Lydmera

Security Overview

Last updated: 27 May 2026 · Last reviewed: 27 May 2026

We take the security of customer data seriously. This page describes how we protect data in transit, at rest, and in use, plus our practices for incident response and responsible disclosure.

Encryption

In transit

All connections to the Service use TLS 1.2 or higher. Certificates are managed by our hosting provider with automatic renewal. We do not support deprecated protocols (SSLv2, SSLv3, TLS 1.0, TLS 1.1).

At rest

Customer data stored on our infrastructure is encrypted at rest using AES-256 or equivalent. Database and file-storage encryption is managed by our infrastructure providers under their respective SOC 2 Type II controls.

Authentication and access control

Account authentication

Customers authenticate via email and password. Strong password requirements are enforced (minimum length, complexity, breach checking against known-compromised credentials).
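The paragraph above names two controls, length/complexity rules and a check against known-compromised credentials. The following is an added illustration, not Lydmera's code, of how the two are commonly combined so that the candidate password never leaves the server: the breach check follows the k-anonymity "range" scheme (send only the first five hex characters of the SHA-1, compare the returned suffixes locally). The policy values, the breach corpus and the lookup function are constructed stand-ins so the example runs offline.

```python
"""Password policy with a k-anonymity breach check (added example)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, List

MIN_LENGTH = 12            # assumed value; the overview states no number
MIN_CHARACTER_CLASSES = 3  # assumed value

# Constructed breach corpus (password -> breach occurrences). A real
# deployment never holds this list; it queries a range endpoint instead.
_CONSTRUCTED_BREACH_CORPUS = {
    "password": 3_645_804,
    "Summer2024!Welcome": 1_204,
    "Qwerty!23456": 87,
}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range_lookup(prefix: str) -> str:
    """Stand-in for the range endpoint: returns "SUFFIX:COUNT" lines for
    every corpus entry whose SHA-1 starts with the 5-character prefix."""
    lines = []
    for pw, count in _CONSTRUCTED_BREACH_CORPUS.items():
        digest = _sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str,
                 range_lookup: Callable[[str], str] = constructed_range_lookup) -> int:
    """Return how often the password appears in the corpus, or 0.

    Only the 5-character prefix is sent to the lookup; the remaining 35
    characters are compared locally against every returned suffix."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


@dataclass
class PolicyResult:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def check_password(password: str) -> PolicyResult:
    """Apply length, complexity and breach checks, collecting every failure
    so the user sees all problems at once."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    present = sum(bool(re.search(c, password)) for c in classes)
    if present < MIN_CHARACTER_CLASSES:
        reasons.append(f"uses {present} character classes, need {MIN_CHARACTER_CLASSES}")
    hits = breach_count(password)
    if hits:
        reasons.append(f"appears in {hits} known breaches")
    return PolicyResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate in ("password", "Summer2024!Welcome", "correct-horse-battery-staple-9"):
        print(candidate, check_password(candidate))
```

Swapping `constructed_range_lookup` for an HTTP call to a real range endpoint is the only change needed to run this against live breach data; the comparison logic stays on the server.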

Multi-factor authentication

Multi-factor authentication is available to all customers in account settings and is required for any administrative or sensitive operations.

Access controls

Lydmera staff access to production systems follows the principle of least privilege. Access is granted on a need-to-know basis, logged, and reviewed regularly. Production access requires multi-factor authentication.

Customer Content access by Lydmera staff is logged. We do not access Customer Content for any purpose other than:

  • Delivering the Service (e.g., calculation processing)
  • Resolving customer support requests when explicitly authorised
  • Investigating security incidents
  • Complying with legal obligations

Infrastructure security

Our infrastructure runs on industry-standard cloud providers. These providers maintain SOC 2 Type II compliance and equivalent security certifications. For a named list of our current providers, email privacy@lydmera.com.

Network security

  • All external traffic encrypted via HTTPS
  • Internal services communicate over encrypted private networks where possible
  • Firewall rules restrict access to authorised services
  • DDoS protection via our edge provider

Application security

  • Input validation and output encoding to prevent injection attacks
  • CSRF protection on state-changing operations
  • Content Security Policy headers
  • Regular dependency scanning for known vulnerabilities
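The list above states that state-changing operations carry CSRF protection. As an added example (not Lydmera's code), here is one standard way to provide it: the server issues a token that is an HMAC over the session identifier and an issue timestamp, and every POST, PUT, PATCH or DELETE must present a token that verifies against the caller's own session. A page on another origin can make the browser send the session cookie, but it cannot read or forge the token. The secret, session ids and request dicts are constructed for illustration.

```python
"""Session-bound CSRF token issue and verification (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed per-process secret; a deployment loads this from a secret store
# so tokens survive restarts and are shared across instances.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_MAX_AGE_S = 3600
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _mac(session_id: str, issued_at: int, secret: bytes) -> str:
    msg = f"{session_id}:{issued_at}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now: Optional[int] = None,
                     secret: bytes = SERVER_SECRET) -> str:
    """Token format "<issued_at>.<hex hmac>"; embed it in forms or hand it
    to the front end for an X-CSRF-Token header."""
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}.{_mac(session_id, issued_at, secret)}"


def verify_csrf_token(token: str, session_id: str, now: Optional[int] = None,
                      max_age: int = TOKEN_MAX_AGE_S,
                      secret: bytes = SERVER_SECRET) -> bool:
    """Reject malformed, expired, future-dated, tampered or cross-session tokens."""
    issued_str, sep, mac = token.partition(".")
    if not sep or not issued_str.isdigit():
        return False
    issued_at = int(issued_str)
    now = int(time.time()) if now is None else now
    if issued_at > now or now - issued_at > max_age:
        return False
    # compare_digest keeps the comparison time independent of where a
    # mismatch occurs.
    return hmac.compare_digest(_mac(session_id, issued_at, secret), mac)


def csrf_gate(request: dict) -> Tuple[int, str]:
    """Middleware-style check over a constructed request dict with keys
    method, cookies, headers and form. Safe methods pass; state-changing
    requests need a token (header or form field) valid for their session."""
    if request["method"].upper() not in STATE_CHANGING:
        return 200, "ok"
    session_id = request.get("cookies", {}).get("session")
    token = (request.get("headers", {}).get("X-CSRF-Token")
             or request.get("form", {}).get("csrf_token"))
    if not session_id or not token or not verify_csrf_token(token, session_id):
        return 403, "CSRF check failed"
    return 200, "ok"


if __name__ == "__main__":
    sid = "session-constructed-1"
    token = issue_csrf_token(sid)
    print(csrf_gate({"method": "POST", "cookies": {"session": sid},
                     "headers": {"X-CSRF-Token": token}, "form": {}}))
    print(csrf_gate({"method": "POST", "cookies": {"session": sid},
                     "headers": {}, "form": {}}))
```

Binding the token to the session id means a token captured from one user's form is useless against another user's session, and the timestamp bounds how long a leaked token stays valid.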

Monitoring and logging

We monitor the Service continuously for security events:

  • Authentication anomalies (unusual login patterns, brute-force attempts)
  • Application errors and exceptions
  • Unusual traffic patterns
  • Suspicious data access
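The first item in the list above, authentication anomalies such as brute-force attempts, is the one most readily expressed as detection logic. The following is an added example, not Lydmera's monitoring code: a sliding window of failed logins per source address raises an alert at a threshold, and a follow-on signal fires when a success arrives from an address that has just produced a burst of failures, which is the pattern an analyst most wants to see. The log format and the sample lines are constructed (documentation IP ranges) so it runs offline.

```python
"""Authentication-anomaly detection over sample auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed line format: "<ISO-8601 UTC> auth <success|failure> user=<name> ip=<addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>success|failure) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: a five-failure burst followed by a success from one
# address, and two widely spaced failures from another.
SAMPLE_LOG = """\
2026-05-27T10:00:01Z auth failure user=alice ip=203.0.113.7
2026-05-27T10:00:03Z auth failure user=alice ip=203.0.113.7
2026-05-27T10:00:04Z auth failure user=admin ip=203.0.113.7
2026-05-27T10:00:06Z auth failure user=alice ip=203.0.113.7
2026-05-27T10:00:09Z auth failure user=alice ip=203.0.113.7
2026-05-27T10:00:15Z auth success user=bob ip=198.51.100.23
2026-05-27T10:00:30Z auth success user=alice ip=203.0.113.7
2026-05-27T10:05:00Z auth failure user=carol ip=198.51.100.23
2026-05-27T10:20:00Z auth failure user=carol ip=198.51.100.23
2026-05-27T10:30:00Z auth success user=carol ip=198.51.100.23
"""


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, not fatal
    rec = m.groupdict()
    rec["epoch"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).timestamp()
    return rec


def detect_auth_anomalies(lines: Iterable[str], threshold: int = 5,
                          window_s: int = 60) -> List[Dict]:
    """Return alerts in log order. Thresholds are assumed tuning values."""
    failures = defaultdict(deque)    # ip -> deque of (epoch, user) inside the window
    burst_at: Dict[str, float] = {}  # ip -> epoch of its most recent brute-force alert
    alerts: List[Dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t = rec["ip"], rec["epoch"]
        if rec["outcome"] == "failure":
            q = failures[ip]
            q.append((t, rec["user"]))
            while q and t - q[0][0] > window_s:
                q.popleft()              # drop failures that fell out of the window
            if len(q) >= threshold:
                alerts.append({"type": "brute_force", "ip": ip, "ts": rec["ts"],
                               "failures": len(q),
                               "users": sorted({u for _, u in q})})
                burst_at[ip] = t
                q.clear()                # one alert per burst; count afresh
        elif ip in burst_at and t - burst_at[ip] <= window_s:
            alerts.append({"type": "success_after_burst", "ip": ip,
                           "ts": rec["ts"], "user": rec["user"]})
            del burst_at[ip]
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_anomalies(SAMPLE_LOG.splitlines()):
        print(alert)
```

The `users` field on a brute-force alert distinguishes a single account being hammered from one address cycling through many accounts, which usually warrants a different response.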

Operational logs are retained for 90 days, then deleted or anonymised. Security incident logs may be retained longer where necessary for investigation or legal purposes.

Backup and disaster recovery

Customer data is backed up regularly through our infrastructure providers' managed backup services. Backups are encrypted, geographically separated from primary systems, and retained for up to 90 days.

In the event of a major incident affecting production systems, our target recovery time objectives are:

  • Service restoration: within 24 hours
  • Data restoration from backup: within 48 hours

These are targets, not guarantees — see our Terms of Service for service availability disclaimers.

Incident response

We follow a structured incident response process:

  1. Detection — security monitoring identifies a potential incident
  2. Assessment — severity and scope are determined
  3. Containment — affected systems are isolated to prevent escalation
  4. Eradication — root cause is addressed
  5. Recovery — services are restored
  6. Notification — affected customers are notified where required
  7. Post-incident review — lessons learned are documented and applied

Breach notification

If a security incident affects personal data, we will notify affected customers without undue delay and, where required, within 72 hours of becoming aware of the incident, in accordance with UK GDPR, EU GDPR, and the Data Protection (Bailiwick of Guernsey) Law, 2017.

Responsible disclosure

We welcome reports from security researchers, customers, and members of the public regarding potential vulnerabilities in the Service.

How to report

Email security@lydmera.com with:

  • A description of the vulnerability
  • Steps to reproduce
  • Your assessment of severity
  • Your contact information (if you would like recognition or response)

Our commitment

  • We acknowledge reports within 5 business days
  • We provide an initial assessment within 14 business days
  • We will not pursue legal action against good-faith security researchers who:
    • Make a good-faith effort to avoid privacy violations, data destruction, or service disruption
    • Report vulnerabilities promptly
    • Do not publicly disclose vulnerabilities before we have had reasonable time to respond
    • Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue

Out of scope

  • Denial-of-service attacks
  • Social engineering of Lydmera staff
  • Physical access to our offices or infrastructure
  • Issues in third-party services we use (please report those to the respective providers)

Certifications and compliance

We work toward and maintain alignment with industry security frameworks. Where we hold formal certifications, they are listed here:

[To be updated as certifications are obtained.]

Enterprise security questionnaires

Enterprise customers requiring formal security documentation (security questionnaire responses, SIG questionnaires, CAIQ, etc.) can request these at security@lydmera.com.

Subprocessors and data flow

For enterprise security reviews that require a named list of our subprocessors with locations and safeguards, email privacy@lydmera.com.

Contact

For security disclosures: security@lydmera.com

For security questions from prospective enterprise customers: security@lydmera.com

For general questions: use our contact form.

Changes to this overview

We may update this Security Overview as our practices evolve. The "Last updated" date at the top of this page indicates the most recent revision.

© 2026 Lydmera Limited · LYDMERA™