Compliance and risk management
Layer is compliant with the controls outlined in the HIPAA framework and has undergone third-party gap analysis, remediation and verification to ensure compliant handling of protected health information (PHI). Layer acts as a HIPAA business associate (BA) and executes business associate agreements (BAAs) with covered entities in the healthcare space.
EU-U.S. Privacy Shield Framework
Layer is self-certified under Privacy Shield as part of our commitment to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
Risk Assessment & Mitigation
Layer maintains detailed risk assessment and mitigation policies that are regularly reviewed and updated.
Layer utilizes continuous monitoring techniques including vulnerability scanning, statistical anomaly detection, signature-based file modification detection, log analysis and deployment of an Intrusion Detection System (IDS).
Incident Response Program
Layer maintains a formalized incident response program. The incident response policy defines how security vulnerabilities and incidents are triaged, classified, reported, remediated and mitigated.
Layer retains operational logs for 90 days and security logs for 180 days. Access to the security logs is restricted to security personnel.
Distributed Denial of Service (DDoS) Defense
Layer utilizes third-party technologies and platforms to detect, mitigate and prevent DDoS attacks.
Before a candidate joins the Layer staff, they must pass a stringent background check by a specialized third party. These checks include verification of education, previous employment history and external reference checks. Where local labor law or statutory regulations permit, Layer may also conduct criminal, credit, immigration, and security checks. The extent of these background checks depends on the desired position.
All new Layer employees attend a “Security 101” training during the onboarding process. In addition, all Layer employees must take the Layer Security and Privacy training once a year, which covers the Information Security Policies, security best practices, and privacy principles. Depending on the job role, additional training on specific aspects of security may be required. For example, engineers are trained on security-related topics such as cryptography, attack patterns and secure coding practices.
The Layer security team provides continuous communication about emerging threats, advises employees of phishing campaigns and regularly gives presentations on information security to the company.
All third-party vendors are assessed by the Layer security team to ensure that they comply with our stringent security requirements.
Once a third-party relationship has been established, Layer periodically reviews the relationship to ensure ongoing compliance from a security and business continuity perspective.
Once a vendor relationship is terminated, Layer ensures that all access is appropriately revoked and that data is returned or destroyed.