This document outlines the security principles and practices used in Lexchart.
Security is at the core of Lexchart's architecture, development, and deployment.
Leverage security frameworks and libraries
As part of system design, we select frameworks and libraries that conform to our stringent security requirements. Among other factors, we select frameworks and libraries that come from trusted sources and are actively maintained by teams of developers. These building blocks are used by large, global companies powering some of the largest websites on the internet.
Secure database access
Database queries are secured. As a general matter, we take a "zero trust" approach to security. This means that requests for data from our servers must satisfy security requirements.
Lexchart authenticates users over a secure channel before responding to requests for data in the application. All communication with the server -- requests from the client and responses from the server -- happens over secure HTTPS, the communication protocol encrypted with Transport Layer Security (TLS).
Encode and escape data
We employ a variety of techniques to sanitize data submitted to our servers as part of our zero trust philosophy. All submissions are encoded. When special characters are necessary for legitimate purposes, we escape those characters.
Validate all input
To implement our zero trust approach to security, we validate the syntax and semantics of all requests for data from our servers. For security, all input is validated server-side. We also perform client-side validation prior to submission.
Implement digital identity
User access is authenticated with strong password practices. Users must create a strong password at the time of account creation. Insecure passwords are rejected. Our password strength requirements are based on a combination of algorithms, empirical data, and known security risks. We implement a secure password recovery mechanism.
When users initiate a session (they log in), our server generates a secure session ID. Browser cookies used for session management are limited in time and scope.
Enforce access controls
In addition to the user authentication described above, users are authorized to access certain data and features through access controls in the application. As part of our zero trust approach, all requests for data and feature access are denied by default. Authenticated users with the correct authorization (access privileges) are allowed to request data and features.
User authorization to features and data is governed by attributes. The application uses attribute-based access control, which decides access based on attributes of the user, the requested data, and the environment.
All data is encrypted in transit through end-to-end secure communication using TLS. All data is encrypted at rest in our application.
We use PCI-compliant vendors to process all credit card transactions. We store no credit card data. We require minimal user information sufficient for creating an account.
Security logging and monitoring
Our system architecture uses consistent logging across application features and security-specific requirements. We monitor usage of the application for behavior that is inconsistent with the expected usage, timing, or data.
Error handling and exceptions
We include extensive error handling within the application to provide a consistent, reliable user experience. Exceptions are logged and appropriate staff are notified of events.
Contact us with any questions.