Trust Center

Built for security reviews.
No back-and-forth required.

Encryption design, audit architecture, access controls, and compliance posture — all documented up front so your team can evaluate Lockzero without NDAs or long review cycles.

Everything here is what your auditor will ask for.

For evidence requests, SOC 2 reports, or DPA execution, email security@lockzero.io.

Independently Verified · 2026

Don’t take our word for it.

Every grade below is from a third-party scanner with public, re-runnable URLs. Click any card to verify our score yourself — right now.

A+
securityheaders.com
All 6 critical headers green — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, Referrer-Policy
Verify live →
A+
Mozilla HTTP Observatory
Score: 125/100 · Tests passed: 10/10
Verify live →
A+
Qualys SSL Labs
A+ on all 4 endpoints (IPv4 + IPv6) · TLS 1.3 · HSTS · CAA
Verify live →

Last verified 2026-05-18. Grades may evolve as we strengthen our infrastructure.

Observable Security · No Slides

Watch the attack fail.

Most vendors say “trust us, we’re secure.” We show you the attack happening, and the moment it dies. Real tools, real terminals, real targets.

Stolen credential → 401

Rotation kills the key

Attacker has a working key. We rotate. Their next request: 401 Invalid. Your app: still running.

Full reconnaissance

Empty recon

Real nmap. Real path probing. Real subdomain enum. Attacker comes up empty — by design.

Git history is forever

Real leak, real scanner

Gitleaks finds the planted key in 25 commits of history. With Lockzero, there’s nothing to find.

HTTP hardening

Live header check

Real curl against lockzero.io showing every security header in place. Verified independently above.

Cryptography

Encryption

At rest

  • AES-256-GCM for every stored credential
  • Envelope encryption: each secret has its own data encryption key (DEK) wrapped by an AWS KMS-managed master key
  • FIPS 140-2 validated cryptographic module (AWS KMS)
  • Per-secret nonces, never reused
  • Decrypted only in memory — never written to disk

In transit

  • TLS 1.2+ required on all endpoints (TLS 1.0 / 1.1 rejected)
  • HSTS enforced with preload + includeSubDomains
  • Cipher suite restricted to AEAD constructions (no CBC)
  • Certificate transparency monitoring on lockzero.io

Key management

  • Master key in AWS KMS (us-east-1, single-region)
  • Bootstrap secrets in AWS Secrets Manager (no plaintext on disk)
  • Automatic key rotation supported (expand → migrate → contract)
  • IAM-scoped key access — only the production EC2 instance role can call kms:Decrypt
  • CloudTrail audit on every KMS operation

Compliance tier (Enterprise)

  • Customer-owned KMS key (BYOK)
  • Per-workspace AWS Secrets Manager namespace
  • Dedicated CloudTrail audit feed
  • Controls aligned to FedRAMP Moderate requirements (Enterprise tier)

Auditability

Audit log architecture

Every action on every secret is permanently recorded with cryptographic integrity guarantees. We can prove what happened — and prove nobody changed the record after the fact.

Tamper-evident audit logs by default

Every event is chained with SHA-256. Any modification to any record breaks the chain. There is no way to alter history without detection.

Hash-chain integrity

  • Every audit row contains a SHA-256 hash of (event payload + previous row's hash)
  • Any retroactive modification breaks the chain — undetectable tampering is mathematically impossible
  • Daily verification job — alerts on any chain break
  • S3 WORM archive of yesterday's logs (Object Lock COMPLIANCE mode, immutable)

What's logged

  • Every secret view, edit, rotation, and deletion
  • Every authentication event (success, failure, MFA)
  • Every API key issuance and revocation
  • Every connector configuration change
  • Actor (user or API key), IP address, user agent, timestamp, result
  • SIEM webhook export available for external aggregation

Authentication &amp; Authorization

Access controls

  • 4-tier RBAC: Owner → Admin → Operator → Viewer
  • TOTP MFA with Argon2id-hashed backup codes
  • Re-authentication required to reveal sensitive credentials
  • 30-min session idle timeout (CMMC AC.L2-3.1.10)
  • 10 failed logins → 30-min account lockout (CMMC AC.L2-3.1.8)
  • 12-character password minimum + complexity (CMMC IA.L2-3.5.7)
  • Last 12 password hashes blocked from reuse (CMMC IA.L2-3.5.8)
  • HaveIBeenPwned breach check on every password change
  • Cross-tenant isolation: every query scoped by workspaceId from the JWT

API access

  • API keys formatted lz_<43 random chars> — stored as SHA-256 hash only, raw key shown to user once
  • Per-key namespace allowlist + last-used tracking
  • Honeypot keys auto-trigger honeypot_triggered alert on use
  • Rate limits: 240 req/min per IP (default), per-endpoint stricter where appropriate
  • OAuth 2.0 with PKCE for SDK / CLI flows
  • CSRF protection on all browser-session mutations

Compliance Posture

Where we are with each framework

We’re building toward the certifications enterprise buyers expect. Live status below.

Self-Attested ✓

CMMC Level 1

All 17 FAR 52.204-21 practices implemented. CMMC Level 2 key controls (IA, AC, SC families) also implemented.

In Progress

SOC 2 Type II

Continuous 6-month observation window underway. Trust Services Criteria mapped.

In Progress

HIPAA

BAA available on request. AWS BAA in place for underlying infrastructure.

Planned

ISO 27001

Targeting certification once SOC 2 lands. Same control overlap.

Planned

Annual Pen Test

Independent third-party penetration test. Results summarized in the SOC 2 package.

Roadmap

FedRAMP Moderate

For federal customers. Significant lift; pursued only with anchor customer commitment.

Full NIST 800-171 control implementation matrix → lockzero.io/compliance

Data Inventory

What data we store — and why

A complete itemized breakdown of every data category we collect, how long we keep it, and the legal basis. No surprises for your DPA review.

| Data category | What exactly | Retention | Basis |
|---|---|---|---|
| Account identity | Email address, display name, Auth0 user ID, profile picture URL | For the life of the account + 30 days after deletion | Contract (account provisioning) |
| Workspace settings | Workspace name, plan tier, billing interval, feature flags, SAML/SCIM configuration | For the life of the workspace + 30 days after deletion | Contract |
| Secret metadata | Secret name, description, namespace, tags, rotation schedule, last-rotated timestamp — NOT the secret value | Until explicitly deleted by the workspace | Contract |
| Encrypted secret values | AES-256-GCM ciphertext only — the decryption key is held in AWS KMS and is never stored alongside the ciphertext | Until explicitly deleted by the workspace | Contract |
| Audit log | Actor (user ID or API key hash), action, affected entity, IP address, user agent, timestamp, result — never secret values | 365 days (default) · up to 7 years on Enterprise | Legitimate interest · Legal obligation |
| API keys | SHA-256 hash of the key, scopes, creation timestamp, last-used timestamp — raw key shown once at creation and never stored | Until revoked, then 30 days for audit trail | Contract |
| Session data | JWT claims, session revocation flags — stored ephemerally in Redis with a 30-day TTL | 30 days (refresh token lifetime) | Contract |
| Billing & subscription | Stripe customer ID, subscription status, invoice history, usage counters — no raw card data (Stripe holds that)* | 7 years (legal / tax obligation) | Legal obligation · Contract |
| AI proxy metadata | Model name, token counts, latency, status code, connector used — NOT prompt or response content (unless Traffic Inspector is enabled) | 90 days | Legitimate interest (abuse prevention, spend accounting) |
| Traffic Inspector captures | Redacted prompt + response bodies, only when Traffic Inspector is explicitly enabled by an admin in your workspace | 7 days (hard cap) | Contract (explicit opt-in) |
| Support correspondence | Email content you send to security@lockzero.io or support@lockzero.io | 2 years | Legitimate interest (support continuity) |

* Stripe stores and processes your payment card data under their own PCI DSS compliance. Lockzero never sees raw card numbers. Audit logs are retained for 365 days by default; Enterprise plans may configure extended retention up to 7 years.

Data Guarantee

What we never store

These are hard architectural guarantees — not policy commitments. Each item is enforced by the code, not by a rule that an employee could bypass.

Secrets & credentials

  • No plaintext secrets at rest — every value is AES-256-GCM encrypted before any database write; the raw value is never persisted
  • No secrets in logs — all metadata is sanitized before every audit write; secret values are masked at every application layer
  • No secrets in client-side code — decryption happens server-side only, at proxy injection time; the browser never sees a raw credential
  • No secrets in analytics or support tickets — our tooling never receives plaintext credential values
  • No raw key material after injection — the decrypted value lives in memory only for the duration of the proxy request, then is discarded
  • No cross-region replication of secrets — data does not leave your chosen region without explicit Enterprise configuration

AI traffic & access

  • No AI prompt or response storage by default — proxied LLM request and response bodies are not stored unless you explicitly enable the Traffic Inspector feature
  • No engineer access to plaintext credentials — only the production EC2 instance role can call kms:Decrypt; every KMS call is independently logged in CloudTrail
  • No admin bypass of the audit trail — even an owner-role account cannot read, modify, or delete audit log entries; the hash chain makes tampering detectable
  • No third-party access to your secrets — subprocessors receive only what is necessary (e.g. AWS KMS receives wrapped encryption keys, not your credential values)
  • Honeypot keys alert immediately — any use of a canary API key triggers a critical alert, signaling a possible vault breach

Vendor Disclosure

Subprocessors

Third parties that may process Lockzero customer data. We list every one, including their certifications and what they have access to.

View full subprocessor list →

Data Residency

Data residency & isolation

  • Primary region: AWS us-east-1 (N. Virginia)
  • Database: Encrypted Postgres on AWS EBS gp3
  • Backups: AWS S3 same region, SSE-KMS, versioning + 90-day non-current retention + 365-day expiry
  • Audit archive: AWS S3 Object Lock (COMPLIANCE mode), 7-year retention
  • CDN: Cloudflare global edge (cache only — no customer secrets)
  • EU residency: Available on the Compliance tier (eu-central-1 deployment)
  • No cross-region replication of customer secrets — data does not leave the chosen region

Resilience

Backup & disaster recovery

  • RPO 24 hours — nightly encrypted pg_dump to S3 (SSE-KMS)
  • RTO 30 minutes — restore + smoke test runbook drilled quarterly
  • EBS snapshots hourly via AWS Backup, 30-day retention
  • Daily automated BackupVerification job — alerts on freshness gap > 25h
  • Tamper-evident audit log archived to S3 Object Lock (immutable, 7-year retention)
  • Cross-region replication available on the Compliance tier
  • Documented incident response runbook with role assignments
  • Customer notification within 24 hours of any confirmed incident

Incident Response

Incident response & disclosure

  • Detection: CloudWatch alarms (CPU, status check, KMS overrun, billing), SIEM webhook forwarding, daily audit chain integrity verifier, AI anomaly detector (volumetric, geographic, off-hours, reconnaissance patterns)
  • Response: documented playbook (docs/RUNBOOK.md) covering DB down, tunnel down, Redis OOM, audit tamper, suspected breach
  • Notification: affected customers contacted within 24 hours of confirmed incident
  • Disclosure: post-mortem published at lockzero.io/status
  • Forensics: state captured before remediation; CloudTrail provides 90-day audit of all AWS-side actions

Security disclosure program

Found a vulnerability? We respond within 48 hours and credit researchers in the security advisory.

security@lockzero.io

No bug bounty yet — but every report gets a response, an acknowledgement, and credit.
