Security

Security is a top priority at Lyser. Our information security management system is based on industry best practices. Below is an overview of Lyser’s security strategy, divided into 10 key categories.

Application security

Does Lyser conduct penetration testing of its network, infrastructure, and services? 

Penetration testing is conducted to measure the security posture of Lyser Services and Infrastructure. Lyser has an external penetration test performed at least once per year. 

The objective of those penetration tests is to identify design or functionality issues in Lyser services that could expose Data or Customers to risks from malicious activities. 

Data Sharing and Role-Based Access Control

A Lyser account administrator manages and controls individual user rights by granting specific types of user roles. Details about user roles, collaboration mode and authorization are documented in our Support Hub.

Customer data, such as job ads and templates, can only be accessed by other users within your Lyser account if those items were specifically shared with them, or if the account's collaboration mode allows it.

Data security

Is data encrypted in transit?

Data is encrypted in transit using minimum TLS 1.2.

Is data encrypted at rest?

Data is encrypted at rest using AES 256.

Where is data stored?

Lyser does not store any data onsite. Microsoft Azure data centers are used to host the services provided to customers.

Application security

Where can I get updates on Lyser incidents? 

A listing of incidents that could have impacted Lyser customers is located here: https://status.developdiverse.com/  

Does Lyser have external reporting procedures in place for cybersecurity or privacy incidents? 

Incident reporting is handled as part of our incident management process, whereby incidents impacting customers are reported to the respective customers.

For privacy-specific incidents, the process is governed by the DPA customers, and authorities are informed as required by the law. 

Identity and Access Management

How do users and administrators gain access to the application? 

Lyser supports just-in-time user provisioning and SSO onboarding against Microsoft Entra ID (OpenID Connect) and SAML2.

Organizational Security

Does Lyser have a cybersecurity awareness training program in place? 

Mandatory general security training is provided at onboarding to all employees and contractors. Mandatory training on a specific security topic is also provided annually. 

Does Lyser perform background checks and screening prior to employment? 

All employees undergo a background check prior to employment.  

Need-to-Know and Least Privilege

Lyser operates by the principle of least privilege, hence only a limited set of employees have access to our datacenter. There are strict security policies for employee access, all events are logged and monitored, and data are strictly regulated. Access to production requires a series of strong authentication measures such as multi-factor authentication, a one-time password, and a personal certificate.

Physical Security 

How do you manage data center security? 

Lyser’s service data is hosted in Microsoft Azure data centers. MS Azure adheres to security controls for ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP, HITRUST, MTCS, IRAP, and ENS. Please refer to this link for more details. 

The data center’s physical infrastructure is operated by Azure and we rely on their data center security controls. 

Have you implemented physical security controls at your offices? 

Lyser maintains a physical and environmental policy for its office to ensure the security and integrity of Lyser’s facilities and the assets located within. 

Lyser's office has industry-standard physical security protection with secure access, burglary alarm, etc.

Further, visitors to secure areas are required to sign in and out with arrival and departure times, are required to wear an identification badge, and are always escorted while in secure areas.

Artificial Intelligence  

Does the Lyser platform leverage any AI? 

Lyser utilizes AI in various aspects of the product, such as our inclusive writing capabilities.

Is customer PII data used to train your Artificial Intelligence? 

Lyser does not use customer data to train its internal LLMs/ML models. 

Is the data shared with third parties, and if so, what safeguards are in place to protect it? 

Only Lyser and Microsoft Azure are involved in the processing, with no additional third parties included.  

The security of Azure OpenAI is primarily managed by Microsoft, which implements a range of security measures to protect customer data. These include data encryption both in transit and at rest and strong access controls through Azure Active Directory.

Is the EU AI Act applicable to Lyser? 

Yes, the EU AI Act is applicable to all providers and users of AI systems within the EU.

Lyser’s AI features can be classified in the “Limited Risk” category established by the EU AI Act, meaning that they will be subject to minimal transparency obligations to end users. Lyser will continue to monitor its compliance obligations under the EU AI Act and make adjustments when necessary. 

AI models used at Lyser 

Lyser uses two categories of AI technology: off-the-shelf, public generative AI models (e.g., GPT) and our own proprietary models known as “Lyser AI.”

Public generative AI models 

These kinds of AI models are integrated into Lyser to perform tasks such as generating content based on our prompts. We may have a unique approach for how we apply these AI models, but this type is not based on any AI model proprietary to Lyser. 

Lyser AI models 

This category refers to our own proprietary approach to developing AI models through multiple learning techniques, including deep learning. Lyser AI leverages our unique data, such as extensive bias research data, language structure and culture research data, to complete specific and more complex tasks, such as highlighting a bias phrase and suggesting alternatives. Each feature supported by Lyser AI involves training a new model to perform a specific task. 

Our intention going forward is to use both off-the-shelf models and Lyser AI depending on the specific customer problem we are solving. 

Privacy (Data Processing & Data subjects) 

What types of personal data does Lyser process on behalf of customers?

User profile information, such as name, email address and job title, which can be read from customer ADs.

System information such as IP address and usage behavior as users navigate through the services. 

Does Lyser process sensitive data? 

Lyser is mainly used for job advertisements and employer branding content, which is mostly publicly available content.

Whose personal data does Lyser process? 

Lyser primarily processes data about customer employees who are users of the services.

Who has access to customer data?

Lyser restricts access to customer data and content to its employees who require it in connection with their roles and based on the principle of least privilege. 

Which subprocessors is Lyser using?

Please refer to this page for more information.

 

Vendor Management 

Does Lyser regularly assess the security of its subprocessors? 

Yes, Lyser performs an annual security assessment of its data subprocessors to ensure appropriate security posture.

How does Lyser assess the security posture of its subprocessors? 

The annual security assessment of our subprocessors consists of reviewing and validating the security artifacts of each subprocessor (audit reports, certifications, penetration test reports, etc.). If risks are observed during the assessment, they are evaluated and documented on the organization’s risk register to ensure a risk treatment plan is applied to reduce the third-party risk.

Contact us

If you have any security questions or concerns, please click here to contact our team.
