a Lime cloud customer, we will act both as a data controller and as a data processor.

Lime as a data controller

We are a data controller for the overall cloud service and in particular when we have a direct relationship with data subjects (our customers) who are explicitly the users of our services. The minimal personal data we collect is processed in our account systems and used for support and marketing purposes. For more information about personal data processing, refer to our Privacy Statement.

Lime as a data processor

We are a data processor for our cloud customers' Lime CRM applications/addons. While we provide the application environment to the customer (who is the data controller) and store the data that the customer enters into their application, we don't know whether it includes personal data, nor are we responsible for the controller's obligations as it relates to the processing of any such personal data. We operate under the assumption that the controller's application includes personal data (possibly even sensitive personal data) and we treat it accordingly, for example by applying appropriate security and data protection measures.

Consent

All customer communication for marketing purposes is opt-in.

Security

You may read about all the measures we take to secure information above.

Sub-processors

All suppliers involved in providing Lime cloud services undergo a compliance and security review. We have signed Data Processing Agreements (DPAs) with all suppliers that process personal data. Moreover, we establish and enforce appropriate Standard Contractual Clauses (SCCs) to ensure compliance with GDPR obligations concerning international data transfers. A complete list of sub-processors is available.

Privacy by design

All employees undergo training, and guidelines exist to make sure that data protection is considered early in both product and business development initiatives.

Breach reporting

Our incident management policies and procedures describe how we handle a data breach involving personal data. We commit to notifying customers within 24 hours of our knowledge of an incident that involves personal data.

Data subject requests

Contact our support team if you want to exercise your rights as a data subject under the GDPR.

Did you know that using a CRM system can make it much easier for your organisation to become compliant with the GDPR? Lime CRM has a number of features to support you, including a dedicated GDPR self-service portal. Read more here.

Our subprocessors
Ankerkobling til any-questions-8

Any questions?

If you have any security-related questions or if you have found a security issue in one of our products, contact our support team at support@lime.tech.

Privacy statement