Security overview

Security program overview

Lockstack maintains security controls designed to support your compliance objectives and protect your data.

Control areas

Access controls

  • Least privilege access enforcement across all systems
  • Multi-factor authentication (MFA) for administrative access
  • Role-based access control (RBAC) with audit trails
  • SSO integration support (SAML, OIDC)
  • Regular access reviews and de-provisioning procedures
  • Session management with timeout policies

Encryption

  • Data encrypted in transit using TLS 1.2+ for all connections
  • Data encrypted at rest where applicable (databases, backups, logs)
  • Secrets management using industry-standard vaults
  • Key rotation procedures and documentation
  • Encryption key access controls and audit logging

Vulnerability management

  • Continuous dependency scanning for known vulnerabilities
  • Regular security patching cadence (critical: 24-48h)
  • Automated vulnerability detection in CI/CD pipeline
  • Quarterly penetration testing (Regulated tier)
  • Security update notifications and change records

Logging & monitoring

  • Centralized logging of security-relevant events
  • Immutable audit logs with tamper detection
  • Real-time monitoring and alerting on anomalies
  • Log retention based on compliance requirements (90 days to 7 years)
  • Evidence export in standardized formats
  • Access logs, authentication events, and change records

Incident response

  • Documented incident response procedures
  • 24/7 monitoring and detection (Growth+ tiers)
  • Escalation procedures and contact hierarchy
  • Incident timeline logging for audit purposes
  • Root cause analysis and remediation tracking
  • Post-incident review process

Backup & disaster recovery

  • Automated backup scheduling based on tier
  • Encrypted backups with access controls
  • RPO/RTO targets defined per environment
  • Monthly restore testing and verification
  • Backup success/failure logging
  • Disaster recovery runbooks and procedures

Compliance alignment

SOC 2-aligned controls

Lockstack's security controls are designed to align with SOC 2 Type II trust service criteria. We maintain controls mapped to Security, Availability, Confidentiality, and Processing Integrity. We provide audit evidence including access logs, change records, and operational documentation to support your SOC 2 audit process.

Note: We support SOC 2 readiness for your organization. Lockstack's own SOC 2 audit status is available upon request during procurement discussions.

ISO 27001 alignment

Our information security controls align with ISO 27001 requirements including access control, cryptography, operational security, and compliance. We can provide control mapping documentation to support your ISO 27001 certification efforts.

GDPR support

For customers processing EU personal data, we provide a Data Processing Agreement (DPA), support data subject rights (access, deletion, portability), maintain data processing records, and implement appropriate technical and organizational measures for data protection.

HIPAA-aligned deployments

Regulated tier customers can request HIPAA-aligned configurations including enhanced access controls, audit logging, encryption, and Business Associate Agreements (BAA). Contact us to discuss your healthcare compliance requirements.

Responsible disclosure

If you discover a security vulnerability in Lockstack systems or services, please report it to our security team. We are committed to working with security researchers and the community to verify and address vulnerabilities promptly.

Security contact:

contact@lockstack.dev

When reporting a vulnerability, please include:

  • Description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any relevant screenshots or proof-of-concept code
  • Your contact information for follow-up

We commit to acknowledging your report within 48 hours and providing status updates as we investigate and remediate the issue.

Subprocessors

Lockstack uses carefully selected third-party service providers (subprocessors) to deliver our managed platform. All subprocessors are subject to contractual obligations regarding data protection and security.

A complete list of subprocessors, including their function and data processing location, is available to customers upon request and is included in our Data Processing Agreement.

We notify customers of any material changes to our subprocessor list in accordance with DPA terms.

Request a security review

Need to complete a vendor security assessment? We support security questionnaires and can participate in your procurement security review process.

Contact security team