This page covers how Lobster protects your data in the Lobster Cloud, including data hosting locations, data sovereignty, customer data handling principles, data subject rights, and data deletion procedures.
Data hosting locations
Aspect | Details |
|---|---|
Standard region | You can find them here: AWS Regions and Data Residency |
Optional region | You can find them here: AWS Regions and Data Residency |
Third-country transfer | No transfer of personal data by Lobster outside the EU, EEA, or Switzerland. |
Switzerland's adequacy | The EU Commission has issued an adequacy decision for Switzerland. Data transfer between the EU and Switzerland is GDPR-compliant. The Swiss Federal Act on Data Protection (FADP) applies additionally. |
You select your hosting region during the onboarding.
Important
The region cannot be changed after provisioning.
Data sovereignty
You retain complete control and ownership of your data at all times. Lobster acts as a data processor under GDPR Article 28. The following principles apply:
Principle | Details |
|---|---|
Data ownership | Your data belongs to you. Lobster makes no claims whatsoever on the data you collect or process using the software. |
Data minimisation | Lobster only processes data that is strictly necessary for the operation and monitoring of the platform. This data consists of system logs and operational metrics. It does not contain your business data. |
Customer data handling principles
Lobster enforces strict rules on how customer data is handled within the Cloud environment. These rules are binding for all Lobster employees.
Category | Rule |
|---|---|
No decryption | Lobster does not decrypt your encrypted data. |
No data copies | Lobster does not copy data from your system to other servers or storage media. |
No data archiving | Lobster does not archive any data from your system that is not required for the backup. Details on the backup process and retention period can be found here: Backup and Recovery |
No system cloning | Lobster does not clone systems (servers or databases) to create new environments (for example, creating a DEV system from a production copy). |
No data synchronisation | Lobster does not synchronize data between your servers and databases (for example, between test and production systems). |
No database dumps | Lobster does not create database dumps to clone databases. |
Each system in your environment (production, test, DEV, DMZ) has its own software-based encryption integrated into the Lobster Data Platform. Data encrypted within one system cannot be transferred to another system without breaking the encryption. This architectural design ensures that your data remains within its designated encrypted environment.
Operational data
The only data processed by Lobster consists of system logs and operational metrics required for platform monitoring, troubleshooting, and performance optimization. This data does not contain your business data.
Data type | Retention period |
|---|---|
System logs | 12 months (CloudWatch Logs retention policy) |
Operational metrics | As required for monitoring and performance analysis |
Responsibility distribution
Area | Lobster responsibility | Your responsibility |
|---|---|---|
Infrastructure security | Complete AWS infrastructure, OS, database, network, encryption, monitoring | Not applicable |
Data processing compliance | Technical and organizational measures (TOMs), data processor obligations under Art. 28 GDPR | GDPR-compliant usage of the platform, compliance with legal requirements (GDPR, BDSG) |
Data quality and content | Not applicable | Complete responsibility for the accuracy, completeness, and legality of processed data |
End-user access management | Not applicable | User Management within the Lobster Data Platform |
Data subject rights | Technical tools and infrastructure | Responding to data subject requests as the data controller |
Third-party providers
Lobster uses the following third-party providers for infrastructure and monitoring. None of these providers process your business data.
Provider | Purpose | Data processing | Location |
|---|---|---|---|
AWS | Cloud infrastructure (hosting) | Customer data (complete) | |
Arctic Wolf | 24/7 Security Operations Center (SOC), threat detection | Security logs and metrics only. No customer data. | EU data centres |
New Relic | Performance and infrastructure monitoring | Metrics and logs only. No customer data. | EU data centres |
PagerDuty | Incident management and alerting | Alerting data only. No customer data. | EU data centres |
All third-party providers operate under Data Processing Agreements (DPA) in accordance with GDPR Article 28. A complete list of subcontractors is available on request. Changes to subcontractors are communicated to you with adequate advance notice, and you have the right to object to new subcontractors.