Built for security

We built Level to be secure from the ground up. Our team is committed to providing a safe, secure, and private platform for remote device management.

Access control

Easy-to-use control over who can see and update your account data with our permissions and access management. Best-in-class tools and infrastructure to keep your data safe.

Peer to peer

Because you connect directly to the device you’re managing, data never passes through our servers. This greatly reduces access points and attack vectors.

Passwords and multi-factor authentication

Set password policies for your users to require complex passwords. Optionally, require all users to enable multi-factor authentication.

Permissions and write protections

Grant custom permissions for individual users. Restrict the changes users can make, easily add/remove permissions, and onboard new users to your team in seconds.

IP restrictions

Impose restrictions on which devices can access your data. IP allow lists and deny lists prevent connections from untrusted devices.

Audit trails and governance

Review changes to your account & devices at a glance, with an audit trail of who made edits when.

Restricted developer access

Our internal identity access and secrets management policies mean that access to production data is heavily guarded.

Encrypted networks

Infrastructure is critical to keeping your account secure. Behind the scenes, we use industry-leading cloud providers and networking best practices to make sure Level is both highly secure and highly available.

Encryption at rest

Any time data is stored in our databases or server hard drives, it’s encrypted first. Access is only possible via a long, random key phrase.

Encryption in transit: HTTPS / SSL

HTTPS and SSL everywhere, no exceptions. If data moves between our servers and a connected client, it’s via an encrypted channel -- always.

Firewall and intrusion prevention

Our servers & database are behind a strict firewall that only allows authorized connections. Automated network traffic monitoring detects and prevents intrusion attempts.

Backups and data restoration

Automated backups of user data occur every hour. We can restore a backup within minutes, protecting you from data loss.

Servers on private IP addresses

We use a private cloud to host our infrastructure with private IP addresses. Outside devices will never be able to reach those private machines.

Secure external providers

When we need to use an external provider, we make sure they’re established and trusted. Our staff must use a password manager and multi-factor authentication for all external accounts.

Development practices

Internal practices, decisions, and training to make sure our developers and product designers always put security first.

Secure by design

We think first about security, before we build anything. Our code architecture enforces security by design.

Code review and testing

All code, no matter how small, must be reviewed and tested. Each release must pass a complete quality assurance checklist.

Policies and developer training

Internal policies enforce and encourage a culture of security. All our developers receive training on security best practices.

Frequent, small releases

Using an agile approach with small, frequent releases means changes are easier to review, test, and roll back -- reducing overall risk.

Version control and instant rollbacks

We use industry standard version control (git) and cloud repositories (GitHub) to securely host our code and trigger deployments. When a deploy goes wrong, we can instantly roll back to an earlier version of the code.

Automated testing and deployment

Code gets merged into our application only after passing our entire test suite and receiving code review approval. Continuous testing, integration, & deployment means there’s no guesswork or variability in the deploy process.

Incident response

We’re prepared in the event of a security incident. Rapid discovery, automated escalation, and quick recovery are our priorities. Transparency and keeping users informed along the way are core values.

24/7 monitoring and logging

We track and log system metrics and traffic flows at all times. We use best-in-class application and infrastructure monitoring software to drive insights.

Instant alerts and escalation

When there’s an anomaly, we want to know as soon as possible. Our engineers receive automated alerts upon detection. Alerts escalate to senior management above a threshold.

Rollbacks and backups for instant recovery

We can roll back both the code and the database to prior versions instantly, as needed. Minimal time to remediation for our customers.

Status updates for users

Transparency is critical when it comes to security events. We’ll keep you up to date on system status, and you’ll have access to post-incident reports.

Bug and error reporting

Users are our most valuable source of feedback and error detection. If you notice something amiss, please don’t hesitate to contact us.

Post-incident investigation

After every incident, we’ll conduct a thorough review with our team of what happened, how, and what steps we can take in the future to prevent it.

Vulnerability testing and compliance

Third-party confirmation that we’re following best practices.

OWASP security practices

We train our developers on OWASP principles and undergo regular penetration testing to ensure we’re following them.

General Data Protection Regulation (GDPR)

We comply with GDPR, and we’ll never collect or use data without your permission.

ISO 27001 & SOC 2

These industry-recognized compliance certifications are on our radar. We’re building Level to be compliant, so that when the time comes for an audit, we’re ready.

Penetration testing

We hire third-party penetration and vulnerability testing providers to confirm we’re developing safely.

Report a vulnerability

If you think you’ve found a bug (even if you aren’t sure!), we’d like to hear from you. We offer a Bug Bounty program for security researchers. When you submit an issue, please include detailed reproduction steps or a proof-of-concept along with your email.