Letman Security Policy


Security is a top priority for Letman because it is fundamental to your confidence and experience in using our Service. This Security Policy describes the organisational and technical measures that Letman implements platform-wide to prevent unauthorised access, use, alteration or disclosure of customer data.

We recommend you also review our Terms of Service and Privacy Policy before using our service.

Vulnerability Disclosure

If you would like to report a vulnerability or have any security concerns with our Service, please contact security@letman.ie.

We take all reports very seriously. Once a report is received, our team will rapidly verify each vulnerability before taking the necessary steps to fix it.

Incident Response Plan

We have implemented procedures for handling security events and educated our employees on our policies. When a security event is detected:

  1. The event is escalated as the highest priority for our team to investigate and rapidly implement a fix.
  2. After the security event is fixed, we write up a post-mortem analysis and distribute the report internally, to make the detection and prevention of a similar event easier in the future.
  3. If an event will affect your data in any way, we will promptly notify you in writing upon verification of a security breach. The notification will describe the breach and the status of our investigation.

Hosting Infrastructure

  • All our services operate in the cloud on Amazon Web Services (“AWS”).
  • For Letman IE & UK, all our services and data are hosted in the AWS facilities in the EU-West-1 region (Dublin).
  • All our services on AWS are protected by AWS security as described at https://aws.amazon.com/compliance/shared-responsibility-model.
  • All of our AWS infrastructure is designed to have redundancy spread across multiple data centres (availability zones) in the relevant region. This should allow our services to continue running should any one of those data centres fail unexpectedly.
  • AWS does not disclose the precise geographical location of any of its data centres. As such, we build on the physical security and environmental controls provided by AWS. See https://aws.amazon.com/security for details of AWS security infrastructure.
  • All of our servers are within our own virtual private cloud. This is designed to prevent unauthorised requests getting to our internal network.
  • We keep encrypted backups in multiple locations on AWS of any datastores that contain customer data.


  • Information on how Letman collects and processes data is in our Privacy Policy.
  • All data sent to and from Letman is encrypted and authenticated in transit via the TLS 1.2 protocol and AES 256-bit encryption.
  • Letman's latest SSL Labs Report can be found here.

Administrator Controls

  • We make use of permission levels for any employees with access to customer data. All access is authenticated, logged and audited.
  • We run a zero-trust corporate network. Being on the network grants no unauthenticated access to resources or internal networks.
  • We have 2-factor authentication enabled on all our infrastructure accounts to ensure access to our cloud services is protected.

Letman Employees

  • Confidentiality: All employee contracts include a confidentiality agreement.
  • All employees receive onboarding and systems training about our security systems and policies.
  • Each update to the software is reviewed by at least two software engineers to ensure quality.
  • All software engineers are sent to relevant training seminars at least once a year to ensure familiarity with modern and new approaches to security and reliability.

Customer Responsibilities

In relation to data security, the customer is responsible for:

  • Managing their own user accounts and access levels for those user accounts.
  • Protecting their own login credentials and ensuring their employees use a strong password policy.
  • Compliance with our terms of service.
  • Compliance with all local laws.
  • Promptly notifying Letman of any possible suspicious activities that could negatively impact the security of the Service or their account.