LogMeIn JOIN.ME OPERATIONAL Manual

JOIN.ME
SECURITY AND PRIVACY OPERATIONAL CONTROLS
V1 October 2020
LogMeIn join.me Security and Privacy Organizational Controls
Publication Date: 6/2/2020
This document covers the security and privacy controls for join.me.
join.me is an online meeting and screen sharing service that gives users the ability to quickly and securely host an online meeting with other people. These services can be initiated through a visit to the https://join.me website, through a small downloadable desktop application or through mobile applications (iOS and Android). It is available in a Lite version as well as a “Pro” premium version for individuals and small teams and a premium “Business” version for larger teams and company-wide use.
2 Product Architecture
LogMeIn join.me is a SaaS-based application hosted on multi-tier architecture located in secure and reliable data centers in key locations around the globe. A multi-layer security approach is utilized at all levels from the physical layer through the application layer.
The join.me architecture includes components such as web servers, application servers, media servers, databases, media controllers and media engines. The application has built-in redundancies, designed to increase the availability and reliability of the service, so that if an application server or data center goes off-line or become unreachable, the session should quickly migrate to a different application server. Load balancers are utilized in order to geographically maintain availability. Both access to the application website and the information that travels between components is encrypted in transit utilizing Transport Layer Security (TLS) protocol. Customers have the flexibility to elect specified types of data that are stored on their behalf -- session data, for example, such as screens, video, or chat logs, are not, by default stored on LogMeIn servers. [1]
Services provided by join.me rely on third-party telecommunication companies to provide the audio-based conference infrastructure that allows audio participants to connect to each other regardless of which endpoint device they use to join. WebRTC technology is utilized to deliver video conferencing on platforms such as Windows, Mac OS X, HTML5, iOS and Android. The MP4 video format is used to save video recordings and can be stored in the Azure storage region closest to the presenter’s location.
Web server – User registration, account and meeting settings, meeting launch
Application Server – Maintains meetings, distributes data among appropriate viewers
Media server – Distributes media streams among appropriate viewers
Database – Stores user profiles and meeting settings
Media controller – Controls media sessions and PSTN connections
Media engine – Post-processes media elements in order to provide recorded meeting video
3 join.me Service Technical Security Controls
LogMeIn employs industry standard technical controls appropriate to the nature and scope of the Services (as the term is defined in the Terms of Service [2]) designed to safeguard the Service infrastructure and data residing therein.
3.1 Logical Access Control
Logical access control procedures are in place, designed to prevent or mitigate the threats of unauthorized application access and data loss in corporate and production environments.
V1 October 2020
Employees are granted minimum (or “least privilege”) access to specified LogMeIn systems, applications, networks, and devices as needed. Further, user privileges are segregated based on functional role and environment.
3.2 Perimeter Defense
LogMeIn employs industry standard perimeter protection tools, techniques and services that are designed to prevent unauthorized network traffic from entering our product infrastructure. The LogMeIn network features externally facing firewalls and internal network segmentation. Cloud resources also utilize host-based firewalls. In addition, a third party, cloud-based distributed denial of service (DDoS) prevention service is used to protect against volumetric DDoS attacks. Critical system files are protected against malicious and unintended infection or destruction.
3.3 Data Segregation
LogMeIn leverages a multi-tenant architecture, logically separated at the database level, based on a user’s or organization’s LogMeIn account. Only authenticated parties are granted access to relevant accounts.
3.4 Physical Security
Datacenter Physical Security
LogMeIn contracts with co-location data centers to provide physical security and environmental controls for server rooms that house production servers. These controls include:
Video surveillance and recording
Multi-factor authentication to highly sensitive areas
Heating, ventilation, and air conditioning temperature control
Fire suppression and smoke detectors
Uninterruptible power supply (UPS)
Raised floors or comprehensive cable management
Continuous monitoring and alerting
Protections against common natural and man-made disasters, as required by the
geography and location of the relevant data center
Scheduled maintenance and validation of all critical security and environmental controls
LogMeIn limits physical access to production datacenters to authorized individuals only. Access to a hosting facility requires the submission of a request through the relevant ticketing system and approval by the appropriate manager, as well as review and approval by Technical Operations. LogMeIn management reviews physical access logs to datacenters and server rooms on at least a quarterly basis. Additionally, physical access to datacenters is removed upon termination of previously authorized personnel.
3.5 Data Backup, Disaster Recovery and Availability
LogMeIn’s architecture is generally designed to perform replication in near-real-time to geographically diverse locations. Databases are backed up using a rolling incremental backup strategy. In the event of a disaster or total site failure in any one of the multiple active locations, the remaining locations are designed to balance the application load. Disaster recovery related to the system is tested periodically.
3.6 Malware Protection
Malware protection software with audit logging is deployed on all join.me Servers. Alerts indicating potential malicious activity are sent to the appropriate response team.
3.7 Encryption
LogMeIn maintains a cryptographic standard that aligns with recommendations from industry groups, government publications, and other relevant standards groups. The cryptographic standard is periodically reviewed, and selected technologies and ciphers may be updated in accordance with the assessed risk and market acceptance of new standards.
3.7.1 In-Transit Encryption
At the protocol level, join.me uses TLS for communications security. The key exchange protocol is ECDHE, while data encryption in transit utilizes the Advanced Encryption Standard (AES) (preferably at AES256-SHA384). Every session is secured using the Application Server’s TLS certificate. The Application Server terminates the SSL connections that are established by the viewer and the presenter -- while a single viewer/presenter pair could potentially employ end­to-end encryption and use the Application Server as a simple networking relay, this becomes unfeasible when multiple viewers are present. As designed, the system supports multiple viewers without placing bandwidth constraints on the presenter. All join.me communications are secured using TLS, including access to the website itself.
3.8 Vulnerability Management
Internal and external system and network vulnerability scanning is conducted monthly. Dynamic and static application vulnerability testing, as well as penetration testing activities for targeted environments, are also performed periodically. These scanning and testing results are reported into network monitoring tools and, where appropriate and predicated on the criticality of any identified vulnerabilities, remediation action is taken.
Vulnerabilities are also communicated and managed with monthly and quarterly reports provided to development teams, as well as management.
3.9 Logging and Alerting
LogMeIn collects identified anomalous or suspicious traffic into relevant security logs in applicable production systems.
V1 October 2020
4 Organizational Controls
LogMeIn operates a comprehensive set of organizational and administrative controls to protect the security and privacy posture of join.me.
4.1 Security Policies and Procedures
LogMeIn maintains and implements a comprehensive set of security policies and procedures, aligned with business goals, compliance programs, and overall corporate governance. These policies and procedures are periodically reviewed and updated as necessary to ensure ongoing compliance.
4.2 Standards Compliance
LogMeIn complies with applicable legal, financial, data privacy, and regulatory requirements, and conforms with the following compliance certifications and external audit reports:
American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) 2 Type II attestation report incl. BSI Cloud Computing Catalogue (C5)
Sarbanes-Oxley Act (SOX)
Payment Card Industry Data Security Standard (PCI DSS) Compliance for LogMeIn’s
eCommerce and Payment Environments
4.3 Security Operations and Incident Management
LogMeIn’s Security Operations Center (SOC) is staffed by the Security Operations team and is responsible for detecting and responding to security events. The SOC uses security sensors and analysis systems to identify potential issues and has developed an Incident Response Plan that dictates appropriate responses.
The Incident Response Plan is aligned with LogMeIn’s critical communication processes, the Information Security Incident Management Policy, as well as associated standard operating procedures. It is designed to manage, identify and resolve suspected or identified security events across its systems and Services, including the join.me Services. Per the Incident Response Plan, technical personnel are in place to identify potential information security­related events and vulnerabilities and to escalate any suspected or confirmed events to management when appropriate. Employees can report security incidents via email, phone and/or ticket, according to the process documented on the LogMeIn intranet site. All identified or suspected events are documented and escalated via standardized event tickets and triaged based upon criticality.
4.4 Application Security
LogMeIn's application security program is based on the Microsoft Security Development Lifecycle (SDL) to secure product code. The core elements of this program are manual code reviews, threat modeling, static code analysis, dynamic analysis, and system hardening.
4.5 Personnel Security
Background checks, to the extent permitted by applicable law and as appropriate for the position, are performed globally on new employees prior to the date of hire. Results are maintained within an employee's job record. Background check criteria will vary depending upon the laws, job responsibility and leadership level of the potential employee and are subject to the common and acceptable practices of the applicable country.
4.6 Security Awareness and Training Programs
New hires are informed of security policies and the LogMeIn Code of Conduct and Business Ethics at orientation. This mandatory annual security and privacy training is provided to relevant personnel and managed by Talent Development with support from the Security Team.
LogMeIn employees and temporary workers are informed regularly about security and privacy guidelines, procedures, policies and standards through various mediums including new hire on­boarding kits, awareness campaigns, webinars with the CISO, a security champion program, and the display of posters and other collateral, rotated at least bi-annually, that illustrate methods for securing data, devices, and facilities.
5 Privacy Practices
LogMeIn takes the privacy of its Customers and end users very seriously and is committed to disclosing relevant data handling and management practices in an open and transparent manner.
5.1 Data Protection and Privacy Policy
LogMeIn is pleased to offer a comprehensive, global Data Processing Addendum (DPA), available in English and German, to meet the requirements of the GDPR, CCPA, and beyond and which governs LogMeIn’s processing of Personal Data as may be located within Customer Content.
Specifically, our DPA incorporates several GDPR-focused data privacy protections, including: (a) data processing details, sub-processor disclosures, etc. as required under Article 28; (b) EU Standard Contractual Clauses (also known as the EU Model Clauses); and (c) inclusion of LogMeIn's technical and organizational measures. Additionally, to account for CCPA coming into force, we have updated our global DPA to include: (a) revised definitions which are mapped to CCPA; (b) access and deletion rights; and (c) warranties that LogMeIn will not sell our users’ ‘personal information.’
For visitors to our webpages, LogMeIn discloses the types of information it collects and uses to provide, maintain, enhance, and secure its Services in its Privacy Policy on our public website The company may, from time to time, update the Privacy Policy to reflect changes to its information practices and/or changes in applicable law, but will provide notice on its website for any material changes prior to any such change taking effect.
[3]
.
V1 October 2020
5.2 GDPR
The General Data Protection Regulation (GDPR) is a European Union (EU) law on data protection and privacy for individuals within the European Union. GDPR aims primarily to give control to its citizens and residents over their personal data and to simplify the regulatory environment across the EU. The Service is compliant with the applicable provisions of the GDPR. For more information, please visit www.logmeininc.com/trust.
5.3 CCPA
LogMeIn hereby represents and warrants that it will be in compliance with the California Consumer Privacy Act (CCPA) and will implement and maintain the necessary controls to adhere to the applicable provisions of CCPA no later than January 1, 2020. For more information, please visit www.logmeininc.com/trust.
5.4 Transfer Frameworks
LogMeIn is aware of the European Court of Justice’s decision with respect to the EU-U.S. Privacy Shield Framework and is actively monitoring the situation. LogMeIn’s privacy program and contracts have been designed to account for shifts in the regulatory landscape to avoid impacts to our ability to provide our services to you. The EU-U.S. Privacy Shield Framework was just one (of several) mechanisms that LogMeIn relied on to lawfully transfer personal data. Therefore, LogMeIn offer in the following Transfer Frameworks.
5.4.1 Standard Contractual Clauses
The Standard Contractual Clauses (or “SCCs”) are standardized contractual terms, recognized and adopted by the European Commission, whose primary purpose are to ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law. LogMeIn has invested in a world-class data privacy program designed to meet the exacting requirements of the SCCs for the transfer of personal data. LogMeIn offers customers SCCs, sometimes referred to as EU Model Clauses, that make specific guarantees around transfers of personal data for in-scope LogMeIn services as part of its global DPA helps ensure that LogMeIn customers can freely move data from the EEA to the rest of the world.
[4]
5.4.2 APEC CBPR and PRP Certifications
LogMeIn has additionally obtained Asia-Pacific Economic Cooperation ("APEC") Cross-Border Privacy Rules ("CBPR") and Privacy Recognition for Processors ("PRP") certifications. The APEC CBPR and PRP frameworks are the first data regulation frameworks approved for the transfer of personal data between APEC-member countries and were obtained and independently validated through TrustArc, an APEC-approved third-party leader in data protection compliance.
[4]
[4]
[4]
. Execution of the SCCs
5.5 Return and Deletion of Customer Content
At any time, join.me Customers may request the return or deletion of their Content through standardized interfaces. If these interfaces are not available, LogMeIn will otherwise make a
commercially reasonable effort to support the Customer, subject to technical feasibility, in the retrieval or deletion of their Content. Additionally, Customer Content will be deleted within thirty (30) days of Customer request.
Upon the expiration or termination of a paid subscription to join.me, Customer’s accounts shall revert to a free account. Free join.me accounts shall automatically be deleted after two (2) years of user inactivity (e.g. no logins). Upon written request, LogMeIn will certify to relevant account and Content deletion.
5.6 Sensitive Data
While LogMeIn aims to protect all Customer Content, regulatory and contractual limitations require us to restrict the use of join.me for certain types of information. Unless Customer has written permission from LogMeIn, the following data must not be uploaded or generated to join.me:
Government-issued identification numbers and images of identification documents.
Information related to an individual’s health, including, but not limited to, Personal
Health Information (PHI) identified in the U.S. Health Insurance Portability and Accountability Act (HIPAA) and related laws and regulations.
Information related to financial accounts and payment instruments, including, but not limited to, credit card data. The only general exception to this provision extends to explicitly identified payment forms and pages that are used by LogMeIn to collect payment for join.me.
Any information especially protected by applicable laws and regulation, specifically information about individual’s race, ethnicity, religious or political beliefs, organizational memberships, etc.
5.7 Tracking and Analytics
LogMeIn is continuously improving its websites and products using various third-party web analytics tools, which help LogMeIn understand how visitors use its websites, desktop tools, and mobile applications, what they like and dislike, and where they may have problems. For further details please reference our Privacy Policy [3]
6 Third Parties
6.1 Use of Third Parties
As part of the internal assessment and processes related to vendors and third parties, vendor evaluations may be performed by multiple teams depending upon relevancy and applicability. The Security team evaluates vendors that provide information security-based services including the evaluation of third-party hosting facilities. Legal and Procurement may evaluate contracts, Statements of Work (SOW) and service agreements, as necessary per internal processes. Appropriate compliance documentation or reports may be obtained and evaluated at least annually, as deemed appropriate, to ensure the control environment is functioning adequately and any necessary user consideration controls are addressed. In addition, third parties that host
V1 October 2020
or that are granted access to sensitive or confidential data by LogMeIn are required to sign a
[1]
LogMeIn, Inc., "join.me Architecture Whitepaper," 2018. [Online]. Available: https://az766929.vo.msecnd.net/document-library/joinme/pdf/english/jm-guides­architecture-v1.pdf.
[2]
LogMeIn, Inc., "Terms of Service for LogMeIn," LogMeIn, Inc., March 2020 [Online]. Available: https://www.logmeininc.com/legal/terms-and-conditions
[3]
LogMeIn, Inc, "LogMeIn Privacy Policy," LogMeIn, Inc., April 2020 [Online]. Available: https://www.logmeininc.com/legal/privacy.
[4]
LogMeIn, Inc., "LogMeIn Special Note on Privacy Shield," LogMeIn, Inc., August 2020 [Online]. Available: https://www.logmeininc.com/legal/privacy-shield.
written contract outlining the relevant requirements for access to, or storage or handling of, the information (as applicable).
6.2 Contract Practices
To ensure business continuity and that appropriate measures are in place to protect the confidentiality and integrity of third-party business processes and data processing, LogMeIn reviews relevant third parties’ terms and conditions and either utilizes LogMeIn-approved procurement templates or negotiates such third-party terms, where deemed where necessary.
7 Contacting LogMeIn
Customers can contact LogMeIn at https://support.logmeininc.com/ for general inquiries or
privacy@logmein.com for privacy-related questions.
8 References
Loading...