Security & Trust
Enterprise-Grade Security
LRDefender is built on a Zero Trust architecture: every request is authenticated, every segment is encrypted, and sensitive processing stays on the server—never in plaintext storage.
Architecture
End-to-end protection
A single, auditable path from the browser to encrypted storage. Data is transformed server-side and never written to disk without strong encryption.
- Client SDK: minimal surface, attested calls
- Edge CDN: TLS termination, caching
- API Gateway: authn/z, rate limits, routing
- Processing: server-side-only analytics
- Encrypted storage: AES-256, no plaintext at rest
Assurance
Compliance & certifications
Controls mapped to international frameworks with continuous monitoring—not point-in-time checkbox exercises.
Frameworks: SOC 2 Type II, GDPR, CCPA, ISO 27001, ePrivacy
Data security
Encryption & lifecycle controls
Defense in depth for data at rest, in transit, and under your key management policies.
AES-256 encryption at rest
Fingerprint artifacts and tenant metadata are encrypted with modern ciphers and envelope encryption backed by hardware security modules.
TLS 1.3 in transit
All client and service-to-service traffic uses TLS 1.3 with strong cipher suites and certificate pinning at the edge.
Customer-managed keys (BYOK)
Bring your own KMS keys so ciphertext remains under policies you control, including revocation and audit trails.
Automatic key rotation
Data encryption keys rotate on a defined schedule with zero-downtime re-encryption and auditable rotation events.
Configurable retention (7–90+ days)
Set retention windows per environment. Enterprise plans support custom policies beyond the standard window.
Infrastructure
Global, resilient, always on
Hosted on AWS with edge protection and autoscaling built into the platform—not bolted on as an afterthought.
AWS multi-region
Production workloads run in US-East, EU-West, and AP-Southeast with strict network segmentation.
High availability
Designed for high uptime with redundant infrastructure and transparent status reporting.
DDoS protection
Always-on volumetric and application-layer mitigation at the edge before traffic reaches your APIs.
WAF protection
Managed rule sets, bot scoring, and custom policies shield the control plane and data paths.
Elastic autoscaling
Horizontally scaled workers and APIs absorb spikes while preserving isolation between tenants.
Privacy by design
Built for regulated teams
Minimize data, maximize control, and stay aligned with privacy programs from day one.
No PII collection
Signals are engineered to avoid personal identifiers; we focus on hardware and runtime characteristics—not names or government IDs.
Privacy-preserving fingerprinting
Hashes and similarity scores are derived with stability and unlinkability in mind, aligned to your consent posture.
Consent management support
Integrate with your CMP and policy engine so collection respects regional consent frameworks out of the box.
Data subject requests
Workflows for access, correction, and deletion with dedicated success metrics and audit trails.
DPA on request
Execute a Data Processing Agreement tailored to regulated industries and procurement requirements.
Security operations
Operational excellence
Continuous testing, researcher partnerships, and strict response timelines keep the platform battle-tested.
Security testing program
Ongoing internal security assessments with plans for third-party penetration testing as the platform matures.
Responsible disclosure
We welcome security researchers to report vulnerabilities through our coordinated disclosure process.
Automated monitoring & alerting
Infrastructure health monitoring, anomaly detection, and automated alerting across all production systems.
Rapid incident response
Committed to fast incident response with severity-based escalation and transparent communication.
Change management
Peer-reviewed releases, staged rollouts, and automated rollback guardrails for every production change.
Transparency
Subprocessor list
Key vendors that process data on our behalf under written agreements and security reviews.
| Subprocessor | Purpose | Primary region |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, KMS, object storage, and compute | US-East, EU-West, AP-Southeast |
| Cloudflare | Edge CDN, DDoS mitigation, WAF, and DNS | Global |
| Datadog | Observability, security monitoring, and incident analytics | United States |
| Stripe | Payment processing and billing infrastructure | United States |
| SendGrid (Twilio) | Transactional email delivery for account notices | United States |
Full list available under NDA for enterprise customers. Updates communicated per DPA terms.
Trust center
Need documentation or a deeper review?
Download our DPA, request a security questionnaire, or speak directly with the team that operates LRDefender in production.