Lenses.io Ltd is a company registered in England & Wales
Company Registered Number 09975716
VAT number: GB 231980705
Registered office address
17 Bevis Marks,
London, EC3A 7LN, United Kingdom
Lenses ® Enterprise
Business Continuity & Incident Management
The following document outlines the policies and plans around disaster and impact analysis, business continuity and incident management that Lenses.io follows to ensure a high level of reliability and security when delivering services to customers including Government, Financial, Insurance and Healthcare organizations.
“Probability rating” is defined as Very Low, Low, Medium, High, Very High.
“Impact rating” is defined as Negligible, Significant, Major, Critical, Catastrophic.
2. DISASTER RECOVERY
The purpose of Disaster Recovery is to identify issues that can impact the business, their probability and planning around minimizing such risks. The main risks identified and listed in the following table are related to Loss of data (no organization is immune to Loss of Data) and unexpected/natural disasters.
Loss of Data: “Low” probability
The probability is “low” due to the nature of the product and the fact that the company operates on a zero-customer data policy (Lenses does not store, process or access any customer data). The internal company data that are at risk of Loss are 1) Intellectual Property related (such as source code); 2) accounting, taxation and financial data; 3) HR data; 4) support data; 5) marketing and sales data, as required per normal business operations.
1) Internal IP related data (source code) are stored in an immutable, distributed code-repository with secondary fail-safe mechanisms including external escrow services (details).
2) Internal Accounting, taxation and financial data are stored in global Cloud services (QuickBooks, ADP, Xero) with whom the company has DPA agreements in place, with a secondary fail-safe mechanism of backup data held by our chartered accountants.
4) Support data are stored in global Cloud services (ZenDesk) with whom the company has a DPA agreement in place.
Unexpected / Natural Disaster: “High” probability
The probability is “high” due to the numerous incidents that can be classified as an unexpected or natural disaster: loss of electricity, loss of internet connectivity, an office related incident, a strike or a pandemic are all possible incidents for the company.
The impact is “negligible” as the company operates from multiple locations and countries in Europe and North America. To ensure the offering of world class support in accordance with our SLAs, and to avoid the risk of this disaster being elevated to “Major”, the company has a policy on support under which members of the support team are daily in 3 (or more) different geographic locations, and any unanswered tickets are escalated across the entire engineering organization.
The company holds insurance policies at sufficient levels, from companies in the UK and USA rated ‘A’ by A.M. Best and Standard & Poor's and ‘A+’ by Fitch, including:
- Employers liability (£10,000,000)
- Public and products liability (£5,000,000)
- Management liability - Director's and Officers' liability (£2,000,000)
- Professional indemnity (£1,000,000)
As well as additional security policies for:
- Cyber and data
- Crisis Containment
- Reputation protection
- Key person cover
- Network security and personal data events
- Directors' personal cyber
4. OPERATIONAL RISKS
Lenses.io periodically reviews and refreshes its policies to identify any operational risk across our product, services, activities, processes, people and systems that can impact the company's business continuity or impact our customers or their reputation. The key policies in place are:
- Product teams and engineering following our Software Security Certification process available at https://lenses.io/legals/software-security-certification/
- Regular assessments to identify where risks may not be sufficiently mitigated
- Regular review and maintenance of risk records
- Controls to ensure continual compliance with SLAs with our clients via automated reporting in our customer support solution
- Identifying and assessing the key controls to mitigate risks
- At least annual testing of the effectiveness of the key controls
- Identifying and escalating material operational risk events
- Advise clients of an event / incident within 24 hours and keep an audit log of all incidents
- Root Cause Analysis, mitigating similar issues in future and reporting of outputs
- Apply a baseline set of minimum controls that need to be configured on End User Computing Applications (EUCAs), to ensure adequate governance over their use and protection of the data that is contained within
5. INCIDENT MANAGEMENT
The company policy, once an incident has been detected, is to assess the impact and severity, escalate to stakeholders and, if an external entity (customer or partner) is affected, to immediately communicate to all third parties with transparency and full disclosure. A list of all i) notifications, ii) advisories and iii) incidents is available below.
Advisory 19-Jul-2019 Lenses (SLE-SA-2711) - Application Vulnerability Assessment highlighted 2 medium and 3 low severity findings. It is recommended to upgrade to Lenses version 2.3.6 or later;
Advisory 31-Aug-2020 An issue with a third-party library was identified on Friday, 28th Aug 2020 affecting the performance and stability of Lenses version 4.0.1. A new release was made available on Monday, 31st Aug 2020;
Notification 14-Jan-2021 Lenses support is now using ZenDesk. All open tickets have been migrated, and all customers notified. No interruption of services or changes are required;
Advisory 22-Feb-2021 If using the Lenses 4.1 series, please make sure you upgrade to the latest 4.1.3 version of Lenses. A regression in the 4.1 series caused performance degradation, and 4.1.3 also fixes an issue where a Connect worker could occasionally be restarted;
Notification 11-Dec-2021 The latest version of Lenses 4.3 is not affected by the CVE-2021-44228 vulnerability. Find the latest updates on the Log4J vulnerability here;
Last update: 11 Oct 2021
The Business Continuity & Incident Management document may be updated from time to time.