Security

This Measure constitutes a policy governing the applicable safety measures concerning all products provided by LiveChat, Inc., namely:

Some safety measures may be conditional upon particular product characteristics. Such a distinction in security measures shall always be indicated.

General terms

Data transmission and storage security are imperative in the modern enterprise. That’s why we have taken all measures to keep all information appropriately protected. We use IBM data centers located in various locations such as Texas, USA; Frankfurt or Ireland, Europe (but the availability of European hosting centers is related to our specific products). They are behind several security clearances, and there’s always a security guard on duty in data storage centers. Services provided to us by IBM comply with the SSAE16 standard.

Our staff are granted access only within their respective fields and day-to-day work. They are also required to maintain confidentiality after departure from the company. Our developers treat stored customer data with the highest level of security and care. Each piece of customer data is treated as personal and in need of standardized protection. We have employed security policies that ensure the safety of data storage and transmission.

There is no expiration date on the stored data. The data will remain on our servers even if a client does not extend his or her license. If you’d like to retrieve chats that you had with our support team, you can contact us via support@livechat.com (or via the support e-mail of the Service you use), asking to retrieve all the data that we gathered at LiveChat and other products belonging to LiveChat Inc.

Furthermore, when accessing the LiveChat product, you are communicating through Akamai, our Content Delivery Network provider. During this communication, you negotiate the encryption algorithm through which you will be routed, before the application protocol transmits or receives its first bytes of data.

Domains used by LiveChat, Inc.

To make sure your firewall is not blocking any LiveChat, ChatBot, HelpDesk or KnowledgeBase requests, please add the following domains to your firewall’s exception list: *.livechat.com, *.livechatinc.com, *.livechat-static.com, *.helpdesk.com, *.helpdesk-static.com, *.chatbot.com. Our CDN and anti-DDoS infrastructure is built on tens of thousands of edge servers, so we cannot provide a list of all IP addresses on our Network. Note that a firewall with an IP ACL policy has the additional disadvantage that access control based solely on IP addresses is prone to error due to attacks like spoofing, DNS cache poisoning, and BGP hijacking. We recommend that network administrators using IP ACLs for web traffic employ a simple proxy server that filters traffic based on the domain name in the HTTP request (for example, *.livechatinc.com), rather than on the IP address of the remote server.
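The domain-based filtering recommended above, as an added example (not LiveChat's code): a host matcher that a filtering proxy could apply to the Host header or CONNECT target. It assumes a `*.` pattern covers subdomains only; the function names and sample hosts are constructed for illustration.

```python
import re

# Added example, not LiveChat's code. Patterns are the domains listed on this page.
ALLOWED_PATTERNS = (
    "*.livechat.com", "*.livechatinc.com", "*.livechat-static.com",
    "*.helpdesk.com", "*.helpdesk-static.com", "*.chatbot.com",
)
LABEL = re.compile(r"[a-z0-9-]{1,63}")


def normalize_host(value):
    """Return the bare lowercase hostname from a Host header or CONNECT
    target, or None when it is an IP literal or not a well-formed name."""
    host = value.strip().lower()
    if not host or host.startswith("["):        # bracketed IPv6 literal
        return None
    if ":" in host:                             # drop a trailing :port
        host = host.rsplit(":", 1)[0]
    if host.endswith("."):                      # fully qualified form
        host = host[:-1]
    labels = host.split(".")
    if not all(LABEL.fullmatch(label) for label in labels):
        return None                             # empty or malformed label
    if all(label.isdigit() for label in labels):
        return None                             # dotted IPv4 literal
    return host


def is_allowed(value, patterns=ALLOWED_PATTERNS):
    """True when the host is a subdomain of one of the "*.domain" patterns."""
    host = normalize_host(value)
    if host is None:
        return False
    # Keeping the leading dot of the suffix enforces a label boundary, so
    # "evil-livechat.com" does not match "*.livechat.com".
    return any(host.endswith(p[1:]) for p in patterns)


def classify(hosts):
    """Map each requested host to 'allow' or 'deny'."""
    return {h: "allow" if is_allowed(h) else "deny" for h in hosts}


# Constructed sample hosts, for illustration only.
SAMPLE = ["cdn.livechat.com:443", "API.LiveChatInc.com.", "evil-livechat.com",
          "livechat.com.other.example", "203.0.113.7"]
if __name__ == "__main__":
    for host, verdict in classify(SAMPLE).items():
        print(f"{verdict:5} {host}")
```

A lookalike such as `evil-livechat.com`, or a listed domain used as a prefix of another zone, is denied because the match is anchored on a full label boundary at the end of the name.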

Webhooks sent by our Products

We give you the possibility to send and receive Webhooks that can carry various information, like additional details about your customers, gathered from your database. To make sure that you know whether the Webhook was sent by LiveChat, ChatBot or by a different provider, our Webhooks identify themselves using the following header: User-Agent: LiveChat webhook/1.0 and chatbot/1.0.

Security of information

Our Products comply with the following information-related security and monitoring procedures:

  • Documented and defined security standards and procedures
  • Employee confidentiality agreement
  • Verification of employees who have access to customer data
  • Access to information granted only to employees who need to work with customer data or hosting servers
  • Access to customer data is limited within 24 hours of employee departure or relocation within LiveChat
  • Training on internal security policies and raising of security awareness as a day-to-day process
  • Physical security of the data center
  • Both data storage and backups are encrypted with the 256-bit Advanced Encryption Standard (AES) algorithm
  • Networks are either connected into a single routed local network or interconnected by VPN

Physical security ensured by data centers and hosting provided to and by our Products meets the following requirements:

  • Secure rooms with at least two access mechanisms, i.e., key-cards, man traps, security guards, and computer room badge-in
  • Only authorized employees are allowed physical access to the servers. 24/7 security at the location
  • Backups of customer data are stored on-site with limited access and at a securely controlled or commercial off-site location
  • All backups are copied to a geographically separated location
  • The site guarantees additional protection such as uninterruptible power and fire suppression
  • Flawed components in the data center undergo a DoD-approved “erase” or “wipe” procedure (if functionally possible) before physical destruction

Technical controls

Our Products support technical controls to protect their network, systems, and applications:

  • Products utilize professional facilities via a top-tier hosting provider that protect customer data from external threats
  • Products maintain individual accountability for employees that can access systems hosting customer data
  • Products have documented user account/password management systems for employees with access to systems that are hosting customer data
  • Products ensure that individual access to customer data is controlled, i.e., a distinct user name and password is required for each individual administrator
  • Customer data is compartmentalized to prevent unauthorized access and separated from the data of other customers
  • Wireless connectivity to networks or servers hosting customer data is protected using security mechanisms such as EAP, TTLS, TLS, or PEAP
  • Products’ data center has formal security policies and procedures in place that deal with viruses, other malware, and related threats

Usage

To ensure the protection of confidentiality, integrity, and availability of customer data, all of our Products meet the following usage criteria:

  • Each user is assigned a unique ID
  • User IDs and passwords can be edited at any time
  • Passwords must be at least 6 or at least 8 characters long (depending on the Service)
  • The application and resulting access to data in the database have permission-based controls limiting access to only authorized customers
  • All logs are treated as confidential information and access to reports is restricted to internal support purposes only
  • Reporting of this information is available within each instance of Product
  • If confidential data, personal data (i.e., names, addresses, phone numbers), or authentication information (i.e., passwords) is transmitted, Products ensure security by employing 256-bit SSL encryption between each component of the communications path
  • All security policies assume customer data retention is permanent and are designed to that standard
  • Furthermore, for LiveChat Product, each change of user login status is logged within each application
  • Additional security measures may be implemented in terms of personal data processing (see: Data Processing Addendum).
