Access control
Easy-to-use control over who can see and update your account data with our permissions and access management. Best-in-class tools and infrastructure to keep your data safe.
Peer to peer
Because you connect directly to the device you’re managing, data never passes through our servers. This greatly reduces access points and attack vectors.
Passwords and multi-factor authentication
Set password policies for your users to require complex passwords. Optionally, require all users to enable multi-factor authentication.
Permissions and write protections
Grant custom permissions for individual users. Restrict the changes users can make, easily add/remove permissions, and onboard new users to your team in seconds.
IP restrictions
Impose restrictions on which devices can access your data. IP allow lists and deny lists prevent connections from untrusted devices.
Audit trails and governance
Review changes to your account & devices at a glance, with an audit trail of who made edits when.
Restricted developer access
Our internal identity access and secrets management policies mean that access to production data is heavily guarded.
Encrypted networks
Infrastructure is critical to keeping your account secure. Behind the scenes, we use industry-leading cloud providers and networking best practices to make sure Level is both highly secure and highly available.
Encryption at rest
Any time data is stored in our databases or server hard drives, it’s encrypted first. Access is only possible via a long, random key phrase.
Encryption in transit: HTTPS / SSL
HTTPS and SSL everywhere, no exceptions. If data moves between our servers and a connected client, it’s via an encrypted channel -- always.
Firewall and intrusion prevention
Our servers & database are behind a strict firewall to only allow authorized connections. Automated network traffic monitoring to detect and prevent intrusion attempts.
Backups and data restoration
Automated backups of user data occur every hour. We can restore a backup within minutes, protecting you from data loss.
Servers on private IP addresses
We use a private cloud to host our infrastructure with private IP addresses. Outside devices will never be able to reach those private machines.
Secure external providers
When we need to use an external provider, we make sure they’re established and trusted. Our staff must use a password manager and multi-factor authentication for all external accounts.
Development practices
Internal practices, decisions, and training to make sure our developers and product designers always put security first.
Secure by design
We think first about security, before we build anything. Our code architecture enforces security by design.
Code review and testing
All code, no matter how small, must be reviewed and tested. Each release must pass a complete quality assurance checklist.
Policies and developer training
Internal policies enforce and encourage a culture of security. All our developers receive training on security best practices.
Frequent, small releases
Using an agile approach with small, frequent releases means changes are easier to review, test, and roll back -- reducing overall risk.
Version control and instant rollbacks
We use industry standard version control (git) and cloud repositories (GitHub) to securely host our code and trigger deployments. When a deploy goes wrong, we can instantly roll back to an earlier version of the code.
Automated testing and deployment
Code gets merged into our application only after passing our entire test suite and receiving code review approval. Continuous testing, integration, & deployment means there’s no guesswork or variability in the deploy process.
Incident response
We’re prepared in the event of a security incident. Rapid discovery, automated escalation, and quick recovery are our priorities. Transparency and keeping users informed along the way are core values.
24/7 monitoring and logging
Tracking & logging system metrics and traffic flows at all times. We use best-in-class application and infrastructure monitoring software to drive insights.
Instant alerts and escalation
When there’s an anomaly, we want to know as soon as possible. Our engineers receive automated alerts upon detection. Alerts escalate to senior management above a threshold.
Rollbacks and backups for instant recovery
We can roll back both the code and the database to prior versions instantly, as needed. Minimal time to remediation for our customers.
Status updates for users
Transparency is critical when it comes to security events. We’ll keep you up to date on system status, and you’ll have access to post-incident reports.
Bug and error reporting
Users are our most valuable source of feedback and error detection. If you notice something amiss, please don’t hesitate to contact us.
Post-incident investigation
After every incident, we’ll conduct a thorough review with our team of what happened, how, and what steps we can take in the future to prevent it.
Vulnerability testing and compliance
Third-party confirmation that we’re following best practices.
OWASP security practices
We train our developers on OWASP principles and undergo regular penetration testing to ensure we’re following them.
General Data Protection Regulation (GDPR)
We comply with GDPR, and we’ll never collect or use data without your permission.
ISO 27001 & SOC 2
These industry-recognized compliance certifications are on our radar. We’re building Level to be compliant, so that when the time comes for an audit, we’re ready.
Penetration testing
We hire third-party penetration and vulnerability testing providers to confirm we’re developing safely.