Privacy & Security at Ledger: A Year-in-Review
Things to know:
– At Ledger, we are doing what’s necessary to face any future threats and working around the clock to strengthen our security posture and enable our users to keep their data safe.
– In 2021, we took concrete actions to upgrade our security standards, ranging from hiring world-class security professionals to improving our data management policies and enabling our users to control their rights throughout their journey with us.
At Ledger, privacy & security is the foundation of what we do, and it’s why we exist as a business: to keep your assets secure. When one person is affected by hackers, scams, or another breach, it hurts the whole community.
Throughout 2021, we have worked to continuously bolster our global systems and improve our data management policy. Below is a summary of the actions Ledger took this year to improve our data security & privacy standards.
1- Hiring world-class professionals
In early 2021, Matt Johnson joined us as Chief Information Security Officer (CISO) and took substantial measures to prevent data breaches. He started his career in the Australian Federal Police in Canberra (Australia), and was the Group Chief Security Officer for Ingenico and the Director of Cybersecurity for Visa Europe.
In March 2021, Tiphaine Bessière joined Ledger as a Data Protection Officer (DPO) to bring her proven experience and reinforce Ledger’s compliance with privacy regulations. She worked 8 years for the French data protection authority (CNIL) before joining Ubisoft, a video game company.
2- Improving our data management methods for more privacy
Back in January 2021, we announced changes in the way Ledger handles customer data, with the goal of moving your e-commerce order information, such as name, address and phone number, into a segregated environment with strictly limited access three months after the shipping of your product.
As per this public commitment, we have migrated all order data older than 18 months and will gradually migrate data older than 12, 6 and 3 months in the near future.
All this information will be stored in this separate database for 10 years, as per our accounting obligations, and then removed from our system.
3- Reviewing third-party providers’ data practices
We closely monitor the data shared with our third-party providers to ensure they meet our standards. Our method follows two policies:
- Data minimization: We are currently auditing all data that external service providers have access to, in order to minimize exposure and make sure it’s in line with our practices. We focus specifically on providers that handle PII such as names, postal and email addresses.
- Data retention: We are reviewing all of our third-party providers’ data-management policies to ensure our customers’ data are rapidly deleted or anonymized.
4- Enabling our users to control their data
We aim to establish the most suitable framework for our users to control their rights and maximize the information they receive.
Back in April 2021, we implemented a cookie banner to inform users during their journey on Ledger.com and to let them express their consent. This cookie banner allows them to give their consent for each type of cookie (performance, functional and targeting cookies). They can opt in or opt out, depending on their region. We display this banner worldwide, although we don’t have to in many countries.
In September 2021, we created a dedicated form on our Ledger customer support portal enabling our users to make data requests easily, including for data access and deletion purposes. We are currently working on the automation of the answers to this form to enable all data requests to be processed as quickly as possible.
5- Reinforcing security measures
At Ledger, we not only want to ensure the privacy and security of our customers, but also create a vibrant ecosystem we can all trust. To this end, we are undertaking several important security processes:
- Continued certification and security evaluation of our products.
We undertake rigorous security testing using independent, accredited security labs against the highest standards. We believe in our product so strongly that we continue to undertake these independent security assessments.
Ledger is the only hardware wallet provider that puts itself up to this challenge. No other provider has this level of independent validation and certification.
- The protection of our ecosystem.
A common barrier to entry is that people don’t know where to start or are concerned by stories of theft or loss of crypto assets. Ledger has published an extensive training library to ensure that someone starting on their digital asset journey is confident of doing so.
We have also invested significantly to protect users from scammers. In 2021, we took offline more than 500 websites that were targeting not only Ledger customers but crypto investors in general. We are working with other manufacturers and exchanges to share information and continue to improve the security of our ecosystem.
6- Maximizing Transparency
Employees’ awareness is also fundamental. We organize regular privacy training sessions for all our global employees and long-term contractors to prevent potential risks of data breaches and continue to teach best practices as they evolve in the space.
Security & Privacy values are at the core of why Ledger exists
Ledger is founded on the principle that everyone should have secure protection for their crypto and digital assets, along with the choice of what they share about their information and user behaviors. Our products are designed with resilience and security in mind, with our Secure Element technology at the core of our products, and we will continue to work hard to ensure your trust.
To every Ledger user, please know we are working around the clock to provide you with the strongest and most secure journey into the fast-evolving world of Web3.