Privacy and Security Policies Taken Seriously — How LuxSci Actively Protects Your Accounts

February 15th, 2013

LuxSci is a small company and our staff are well trained and vigilant, watching for social engineering and other attacks on your accounts and data.  We have very strict privacy policies and internal security policies designed to ensure that your data remains confidential and that nothing unauthorized happens to your accounts.

This may sound like normal business, but it really isn’t.  We take extra care to protect you. 

Lost and Forgotten Passwords

One of the most common customer interactions we have concerns lost or forgotten passwords.  LuxSci intentionally does not have an automated system for password recovery.  Instead:

  1. Our Support staff fields the password reset requests manually and verifies the identity of the customer before ever sending a password reset link.
  2. All password requests and the responses to them are logged in our Support system for the account administrator to view.
  3. If we cannot reliably verify a user’s identity, then we will refuse to reset a password and direct the user to talk to his/her administrator directly.
  4. If it is the administrator who has lost his/her password and we cannot verify the identity via normal means, then we have extraordinary means that we follow to establish account ownership and verify rights of access.
  5. If our Support staff feels that the password request is “phishy”, we will actively refuse it and refer the request to the account administrator.
  6. Even if the request itself appears legitimate, if the customer has chosen his/her verification information “poorly”, we may refuse the request or seek further verification.

Some examples may serve to better illustrate these points:

  • Users can put security questions on their account and these can be used for identity verification.  However, if the question and answer are obvious or very easily guessed (even if just by the nature of who is calling), then we may disregard such questions as a viable means of identity verification.
  • It is not uncommon for the person who used to be your account administrator to be fired or leave the company.  In such cases the administrative password must be recovered, and we are very careful about it: we use special processes for determining whether the “new administrator” is really the rightful account owner.

We want to ensure that your account cannot be hijacked, to the best of our ability.

Account Closure and Administrative Requests

Very often, when a customer moves on from one service provider to another, that customer will just email the old provider and request account closure.  Seems reasonable … the customer is giving notice.  However, email messages are easy to forge, even though there are steps that can be taken to make forgery harder, and an email by itself does not prove who sent it or whether they were authorized to make the request.

So, LuxSci will never honor account closure requests, or requests for any kind of information or administrative action for that matter, sent to us via email.  We will instead turn that request into a Support Ticket (or ask you to) and have you log in to your LuxSci account to verify or confirm the request.  The act of logging into your LuxSci account verifies your identity and your level of authorization/permission, and the use of our Support Ticketing system provides a dated, logged audit trail of your requests and our responses.

It may seem like this is just making extra work, but in reality this protects our accounts every day from:

  • Unauthorized account closures or changes
  • Confusion on the part of some user or consultant that requests inappropriate changes

Furthermore, this process:

  • Ensures that the proper parties sign off on all significant requests.
  • Ensures that all requests are documented and time stamped.
  • Provides a forum for all parties involved to see requests and take action if inappropriate ones are being made.

We really cannot reiterate enough — this happens all the time.  Some employee is being malicious and trying to damage a company, some user is upset and trying to get retribution, some consultant decides things should work “his way” and requests an inappropriate change that could take your email completely offline… the list goes on and on.

Confidential Information

Our privacy policy is very clear about confidentiality and non-disclosure of your information — email messages, stored WebAide data (contacts, calendars, files, etc.), etc.   This applies to third parties calling in and asking about your account, billing, users, and other information — we do not give out anything without proof of identity and authorization.  We generally will not even acknowledge if you are a customer or not, unless that is already clear from the context.  Applied to a medical context (HIPAA), our privacy policy goes even further to meet all of the regulatory requirements.

It’s about Trust

You trust us with your data when you host with us.

  • We want your data to remain as secure as possible.
  • We strive to look out for your best interests if we notice inconsistencies or lack of best practices.
  • We respect your privacy and our privacy policies.
  • We defend your account from unauthorized changes, access, or disclosure.

It’s all in a day’s work here at LuxSci.