Key security features

Lightup’s mission is to help our customers find issues in their data easily and in an automated manner. We are committed to being transparent about our security practices so that our customers understand our approach. Lightup has treated security and privacy as a priority since the company was founded. This page summarizes our key security and privacy features.

Highlights

  • Security is architected into the platform from the ground up, across all facets of product development and deployment.
  • No customer source data is copied into the Lightup environment, irrespective of the deployment model.
  • Regular third-party audits and pen-tests ensure SOC2 Type 2 and ISAE 3000 compliance.

SOC2 Type 2 and ISAE 3000 compliant

We undergo regular pen-tests by third parties to ensure that our platform remains secure and standards-compliant. Recent pen-test reports are available upon request.

We invest heavily in secure software development including automation tools and employee training. Security patches are applied promptly. Static code analysis is performed as part of our CI/CD pipeline to make sure known vulnerabilities do not pass through.

Protecting your data end-to-end

Compliance and certification do not automatically imply security. Lightup implements key security features to protect customer data end-to-end, in any deployment.

  • Data in transit: [applies to Cloud and Hybrid deployments] All data transmission between Lightup and customers -- DQIs, metadata, or results -- uses strong encryption protocols. Lightup supports and enforces the latest recommended secure cipher suites. The minimum requirement during connection negotiation is TLS 1.2 with AES-256 encryption.
  • Data at rest: [applies to Cloud deployments] Lightup uses third-party (AWS) managed RDS and Redshift services to store DQIs, metadata, and results. Data encryption and periodic backup snapshots are always enabled. Our cloud infrastructure (AWS) uses the open-standard AES-256 encryption algorithm to encrypt data at rest.
  • Data access: [applies to Cloud and Hybrid deployments] Customers' data never leaves their production environment. All data access activity, whether querying for DQIs or querying metadata or results, is logged.
  • Single-tenant VPC: [applies to Cloud deployments] Compute and storage resources associated with a customer are isolated in a dedicated VPC unique to that customer. Lightup stores metrics and metadata in a dedicated database that is not shared with other customers.
  • Environment separation: Lightup separates networks and the environments between testing, development, and customer deployments. Network access to Lightup environments from a public network is restricted. Access is only allowed through a dedicated virtual private network.
  • Intrusion detection and vulnerability monitoring: Lightup automates the monitoring of vulnerabilities in the infrastructure and software package dependencies as part of the CI/CD pipeline. Security patches are applied immediately upon detection. All access activity is logged.
  • Responsible disclosure: Lightup maintains a Responsible Disclosure Policy to encourage community support in keeping Lightup secure.
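As an added illustration of the data-in-transit policy above (example code, not Lightup's own configuration), the snippet below builds a Python ssl client context that enforces the same minimum, TLS 1.2 with AES-256 suites, and checks a negotiated session against that policy. The ECDHE key-exchange restriction and the exact cipher string are this example's own assumptions.

```python
import ssl

# Policy stated on the page: TLS 1.2 minimum, AES-256 encryption.
# The ECDHE restriction and the cipher string below are assumptions made
# for this example, not Lightup's published configuration.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
TLS12_CIPHER_STRING = "ECDHE+AES256:!aNULL:!MD5"  # AES-256 suites only


def build_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and limits the
    pre-1.3 suites to AES-256. TLS 1.3 suites are fixed by OpenSSL and are
    not affected by set_ciphers(), so they are checked per-session instead."""
    ctx = ssl.create_default_context()  # verifies the server certificate
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(TLS12_CIPHER_STRING)
    return ctx


def offered_legacy_suites(ctx: ssl.SSLContext) -> list:
    """Names of the non-TLS-1.3 suites the context will offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weakest_legacy_key_bits(ctx: ssl.SSLContext) -> int:
    """Smallest symmetric key size among the offered non-TLS-1.3 suites."""
    return min(c["alg_bits"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3")


def check_negotiated(version: str, cipher: str) -> tuple:
    """Evaluate a negotiated (version, cipher) pair, as returned by
    SSLSocket.version() and SSLSocket.cipher()[0], against the policy.
    Returns (compliant, reason)."""
    if version not in ("TLSv1.2", "TLSv1.3"):
        return False, f"protocol {version} is below TLS 1.2"
    # TLS 1.2 names look like ECDHE-RSA-AES256-GCM-SHA384,
    # TLS 1.3 names look like TLS_AES_256_GCM_SHA384.
    if "AES256" not in cipher and "AES_256" not in cipher:
        return False, f"cipher {cipher} is not an AES-256 suite"
    return True, "compliant"
```

In a real client, call `check_negotiated(sock.version(), sock.cipher()[0])` after the handshake and drop the connection when it returns `False`.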

Additional resources

  • Contact us for more information on Lightup's security program and implementation, including recent pen-test reports and certifications.