security overview
Lithium security
At Lithium, security is our strength and one of our core competencies. Many Lithium customers and end-users are extremely tech-savvy and demand the highest standard in security from our products and services. As such, Lithium reaffirms its commitment to security by adhering to security best practices in every aspect of our product development and deployment life cycle. Security is incorporated into the design of our products and services and tested rigorously before rollout to production. We also conduct regular security audits and security vulnerability testing of our products and services to ensure continued compliance with our strict security standards. Below is a brief overview of security measures used at Lithium.
- An extensive input and output validation layer checks that input and output are proper and expected.
- Our application has a robust permissions system which allows granular control over user, role, and group level access.
- User provided content is also checked and validated using an intelligent HTML parser with customizable whitelist and blacklist filters.
- A robust logging mechanism audits and tracks user and admin access and usage.
- We use industry standard SSL technology for server authentication and data encryption.
- Session cookies are protected and do not include user credentials.
- Our solution is protected by firewalls and other security measures to prevent intruders.
- Lithium datacenters are SAS70 Type II compliant, ISO27001 certified, and PCI DSS section 9 certified.
- Lithium hosted application solutions are SAS70 Type II compliant.
- Lithium is EU Safe Harbor certified by the U.S. Department of Commerce.
- Lithium has been awarded TRUSTe’s Privacy Seal, signifying that our privacy policy and practices are compliant with TRUSTe’s program requirements, including transparency, accountability, and choice regarding collection and use of private information. Please visit www.lithium.com/privacy to review our privacy policy.
security testing policy
Lithium is fully committed to keeping our customers' information secure. We encourage safe and responsible security testing and reporting of security issues according to the following few simple rules.
- All security testing must be conducted in our non-production environment to minimize risk to our customers. Please contact the Lithium Security team at security [at] lithium [dot] com for details or to arrange for testing.
- Report all issues privately and securely to the Lithium Security team by sending an email to security [at] lithium [dot] com. If possible, please use proper encryption and protection such as SMIME certificates or PGP encryption. Please refer to the Reporting Security Issues section below for additional details.
- Do not attempt any testing that could cause or trigger a Denial-of-Service condition.
- Do not attempt to access, modify, or delete information that does not belong to you or your organization.
reporting security issues
To report security issues or problems with any Lithium product, service, or website, please follow these simple rules:
- If you are conducting security testing, please follow our Security Testing Policy above.
- Report all issues privately and securely to the Lithium Security team by sending an email to security [at] lithium [dot] com and sign and encrypt your email using SMIME certificates or PGP encryption.
- To exchange SMIME certificates or PGP encryption key credentials please send a signed email message to security [at] lithium [dot] com.
- If you don’t have access to SMIME or PGP, please send an email to security [at] lithium [dot] com to make alternate arrangements.
- Provide full details of the issue and any details to replicate the problem.
- Provide your contact information so the Lithium Security team can contact you for clarifications or details.
requesting security information
Please email security [at] lithium [dot] com to request additional information, such as:
- Current Lithium hosted application SAS70 Type II report
- Lithium hosted application SAS70 bridge letter requests
- Any other information security requests and inquiries
Certain security documentation will only be made available to existing Lithium customers.