User Guide
Security and data privacy
Lightup’s mission is to help our customers find issues in their data easily and in an automated manner. We are committed to being transparent about our security practices to help our customers understand our approach. Lightup has been focused on security and privacy as a priority right from when the company was founded. This page summarizes our key security and privacy features.


  • Security is architected into the platform from ground up across all facets of product development and deployment.
  • No data is copied from customer data sources into the Lightup environment, irrespective of the deployment model.
  • Regular penetration tests and third-party audits are performed to ensure SOC2 Type 2 and ISAE 3000 compliance.

Compliance and certification

We invest heavily in secure software development including automation tools and employee training. Security patches are applied promptly. Static code analysis is performed as part of our CI/CD pipeline to make sure known vulnerabilities do not pass through.
We maintain compliance with ISAE 3000 and SOC2 Type 2. We successfully completed the SOC2 Type 2 certification in July 2021.
We undergo regular penetration tests by third parties to ensure that our platform remains secure and can be independently verified. Recent pen-test reports are available upon request.

Protecting your data end-to-end

Compliance and certification do not automatically imply security. Here are the key security features that Lightup implements to protect customer data end-to-end:
  • Data in transit: [applies to Cloud and Hybrid deployments] All data transmission between Lightup and customers -- DQIs, metadata, or results -- uses strong encryption protocols. Lightup supports and enforces the latest recommended secure cipher suites. The minimum requirement during connection negotiation is TLS1.2 with AES128 encryption.
  • Data at rest: [applies to Cloud deployments] Lightup uses 3rd party (AWS) managed RDS and Redshift services to store DQIs, metadata, and results. Data encryption and periodic backup snapshots are always enabled. Our cloud infrastructure (AWS) uses the open standard AES-256 encryption algorithm to encrypt data at rest.
  • Data access: [applies to Cloud and Hybrid deployments] Customers' data never leaves their production environment. All data access activity to query for DQIs or querying metadata or results is logged.
  • Single tenant VPC: [applies to Cloud deployments] Compute and storage resources associated with a customer are isolated in a dedicated VPC unique to the customer. Lightup stores metrics and metadata in a dedicated database that is not shared with other customers.
  • Environment separation: Lightup separates networks and the environments between testing, development, and customer deployments. Network access to Lightup environments from a public network is restricted. Access is only allowed through a dedicated virtual private network.
  • Intrusion detection and vulnerability monitoring: Lightup automates the monitoring of vulnerabilities in the infrastructure and software package dependencies as part of the CI/CD pipeline. Security patches are applied immediately upon detection. All access activity is logged.

Privacy policy

Lightup protects both customers' data and individual data rights. Details of our approach can be found in our Privacy Policy.

Responsible disclosure

Lightup adopts a Responsible Disclosure Policy to encourage community support in keeping Lightup secure.

Additional resources

Download the infosec bundle or contact us at [email protected] for additional information on Lightup's security program and implementation, including recent pen testing reports and certifications.
Last modified 1mo ago