Security Policy

Last updated: May 8, 2026

1. Infrastructure Security

Our platform is built on industry-leading security practices:

Hosted on SOC 2-compliant cloud infrastructure (AWS/GCP)
All data encrypted at rest using AES-256
All data in transit protected by TLS 1.3
Network segmentation and firewall protection
DDoS protection and Web Application Firewall

2. Access Controls

We enforce strict access controls:

Role-based access control (RBAC) for all team accounts
Multi-factor authentication (MFA) enforcement
Principle of least privilege for all staff
Regular access audits and revocation procedures
API key authentication with granular permissions

3. Application Security

Our development practices prioritize security:

OWASP Top 10 compliance in all code
Automated security scanning in CI/CD pipeline
Regular third-party penetration testing
Dependency vulnerability monitoring
Secure software development lifecycle (SSDLC)

4. Data Privacy

We protect your data with:

Strict data segregation between customers
Data residency options (US and EU regions)
Automated backup with point-in-time recovery
99.9% durability guarantee for stored data
Secure deletion protocols for data removal

5. Compliance & Certifications

We maintain compliance with:

SOC 2 Type II (in progress)
GDPR compliance
CCPA compliance
ISO 27001 (planned Q3 2026)
HIPAA compliance for diagnostic services

6. Incident Response

Our incident response process includes:

24/7 security monitoring and alerting
Dedicated security incident response team
Notification within 72 hours of confirmed breach
Post-incident analysis and remediation
Regular tabletop exercises

7. Vendor Security

We vet all third-party vendors and sub-processors for security compliance, including SOC 2 reports, penetration testing results, and data processing agreements.

8. Reporting Vulnerabilities

To report a security vulnerability, contact security@lalax.com. We offer bug bounties for verified vulnerabilities and acknowledge all reports within 48 hours.