Security Overview
Last updated: ·Last reviewed:
We take the security of customer data seriously. This page describes how we protect data in transit, at rest, and in use, plus our practices for incident response and responsible disclosure.
Encryption
In transit
All connections to the Service use TLS 1.2 or higher. Certificates are managed by our hosting provider with automatic renewal. We do not support deprecated protocols (SSLv2, SSLv3, TLS 1.0, TLS 1.1).
At rest
Customer data stored on our infrastructure is encrypted at rest using AES-256 or equivalent. Database and file-storage encryption is managed by our infrastructure providers under their respective SOC 2 Type II controls.
Authentication and access control
Account authentication
Customers authenticate via email and password. Strong password requirements are enforced (minimum length, complexity, breach checking against known-compromised credentials).
Multi-factor authentication
Multi-factor authentication is available to all customers in account settings and is required for any administrative or sensitive operations.
Access controls
Lydmera staff access to production systems follows the principle of least privilege. Access is granted on a need-to-know basis, logged, and reviewed regularly. Production access requires multi-factor authentication.
Customer Content access by Lydmera staff is logged. We do not access Customer Content for any purpose other than:
- Delivering the Service (e.g., calculation processing)
- Resolving customer support requests when explicitly authorised
- Investigating security incidents
- Complying with legal obligations
Infrastructure security
Our infrastructure runs on industry-standard cloud providers. These providers maintain SOC 2 Type II compliance and equivalent security certifications. For a named list of our current providers, email privacy@lydmera.com.
Network security
- All external traffic encrypted via HTTPS
- Internal services communicate over encrypted private networks where possible
- Firewall rules restrict access to authorised services
- DDoS protection via our edge provider
Application security
- Input validation and output encoding to prevent injection attacks
- CSRF protection on state-changing operations
- Content Security Policy headers
- Regular dependency scanning for known vulnerabilities
Monitoring and logging
We monitor the Service continuously for security events:
- Authentication anomalies (unusual login patterns, brute-force attempts)
- Application errors and exceptions
- Unusual traffic patterns
- Suspicious data access
Operational logs are retained for 90 days, then deleted or anonymised. Security incident logs may be retained longer where necessary for investigation or legal purposes.
Backup and disaster recovery
Customer data is backed up regularly through our infrastructure providers' managed backup services. Backups are encrypted, geographically separated from primary systems, and retained for up to 90 days.
In the event of a major incident affecting production systems, our target recovery time objectives are:
- Service restoration: within 24 hours
- Data restoration from backup: within 48 hours
These are targets, not guarantees — see our Terms of Service for service availability disclaimers.
Incident response
We follow a structured incident response process:
- Detection — security monitoring identifies a potential incident
- Assessment — severity and scope are determined
- Containment — affected systems are isolated to prevent escalation
- Eradication — root cause is addressed
- Recovery — services are restored
- Notification — affected customers are notified where required
- Post-incident review — lessons learned are documented and applied
Breach notification
If a security incident affects personal data, we will notify affected customers without undue delay and, where required, within 72 hours of becoming aware of the incident, in accordance with UK GDPR, EU GDPR, and the Data Protection (Bailiwick of Guernsey) Law, 2017.
Responsible disclosure
We welcome reports from security researchers, customers, and members of the public regarding potential vulnerabilities in the Service.
How to report
Email security@lydmera.com with:
- A description of the vulnerability
- Steps to reproduce
- Your assessment of severity
- Your contact information (if you would like recognition or response)
Our commitment
- We acknowledge reports within 5 business days
- We provide an initial assessment within 14 business days
- We will not pursue legal action against good-faith security researchers who:
  - Make a good-faith effort to avoid privacy violations, data destruction, or service disruption
  - Report vulnerabilities promptly
  - Do not publicly disclose vulnerabilities before we have had reasonable time to respond
  - Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
Out of scope
- Denial-of-service attacks
- Social engineering of Lydmera staff
- Physical access to our offices or infrastructure
- Issues in third-party services we use (please report those to the respective providers)
Certifications and compliance
We work toward and maintain alignment with industry security frameworks. Where we hold formal certifications, they are listed here:
[To be updated as certifications are obtained.]
Enterprise security questionnaires
Enterprise customers requiring formal security documentation (security questionnaire responses, SIG questionnaires, CAIQ, etc.) can request these at security@lydmera.com.
Subprocessors and data flow
For enterprise security reviews that require a named list of our subprocessors with locations and safeguards, email privacy@lydmera.com.
Contact
For security disclosures: security@lydmera.com
For security questions from prospective enterprise customers: security@lydmera.com
For general questions: use our contact form.
Changes to this overview
We may update this Security Overview as our practices evolve. The "Last updated" date at the top of this page indicates the most recent revision.