LeanDNA Security Overview


Security Overview

Updated July 2021


TABLE OF CONTENTS

ABOUT LEANDNA 3

SECURITY GOVERNANCE 4
  SECURITY TEAMS
  POLICIES AND STANDARDS
  SECURE POLICIES SET

ACCESS CONTROL 4
  ACCESS CONTROL POLICY AND PROCEDURES
  AUTHENTICATION

NETWORK SECURITY 5
  VIRTUAL PRIVATE CLOUD
  FIREWALLS
  THREAT DETECTION
  CUSTOMER SEGMENTATION

PLATFORM HARDENING 6
  DENIAL OF SERVICE (DOS) PROTECTION
  PENETRATION TESTING & VULNERABILITY SCANNING
  OPERATING SYSTEMS

PLATFORM MONITORING AND INCIDENT RESPONSE 6
  AUDIT LOGGING
  USER ACTIVITY AND ACCOUNT MANAGEMENT
  CONFIGURATION CHANGES
  PRIVILEGED ACCESS
  MONITORING AND ALERTING
  INCIDENT RESPONSE

DATA HANDLING 7
  PERSONAL INFORMATION

ENCRYPTION 7
  ENCRYPTION IN TRANSIT
  ENCRYPTION AT REST

KEY MANAGEMENT 7
  TLS KEY MANAGEMENT
  ENCRYPTION KEY MANAGEMENT

PATCHING AND VULNERABILITY MANAGEMENT 8
  PATCHING
  VULNERABILITY MANAGEMENT

CHANGE MANAGEMENT 8
  CHANGE MANAGEMENT POLICY AND PROCESS

RISK MANAGEMENT 8
  VENDOR AND PARTNER MANAGEMENT
  SECURITY AWARENESS TRAINING

BUSINESS CONTINUITY AND DISASTER RECOVERY 9
  BACKUP AND RECOVERY POLICY AND PROCESS
  RTO/RPO/SLA

COMPLIANCE REPORTING 9
  CLOUD PROVIDERS

leandna.com | 512.790.3360 | team@leandna.com 2


SECURITY OVERVIEW

ABOUT LEANDNA

Austin-based SaaS startup LeanDNA launched in 2014 to bridge the gap between complex supply chains and their outdated, labor-intensive methods for inventory management and shortage prevention. Today’s mission is to disrupt manufacturing by transforming every factory into a strategic force. The company works to disrupt the global supply chain space by delivering advanced AI technology to provide and prioritize insights and workflows for procurement teams to optimize their inventory processes and generate savings—all while integrating quickly and seamlessly with any ERP.

A more than 30-year supply chain veteran, CEO and Founder Richard Lebovitz has worked with manufacturers throughout the world in engineering, sales, marketing, and Lean strategy roles to empower factory-level employees with technology that increases efficiency and enables global scale.

After receiving its Series B funding round in 2019, the company has grown rapidly—in the number of Leaniacs, customer count, and revenue. Industries served by LeanDNA include aerospace, medical device, industrial products and furniture, specialty automotive and transportation, computers and electronics, and electrical and electronics.

SERVICES PROVIDED

LeanDNA offers a Software as a Service (SaaS) product providing data analytics to manufacturers, helping them reduce inventory and improve on-time delivery.

LeanDNA’s typical user is a buyer, planner, supply chain analyst, supply chain manager or executive of a manufacturing company, division, or facility. They use LeanDNA to:
• Identify inventory reduction opportunities
• Collaborate to address inventory reduction opportunities
• Identify and prioritize shortages (current and projected)
• Collaborate internally and with suppliers to resolve current and projected shortages
• Initiate and manage continuous improvement projects
• Track KPIs related to supply chain and continuous improvements


SECURITY GOVERNANCE

SECURITY TEAM

LeanDNA has designated security personnel who are responsible for executing security policies and managing security incidents. The Security Personnel are overseen by executive management.

This document references Security Personnel as points of contact for various security-related activities. At present, the LeanDNA Security Personnel are:
• Roy Shamir, VP Engineering
• Kevin Pyle, Security/DevOps Engineer
• Jacob Williams, Software Developer

POLICIES AND STANDARDS

LeanDNA has developed and maintains specific internal guidelines to ensure that all employees are aware of proper procedures, and accountable for ensuring the security of all systems and customer data. These policies have been verified by third-party auditors as part of SOC 2 compliance. The full SOC 2 Type II report can be made available to customers and prospects under a non-disclosure agreement.

All employees are subject to disciplinary action for non-compliance with security policies up to, and including, termination.

SECURITY POLICIES SET

The following are LeanDNA Security policies:
• Acceptable Use Policy
• Access Control Policy
• Endpoint Protection Software Policy
• Backup/Restore Policy, including Disaster Recovery Procedures
• Password Policy
• Encryption Policy
• Change Management Policy
• Incident Response Policy
• Information Sensitivity Policy
• Risk Assessment Policy
• Vendor Risk Assessment Policy

ACCESS CONTROL AND USER MANAGEMENT

ACCESS CONTROL POLICY AND PROCEDURES

LeanDNA’s access control policy applies to employee access to the LeanDNA Web Application and supporting infrastructure. The established access control processes include, but are not limited to:
• Unique user identification and authentication
• Account provisioning and de-provisioning processes
• User credential requirements
• The Principle of Least Privilege
• User access auditing

ACCESS TO CUSTOMER SYSTEMS

A software application named LeanDNA Connect will be installed on a server within the customer network. This application will connect to data source systems (typically the ERP system) using a standard user account with read-only access to specific tables. LeanDNA maintains a list of required tables per ERP system. This list can be provided upon request. Once LeanDNA Connect connects locally within the customer network, it generates files that are kept on the local customer system. These files are then compressed and transferred from the local computer to a LeanDNA server using HTTPS or SFTP (Secure FTP). All data is encrypted in transit to our servers and at rest within our hosting environment (see Encryption section for details). Once the files are received, a synchronization process takes place to update the customer database in the LeanDNA environment with the latest data from the files.

Periodic access to the server hosting LeanDNA Connect is required for application upgrades, changes to LeanDNA Connect configuration in response to user requests, and for investigating issues. Access to the server hosting LeanDNA Connect will be granted by the customer via remote access solutions such as VPN with Remote Desktop, or via screen sharing solutions, for example TeamViewer or Webex.


AUTHENTICATION

LeanDNA mandates use of Multi-Factor Authentication (MFA) when accessing critical systems such as resources in AWS. Terminal access requires first establishing a connection with a bastion host, using a password-protected private key and MFA. From the bastion host, terminal access requires a password-protected private key.

LEANDNA WEB APPLICATION AUTHENTICATION

Customers are responsible for user management and access control to LeanDNA. Every LeanDNA customer has a designated administrator responsible for user management tasks, such as creation and removal of accounts, access reviews, and changing roles and permissions.

LeanDNA supports Single Sign-On (SSO) using the SAML 2.0 protocol. LeanDNA recommends that customers utilize SSO, allowing them to enforce password policies and/or use of MFA, and to ease account generation and termination procedures.

If SSO is not used, customer accounts use passwords managed by LeanDNA:
• Minimum password requirements: LeanDNA uses a password strength evaluation tool to ensure that the password quality is high
• Storage: Hashed and salted (see encryption section)
• Account lockout: repeated failures to provide a correct password result in a temporary lockout, utilizing “Device Cookies” as a protection against DoS attacks
• Device activation: when a user logs in from a new device, they are required to enter a six-digit code that is sent to their email account

Optionally, customers may request to restrict access to specific ranges of source IP addresses.

NETWORK SECURITY

VIRTUAL PRIVATE CLOUD

The LeanDNA web application uses a combination of AWS EC2 instances and AWS services such as Elastic Load Balancer and S3. All instances run in a dedicated Virtual Private Cloud (VPC). AWS Services that have VPC endpoints also run inside the dedicated VPC. Communication within the VPC is secured using SSH or TLS. Communication to services outside the VPC is secured using TLS.

FIREWALLS

LeanDNA limits inbound network traffic to specific nodes, which are security hardened (DMZ), and specific ports which only accept securely encrypted traffic. Administrative access is isolated to a separate hardened access point and not mixed with user traffic. Network traffic within our datacenter is tiered and segmented using access control lists and subnet groups for additional protection. Additionally, all internal service protocols are encrypted and require authentication.

THREAT DETECTION

LeanDNA uses a 3rd party Threat Detection product to alert on suspicious activity based on network events, DNS events, and AWS activity logs.

CUSTOMER SEGMENTATION

Each request for customer data is tagged with customer-specific identification information, and checked against the requesting user’s customer association. In addition, the data in the database is segmented into dedicated logical customer databases, providing an additional security layer for protecting customer data. Similarly, data stored in S3 uses a logical segmentation, making it easy to associate data with the customer and filter out unauthorized requests.
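The customer segmentation check described above, as an added example (it is not LeanDNA’s code and does not describe their implementation): every request carries a customer tag, the tag is compared against the authenticated user’s customer association before any data is read, and the per-customer store is then selected from the authorized customer id rather than from the request. The user table, the per-customer dictionaries standing in for the logical customer databases, and all names are assumptions.

```python
"""Per-request customer (tenant) scoping check.

Added illustration, not LeanDNA code. The user-customer table and the
per-customer dicts (standing in for dedicated logical databases) are
constructed sample data; the function names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: which customer each authenticated user belongs to.
USER_CUSTOMER: Dict[str, str] = {
    "alice@acme.example": "acme",
    "bob@globex.example": "globex",
}

# Constructed sample: one logical database per customer.
CUSTOMER_DB: Dict[str, Dict[str, dict]] = {
    "acme": {"PART-100": {"on_hand": 40, "shortage": True}},
    "globex": {"PART-200": {"on_hand": 12, "shortage": False}},
}


class AccessDenied(Exception):
    """Raised when a request is not scoped to the caller's own customer."""


@dataclass(frozen=True)
class DataRequest:
    user: str         # authenticated identity taken from the session, not the body
    customer_id: str  # customer tag carried by the request
    part_id: str      # record being requested


def customer_for_user(user: str) -> Optional[str]:
    """Look up the user-customer association; None for unknown users."""
    return USER_CUSTOMER.get(user)


def authorize(req: DataRequest) -> str:
    """Compare the request's customer tag with the user's association.

    Deny by default: an unknown user or a mismatched tag is refused before
    any data lookup happens. Returns the customer id the request may use.
    """
    expected = customer_for_user(req.user)
    if expected is None or expected != req.customer_id:
        raise AccessDenied(f"{req.user} may not access customer {req.customer_id}")
    return expected


def fetch_part(req: DataRequest) -> Optional[dict]:
    """Serve the request only from the caller's own logical database.

    The store is chosen from the *authorized* customer id, never from the
    raw request tag, so a forged tag can never route to another tenant.
    """
    customer = authorize(req)
    return CUSTOMER_DB[customer].get(req.part_id)


if __name__ == "__main__":
    print(fetch_part(DataRequest("alice@acme.example", "acme", "PART-100")))
    try:
        fetch_part(DataRequest("alice@acme.example", "globex", "PART-200"))
    except AccessDenied as exc:
        print("denied:", exc)
```

The important design point is the last function: once the check passes, the code never touches `req.customer_id` again, so the only way to reach a customer’s data is through the association that was just verified.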


PLATFORM HARDENING

DENIAL OF SERVICE (DOS) PROTECTION

LeanDNA makes use of AWS CloudFront, AWS Route 53 and AWS Shield (Standard) to provide comprehensive DDoS protection against common DDoS attacks.

PENETRATION TESTING AND VULNERABILITY SCANNING

LeanDNA contracts an independent third-party vendor with security expertise to conduct quarterly penetration testing and vulnerability scans on the LeanDNA Web Application. Findings from the penetration testing are reviewed by LeanDNA Security Personnel and, if warranted, remediated. Penetration Test reports are available upon request.

OPERATING SYSTEMS

LeanDNA runs on Amazon Linux. Access to LeanDNA Amazon Linux instances is highly restricted. A bastion host accepts external SSH connections which may forward traffic within the datacenter. Acquiring a connection to the bastion requires presenting a Time-based One-Time Password (TOTP) in addition to public key authentication. Console access to the bastion is restricted to administrative users within the operations team. For interactive access to any other system, users must first connect to the bastion host and present a TOTP, then connect from the bastion to the system of interest.

Application servers and other internal services are run within containers (OS-level virtualization) which isolate filesystem, process, and network access. Access to the container orchestration API is private, authenticated, and isolated to a distinct administrative bastion for each operating environment.

A dedicated SFTP server allows external connections for customer data uploads. All connections are authenticated and encrypted and operate in a chroot environment. File permissions further restrict customer accounts from exploring the file system.

PLATFORM MONITORING AND INCIDENT RESPONSE

AUDIT LOGGING

LeanDNA audits many different types of events. Some of these events are available through an administrator view in the web application, and some can be made available upon request. The following activities are logged:

User Activity and Account Management
• Login to the web application
• Creation and deletion of user accounts
• Password change events
• Changes to user access and privileges
• Changes to subscription of users to various email streams

Configuration Changes
• Changes to site and company settings
• Changes to the setup configuration for Metrics, Lean Projects, or Supply Chain

Privileged Access
LeanDNA admin (privileged) access is also logged:
• AWS Account creation, role changes, and account deletion
• Terminal access to AWS instances
• Database access

MONITORING AND ALERTING

An external service regularly monitors the availability of the web application. When downtime is detected, alerts go out to on-duty staff using smartphone apps, instant messages and emails. In addition, anomalies in LeanDNA logs are reported as email alerts to LeanDNA DevOps. Abnormal usage of AWS resources such as low disk space or memory generates email alerts. Active data pipeline monitoring detects and alerts our teams if customer data imports do not complete successfully and on time.
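The bastion access described under OPERATING SYSTEMS requires a Time-based One-Time Password in addition to public key authentication. As an added example (not LeanDNA’s code, and not a description of which TOTP tooling they run), this is what the verifier side of that second factor computes: RFC 4226 HOTP under an RFC 6238 time-step counter, with a small clock-drift window and replay refusal. The defaults follow the RFCs (HMAC-SHA1, 30-second step, 6 digits); the one-step acceptance window and the class name are assumptions.

```python
"""RFC 6238 TOTP generation and verification.

Added illustration, not LeanDNA code. Defaults follow RFC 6238
(HMAC-SHA1, 30-second step, 6 digits); the drift window of one step
either side and the replay bookkeeping are assumptions.
"""
import hmac
import struct
import time
from hashlib import sha1
from typing import Callable


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP over the time-step counter floor(at / step)."""
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: float, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Stateless check: accept the current step and `window` steps either side.

    The comparison is constant-time. This function cannot refuse a replayed
    code within the same step; TotpVerifier below adds that bookkeeping.
    """
    if not (code.isdigit() and len(code) == digits):
        return False
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + drift, digits), code)
        for drift in range(-window, window + 1)
    )


class TotpVerifier:
    """Stateful verifier: each time-step counter is accepted at most once.

    Remembering the highest accepted counter is the standard defence
    against replaying a code that was already used during its window.
    """

    def __init__(self, secret: bytes, clock: Callable[[], float] = time.time,
                 step: int = 30, digits: int = 6, window: int = 1) -> None:
        self.secret, self.clock = secret, clock
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1  # highest counter already consumed

    def check(self, code: str) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        counter = int(self.clock() // self.step)
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue  # already consumed: refuse replay
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 appendix B test secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    print(totp(secret, 59, digits=8))  # RFC vector: 94287082
```

The secret in the usage stub is the RFC 6238 appendix B test key, so the printed value can be checked against the RFC’s table; a real enrolment uses a random per-user secret delivered once, and the verifier’s `last_counter` must be persisted with the user record rather than kept in memory.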


INCIDENT RESPONSE

In the event of a security incident that relates to LeanDNA customer data, Security Personnel follow a formal incident response and escalation plan. In the event of a breach affecting customer data, customers would be notified in accordance with contract terms. Customers do not have additional responsibilities for incident response unless explicitly communicated or recommended by LeanDNA Support or Security Personnel. All incidents will go through Detection, Analysis, Containment, Eradication and Recovery stages, and conclude with a formal Retrospective step.

DATA HANDLING

For questions about data privacy, refer to the Terms of Service and Privacy Policy available on www.leandna.com.

PERSONAL INFORMATION IN THE WEB APPLICATION

LeanDNA stores the following information for each user: first name, last name, business email address. LeanDNA is committed to protecting the privacy of individuals who utilize the LeanDNA web application and supporting services. LeanDNA uses persistent cookies for security and to make interactions with the web application easy and meaningful, but these do not contain any personal or financial information of the users (other than the username used in the web application, if the user opts in to remember the identity on that computer). Session cookies exist only during one session, and disappear from the computer when the browser closes or the computer is shut down, unless the user opts to remember the identity on that computer.

ENCRYPTION

ENCRYPTION IN TRANSIT

All communication, even within the LeanDNA VPC in AWS, is encrypted in transit.

HTTPS: TLS 1.2 is the default, 1.3 is supported. RSA key size is 2048. Minimum cipher strength is 128 bits. LeanDNA supports an industry standard set of cipher suites, with a minimum of 128-bit keys for symmetric key encryption.

SSH: LeanDNA uses 2048-bit keys for asymmetric encryption and supports an industry standard set of cipher suites with a minimum of 128-bit keys for symmetric encryption.

ENCRYPTION AT REST

Data at rest (in S3 or AWS database volumes) is encrypted using AES with 256-bit keys. Passwords are stored securely, using the PBKDF2 function with SHA-512, a 512-bit salt value, and 4096 iterations.

KEY MANAGEMENT

TLS KEY MANAGEMENT

TLS certificates visible to the end user are managed by AWS. Amazon CloudFront obtains a certificate from Amazon Certificate Manager and maintains it securely on Amazon-administered devices. Amazon handles periodic rotation of this certificate. LeanDNA administrators cannot export the private key of this certificate.

ENCRYPTION KEY MANAGEMENT

Data at rest is encrypted by an AWS Customer-Managed Key. The key is maintained and secured by AWS Key Management Service (KMS). Files written to Amazon S3 are stored under Server-Side Encryption with KMS. Only authorized entities have the appropriate Amazon Identity and Access Management (IAM) permission to attempt to decrypt data with the key. When decryption is authorized, it is done by the server and the plaintext is returned to the client, so the client has no opportunity to misuse the key or retain secret material. Similarly, Amazon Elastic Block Storage volumes that contain customer data are encrypted using an AWS KMS key. Authorized entities receive the plaintext of the block storage on read, and writes are transparently encrypted by the Amazon infrastructure. Unauthorized entities are not able to read the block device at all, even to retrieve the ciphertext, so unauthorized clients cannot perform offline attacks against the Elastic Block Storage (EBS) volume. Attempts to attach the EBS block device to an unauthorized entity fail at attachment time.
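The password controls described in two places above, the storage parameters under ENCRYPTION AT REST (PBKDF2 with SHA-512, a 512-bit salt, 4096 iterations) and the “Device Cookies” lockout under LEANDNA WEB APPLICATION AUTHENTICATION, fit together in one login check. The following is an added example, not LeanDNA’s code and not a description of their implementation: it hashes and verifies with exactly the stated PBKDF2 parameters, and it implements the device-cookie lockout as the OWASP design describes it, where a device that has completed a successful login receives a signed cookie and thereafter gets its own failure counter, so that a flood of bad passwords from clients without the cookie locks out only those untrusted clients and not the real user. The failure threshold, the lockout period, the cookie signing key and the in-memory stores are assumptions.

```python
"""Login check: PBKDF2-SHA512 password storage plus device-cookie lockout.

Added illustration, not LeanDNA code. PBKDF2 parameters follow the
document (SHA-512, 512-bit salt, 4096 iterations); the threshold, lockout
period, signing key and in-memory stores are assumptions.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

ITERATIONS = 4096
SALT_BYTES = 64              # 512-bit salt
MAX_FAILURES = 5             # assumed threshold before a counter is locked
LOCKOUT_SECONDS = 300        # assumed lockout period
DEVICE_KEY = os.urandom(32)  # assumed server-side HMAC key for device cookies


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha512$iterations$salt_hex$hash_hex' with a fresh salt."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha512${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations; constant-time compare."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha512":
        return False
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


# Verified against for unknown users so timing does not reveal which names exist.
DUMMY_HASH = hash_password("dummy-password-never-accepted")


def issue_device_cookie(username: str) -> str:
    """Cookie = nonce.HMAC(key, username:nonce); valid only for that user."""
    nonce = os.urandom(16).hex()
    tag = hmac.new(DEVICE_KEY, f"{username}:{nonce}".encode(), "sha256").hexdigest()
    return f"{nonce}.{tag}"


def device_cookie_valid(username: str, cookie: Optional[str]) -> bool:
    """True if the cookie was issued by this server for this username."""
    if not cookie or "." not in cookie:
        return False
    nonce, tag = cookie.split(".", 1)
    expected = hmac.new(DEVICE_KEY, f"{username}:{nonce}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, tag)


class LoginService:
    def __init__(self, users: Dict[str, str], clock: Callable[[], float] = time.time):
        self.users = users            # username -> stored PBKDF2 string
        self.clock = clock            # injectable for testing
        # Counter key: ("device", cookie) for a trusted device, else ("untrusted", user).
        self.failures: Dict[Tuple[str, str], int] = {}
        self.locked_until: Dict[Tuple[str, str], float] = {}

    def _counter_key(self, username: str, cookie: Optional[str]) -> Tuple[str, str]:
        if device_cookie_valid(username, cookie):
            return ("device", cookie)
        return ("untrusted", username)

    def login(self, username: str, password: str,
              cookie: Optional[str] = None) -> Tuple[bool, Optional[str], str]:
        """Return (ok, new device cookie or None, status)."""
        key = self._counter_key(username, cookie)
        now = self.clock()
        if self.locked_until.get(key, 0.0) > now:
            return False, None, "locked"          # checked before any hashing work
        stored = self.users.get(username)
        ok = verify_password(password, stored if stored is not None else DUMMY_HASH)
        if ok and stored is not None:
            self.failures.pop(key, None)
            self.locked_until.pop(key, None)
            return True, issue_device_cookie(username), "ok"
        count = self.failures.get(key, 0) + 1
        self.failures[key] = count
        if count >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            self.failures[key] = 0
        return False, None, "bad_credentials"
```

Two consequences of the design are worth seeing in the test: a user who has never logged in from a given device shares the “untrusted” counter with everyone else who types their username, so a flood of guesses does lock that path, while the same user on a device that holds a valid cookie is unaffected; and a cookie issued for one username does not validate for another, so it cannot be used to obtain a fresh counter against a different account.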


PATCHING AND VULNERABILITY MANAGEMENT

PATCHING

LeanDNA regularly applies security updates to all Web Application and Data Pipeline components. Security updates are evaluated on a weekly basis at a minimum. Patches are applied to a staging environment for testing prior to being deployed to production.

If LeanDNA becomes aware of a high-risk vulnerability with a valid or known exploit, the team promptly applies package updates to help maintain the security of the environment.

VULNERABILITY MANAGEMENT

LeanDNA utilizes an independent third-party vendor with security expertise to periodically run vulnerability scans on the environment. In addition, automated code vulnerability scans are executed on a daily basis. Newly-discovered security vulnerabilities are assessed based on potential customer impact and the mitigations already in place. Findings are ticketed and addressed by Engineering based on their severity.

CHANGE MANAGEMENT

CHANGE MANAGEMENT POLICY AND PROCESS

LeanDNA uses a best-of-breed ticketing system and a source code management system to support robust change control processes.

Code and infrastructure changes are tracked by tickets that help:
• Define requirements
• Break down work into individual tasks
• Authorize a task for a specific release
• Track the progress of the task
• Track code changes that were made for the task, including peer code reviews
• Document testing required for the related changes
• Document the results of the testing
• Authorize the release of the change to the production environment

LeanDNA uses a Continuous Integration pipeline to constantly build, deploy to a test environment, and run automated tests against new code.

Post-release retrospectives are performed to identify the root cause of issues that may have occurred during the release cycle. These root causes are documented as improvement tickets and addressed according to priority.

RISK MANAGEMENT

LeanDNA’s risk management process identifies the impact and likelihood of any potential risks to LeanDNA’s ability to provide reliable, safe services to its clients. A combined risk score is attached to each risk to help prioritize the mitigation process.

Risks are reviewed on an annual basis. Following the review, Security Personnel create an action plan for each item with a combined score of medium or above. The action plan is reviewed quarterly. The review covers:
• Risks associated with personnel, e.g. accidental or malicious unauthorized data disclosure
• Risks associated with 3rd party services
• Risks associated with the LeanDNA website and web application, e.g. OWASP top 10 vulnerabilities
• Risks associated with change management and the product development process
• Risks associated with compliance and oversight

LeanDNA established a virtual team responsible for conducting these assessments and recommending mitigation actions. The findings of this team are communicated to executive management. The team is also responsible for reviewing the mitigation actions on a quarterly basis and monitoring that the planned actions are put into place in a timely manner.


VENDOR AND PARTNER MANAGEMENT

LeanDNA’s vendor risk assessment review process occurs before service begins, and at a quarterly cadence for existing vendors. Security Personnel audit and decide if a vendor is a critical vendor based on predefined conditions. LeanDNA uses SaaS/Cloud vendors exclusively for services related to data handling. As such, if a vendor is deemed critical (before or after starting to use their services), a cloud-specific risk assessment shall be conducted. If a vendor cannot produce evidence that shows conformance with either SOC 2 Type II or ISO 27001, alternative vendors are evaluated. If no alternative is found, the vendor must complete the Consensus Assessments Initiative Questionnaire that is published by the Cloud Security Alliance. Answers must be reviewed and vetted by Security Personnel.

SECURITY AWARENESS TRAINING

All LeanDNA employees are required to complete Security Awareness training upon hire and annually thereafter. The Security Awareness training covers data privacy and protection, confidentiality, and social engineering. Engineering staff receive additional training on OWASP top 10 vulnerabilities, as well as ongoing team meetings covering security topics that are relevant to the LeanDNA Web Application and Data Pipeline. Employees must also read and acknowledge the Code of Ethics and Business Conduct Policy.

BUSINESS CONTINUITY AND DISASTER RECOVERY

The backup process for customer data runs on a daily basis and stores encrypted backups in Amazon EC2. LeanDNA backups are replicated between multiple AWS regions, making the data accessible even in the event of an outage of an entire AWS region. LeanDNA does not back up to any physical media, and the backup process is fully automated.

LeanDNA does not own, house, or manage its own cloud infrastructure. Business critical systems are either vendor-provided, cloud-based software solutions, or internally-developed software which is hosted with high-availability cloud providers.

In the event of an unexpected outage or disruption at any office location, employees are able to work remotely and continue customer support and normal business operations.

RTO/RPO/SLA

LeanDNA maintains a 99.5% availability SLA for all customers. Because LeanDNA performs daily backups, the Recovery Point Objective (RPO) is 24 hours. The Recovery Time Objective (RTO) is four hours.

COMPLIANCE REPORTING

LeanDNA is SOC 2 Type II certified for the Security and Confidentiality principles. The SOC 2 report can be made available to customers and prospects under NDA.

LeanDNA’s cloud provider, AWS, has multiple security certifications, including SOC 2 Type II and ISO 27001. Information about AWS compliance programs can be found here: https://aws.amazon.com/compliance/programs/ SOC 2 reports are available from AWS under NDA.
