Lemonsoft Data Security


Lemonsoft's Information Security

Lemonsoft has an information security management system in place that complies with the internationally recognized ISO/IEC 27001:2022 standard. The management system has been certified (FI241203-173) by KPMG on December 3, 2024.

The information security management system covers all activities related to software production, customer data handling, maintenance, and service management, ensuring the security and availability of services. The scope also includes data protection, employee security awareness, facility security, and the management of third parties and subcontractors, which are essential for ensuring service security.

Lemonsoft itself is not subject to the NIS2 directive, but the management system takes into account the requirements of the cybersecurity directive to serve our critical infrastructure customers.

The management system includes, among other things:

  • Continuity management
  • Risk management
  • Change management
  • Vulnerability management
  • Incident management
  • Supply chain management
  • Data classification
  • Facility security

See also: Lemonsoft's Privacy Policy and Lemonsoft's Data Security Policy.

Lemonsoft's Information Security Objectives

Through the information security management system, we achieve our set information security objectives, which are:

  • Ensuring the continuity of Lemonsoft’s business operations through information security.
  • Protecting personal data processed in Lemonsoft’s operations through information security.
  • Protecting Lemonsoft’s and partners’ trade secrets processed in Lemonsoft’s operations through information security.
  • Ensuring customer satisfaction and compliance with information security requirements through the management system.
  • Ensuring compliance with legal obligations through the management system.
  • Integrating information security into Lemonsoft’s corporate culture through the management system.

Information Security Training

Information security training is regularly provided to all Lemonsoft employees, and tailored training is organized for key roles, such as application developers.

The training includes, among other things:

  • Data protection
  • Data classification
  • Individual security guidelines
  • Social engineering
  • Vulnerability management
  • Threat modeling
  • Secure development principles
  • Common vulnerabilities (SQLi, XSS, IDOR, OWASP top 10)
  • Fraud detection and prevention

Continuity Management

Lemonsoft has established a continuity management principle. Additionally, service-specific continuity plans have been developed for each product. The plans are reviewed, practiced, and tested according to the annual schedule and as agreed separately.

The continuity plans include, among other things:

  • Roles and responsibilities
  • Risk analysis
  • Critical dependencies
  • Preparedness for disruptions and interruptions
  • Fault tolerance
  • Backup and recovery
  • Plan practice and testing
  • Plan maintenance and communication

Lemonsoft’s Cybersecurity

Lemonsoft’s cybersecurity planning and implementation are guided by the cybersecurity principle. The purpose of the cybersecurity principle is to actively prevent and detect cyberattacks against Lemonsoft and to limit the potential impacts of realized attacks. The APT13m04 threat model, which is kept up to date with various threat intelligence sources, is used in cybersecurity planning. The details of the cybersecurity implementation are confidential and not disclosed to outsiders.

Lemonsoft’s cybersecurity is continuously developed and consists of the following components:

  • Reducing the attack surface through vulnerability management and hardening
  • Early detection of attacks
  • Rapid response, automated as far as possible
  • Limiting the impacts of realized attacks and recovery
  • Producing legally admissible evidence and cooperating with authorities

We have an internal Bug Bounty program to actively search for vulnerabilities in our infrastructure before attackers do. We also conduct OSINT tests and vulnerability scans to find potential weaknesses.

Lemonsoft has 24/7 incident management and monitoring. We use various technologies to detect attacks and attack attempts. Through threat hunting, we search for traces of potential attackers in our network. Lemonsoft has its own CSIRT team that regularly practices for cyberattacks with various purple teaming and red teaming exercises. We also conduct DFIR cooperation with external suppliers and authorities as needed.

We use encryption and data masking in databases and files so that data which might leak cannot be exploited for criminal purposes. In addition to encryption, we use various honeypots (decoy accounts, machines, networks, and vulnerabilities) to deceive and detect attackers.

Continuity planning and recovery exercises are documented and carried out regularly to ensure our resilience against various disruptions, such as ransomware attacks. As during the 2023 ransomware attack, we do not negotiate with attackers, do not pay ransoms, and do not hold insurance for paying ransoms.

Our verified logs collect information about the attacker. We cooperate with the Cybersecurity Center, to which we report detected attack attempts and indicators of compromise (IOCs) for sharing with other authorities. We also upload suspicious files and the IP addresses of suspected phishing sites to VirusTotal for analysis by the security community. We do not impose any restrictions on sharing threat information internationally or with NATO countries.

If necessary, we file a police report with a low threshold and transfer the investigation responsibility to the police.

Do you need more information?

Get in touch. We are here to help!

Pasi Hakkarainen

Information Security Manager

pasi.hakkarainen@lemonsoft.fi

Janne Tammi

CTO

janne.tammi@lemonsoft.fi