Lobster Cloud operates a multi-layered security model that protects your environment at every level: from the physical data center infrastructure managed by AWS, through network segmentation and encryption managed by Lobster, to application-level security within the Lobster Data Platform. This page provides an overview of all security measures in place.
Infrastructure security
Each customer environment is fully isolated within its own dedicated AWS Virtual Private Cloud (VPC). There is no shared infrastructure between customers.
| Measure | Implementation |
|---|---|
| Customer isolation | Each customer receives a dedicated VPC with separate subnets, Security Groups and database instances. |
| Network segmentation | Public and private subnets across multiple Availability Zones. Database instances are placed in private subnets with no direct external access. |
| Firewall rules | Dedicated firewall rules per system component (LDP, DMZ, DEV). Incoming traffic is denied by default unless explicitly authorized. |
| VPC Endpoints | AWS services are accessed via VPC Endpoints without exposure to the public internet. |
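The isolation model in the table above can be verified rather than assumed. The following is an added example (not Lobster's own code or tooling) of an offline posture check: it inspects security group rules for ingress that is open to the whole internet, which would break the deny-by-default rule, and flags database instances that are publicly accessible or attached to such a group. The sample records are constructed here in the shape of boto3's `ec2.describe_security_groups()` and `rds.describe_db_instances()` responses; the group and instance ids are placeholders, and in a real account the data would come from those API calls instead of the literals.

```python
"""Offline check of the isolation model: deny-by-default ingress and
databases with no direct external access.

Added example, not Lobster's code. SECURITY_GROUPS and DB_INSTANCES are
constructed samples in the shape of boto3's describe_security_groups()
and describe_db_instances() responses; ids are placeholders.
"""
from ipaddress import ip_network

# Constructed sample: one group that follows the model, one that does not.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0example1",
        "GroupName": "ldp-app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        ],
    },
    {
        "GroupId": "sg-0example2",
        "GroupName": "dev-box",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

# Constructed sample: one private RDS instance, one with a public endpoint.
DB_INSTANCES = [
    {"DBInstanceIdentifier": "ldp-db", "PubliclyAccessible": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example1"}]},
    {"DBInstanceIdentifier": "dev-db", "PubliclyAccessible": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0example2"}]},
]


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a range that admits any address."""
    return ip_network(cidr, strict=False).prefixlen == 0


def open_ingress_rules(groups):
    """Return (group id, protocol, (from, to), cidr) for every ingress rule
    that admits traffic from the whole internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            ports = (perm.get("FromPort"), perm.get("ToPort"))
            ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in ranges:
                if is_world_open(cidr):
                    findings.append((sg["GroupId"], proto, ports, cidr))
    return findings


def public_databases(instances, groups):
    """Return ids of DB instances that are flagged publicly accessible or
    are attached to a security group with a world-open ingress rule."""
    open_sgs = {gid for gid, *_ in open_ingress_rules(groups)}
    exposed = []
    for db in instances:
        attached = {g["VpcSecurityGroupId"]
                    for g in db.get("VpcSecurityGroups", [])}
        if db.get("PubliclyAccessible") or attached & open_sgs:
            exposed.append(db["DBInstanceIdentifier"])
    return exposed


if __name__ == "__main__":
    for finding in open_ingress_rules(SECURITY_GROUPS):
        print("world-open ingress:", finding)
    print("exposed databases:", public_databases(DB_INSTANCES, SECURITY_GROUPS))
```

Run as a script, the check reports both world-open rules of `sg-0example2` and lists `dev-db` as exposed, while `ldp-db` (private subnet, restricted group) passes. A DB instance that is not flagged public but sits behind a world-open group is still reported, because the table's "no direct external access" property depends on both settings.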
Encryption
All data is encrypted both at rest and in transit.
| Type | Scope | Method |
|---|---|---|
| Encryption at rest | EBS volumes, RDS databases, backups | AES-256 via AWS Key Management Service (KMS). Keys rotate automatically on an annual basis. |
| Encryption in transit | All connections | TLS 1.2 or higher. |
| Certificates | Web services, platform access | Let's Encrypt certificates, automatically renewed every 90 days. Custom certificates supported. |
Monitoring and threat detection
Lobster operates 24/7 monitoring across multiple layers using a combination of AWS-native services and specialized third-party tools.
| Service | Purpose |
|---|---|
| New Relic APM | Application performance monitoring, infrastructure monitoring |
| Arctic Wolf | 24/7 Security Operations Center (SOC) with continuous threat detection and response at the AWS account level. EU-based data centers. No customer data processed. |
| AWS GuardDuty | Continuous threat monitoring and anomaly detection across your AWS environment. |
| AWS Security Hub | Centralized security and compliance dashboard. |
| AWS CloudTrail | Complete audit logging of all API calls and administrative actions. |
| AWS Config | Continuous configuration review and compliance monitoring. |
| VPC Flow Logs | Network traffic monitoring and forensic analysis. |
| PagerDuty | Automated incident alerting and escalation. Triggers on-call team response. |
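CloudTrail's record of every API call is what makes configuration changes detectable as they happen, rather than only at the next audit. As an added example (not Lobster's or any listed vendor's detection content), the block below runs two detection rules over constructed CloudTrail records: an `AuthorizeSecurityGroupIngress` call that adds a world-open range, and a `ModifyDBInstance` call that sets `publiclyAccessible`. Both are administrative actions that would contradict the network model on this page and are the kind of event that should reach the on-call team through the alerting chain described here. The records are constructed in the shape of CloudTrail's EC2 and RDS events with placeholder principals and resource ids.

```python
"""Two detection rules over CloudTrail records: security group opened to the
internet, and database made publicly accessible.

Added example, not Lobster's code. CLOUDTRAIL_RECORDS is a constructed
sample in the shape of CloudTrail EC2/RDS events; principals and ids are
placeholders.
"""
from ipaddress import ip_network

# Constructed sample: two ingress changes (one benign) and one RDS change.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::000000000000:user/placeholder-a"},
     "requestParameters": {"groupId": "sg-0example2", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::000000000000:user/placeholder-a"},
     "requestParameters": {"groupId": "sg-0example1", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.20.0.0/16"}]}}]}}},
    {"eventTime": "2024-01-01T10:10:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::000000000000:user/placeholder-b"},
     "requestParameters": {"dBInstanceIdentifier": "ldp-db",
                           "publiclyAccessible": True}},
]


def world_open(cidr):
    """True for 0.0.0.0/0 or ::/0."""
    return ip_network(cidr, strict=False).prefixlen == 0


def alerts_for(record):
    """Return a list of alert dicts for one CloudTrail record."""
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    actor = record.get("userIdentity", {}).get("arn", "unknown")
    alerts = []
    if name == "AuthorizeSecurityGroupIngress":
        for perm in params.get("ipPermissions", {}).get("items", []):
            ranges = perm.get("ipRanges", {}).get("items", [])
            ranges += perm.get("ipv6Ranges", {}).get("items", [])
            for rng in ranges:
                cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
                if cidr and world_open(cidr):
                    alerts.append({
                        "time": record.get("eventTime"),
                        "rule": "world-open-ingress",
                        "actor": actor,
                        "resource": params.get("groupId"),
                        "detail": f"{perm.get('ipProtocol')} "
                                  f"{perm.get('fromPort')}-{perm.get('toPort')} "
                                  f"from {cidr}",
                    })
    elif name == "ModifyDBInstance" and params.get("publiclyAccessible"):
        alerts.append({
            "time": record.get("eventTime"),
            "rule": "db-made-public",
            "actor": actor,
            "resource": params.get("dBInstanceIdentifier"),
            "detail": "publiclyAccessible set to true",
        })
    return alerts


def scan(records):
    """Run both rules over a list of CloudTrail records."""
    return [alert for rec in records for alert in alerts_for(rec)]


if __name__ == "__main__":
    for alert in scan(CLOUDTRAIL_RECORDS):
        print(alert["time"], alert["rule"], alert["resource"],
              "by", alert["actor"], "-", alert["detail"])
```

Of the three sample records, the first and third produce alerts; the second (port 443 from a private range) is a normal change and stays silent. In production these rules would consume the `Records` array of the CloudTrail JSON files delivered to S3, or the equivalent EventBridge events, and hand each alert to the paging path.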
Incident response
Lobster follows a structured incident response process with defined timeframes.
| Phase | Timeframe | Action |
|---|---|---|
| Detection | Real-time | Anomalies detected automatically via New Relic, GuardDuty, and Arctic Wolf. |
| Alerting | Less than 7 minutes | PagerDuty triggers automatic notification to the on-call team. |
| On-call notification | Less than 15 minutes | The on-call engineer is notified via the PagerDuty escalation policy. |
| Customer notification | Less than 20 minutes | The customer is informed about the incident via PagerDuty. |
| Incident assessment | Less than 4 hours | The security team and Arctic Wolf SOC assess the severity and impact. |
| GDPR notification | Less than 72 hours | If required, the Data Protection Officer notifies the supervisory authority (GDPR Art. 33). |
| Post-incident review | Less than 7 days | Lessons learned documentation and process improvements. |
Mandatory Security Policies
The following security policies are binding for Lobster and apply without exception. They define both the conduct of employees and the organizational boundaries governing the operation of hosted customer systems.
| Policy | Exception |
|---|---|
| Customer data is never decrypted at any time. | None. |
| Customer data is not transferred to any other server or storage system. | Log data and configuration files may be copied for troubleshooting purposes, exclusively upon documented customer request or in the event of a verified incident. |
| Lobster employees do not have access to the web interface of the Lobster Data Platform. | Temporary access may be granted by the customer via support ticket. Access is strictly limited to the Support team. |
| Customer data is not disclosed to third parties. | Disclosure is permitted exclusively upon written customer request submitted via support ticket. |
| Deviations from the standardized system configuration are not permitted. | None. |
| Lobster does not install scripts, third-party software, or custom network configurations on hosted customer systems within the Lobster iPaaS environment. This applies regardless of customer requests. | No exceptions. Requests of this nature will be declined. |
Audit and compliance reviews
| Audit type | Frequency |
|---|---|
| Internal security audits | Quarterly |
| Penetration tests (external firm) | Annually |
| ISO 27001, ISO 27018, ISO 9001 certification audit | Annually |
| AWS compliance checks (Config, Security Hub, Arctic Wolf) | Continuous |
| IAM permission review and recertification | Quarterly |
| Performance audits | Monthly |
Employee training
All Lobster employees undergo mandatory security training to ensure consistent adherence to security policies.
| Training topic | Frequency |
|---|---|
| GDPR and data protection | Annually |
| IT security | Continuous |
| AWS security best practices | Every six months |
| Incident response procedures | Quarterly |
| Confidentiality obligation (Section 53 BDSG) | Upon hiring |
| Security awareness | Continuous |