Documentation Index

Fetch the complete documentation index at: https://docs.lobstersoftware.com/llms.txt

Use this file to discover all available pages before exploring further.

Data protection and privacy

Prev Next

This page describes how Lobster protects your data in the Lobster Cloud. It covers hosting locations, international data transfers under Schrems II, data sovereignty, customer data handling principles, and the allocation of responsibilities between Lobster and you as a customer.


Hosting locations

Aspect

Details

Available regions

Frankfurt (eu-central-1, Germany) and Zürich (eu-central-2, Switzerland). For details, see AWS regions and data residency.

Third-country transfer

Lobster does not transfer personal data to countries outside the EU, EEA, or Switzerland.

Switzerland adequacy

The European Commission has issued an adequacy decision for Switzerland. Data transfers between the EU and Switzerland are GDPR-compliant. The Swiss Federal Act on Data Protection (FADP) applies in addition.

You select your hosting region during Onboarding.

IMPORTANT

The region cannot be changed after provisioning.


International data transfers and Schrems II

Lobster does not transfer personal data to countries outside the EU, EEA, or Switzerland. All customer environments are hosted exclusively in the AWS Frankfurt region (eu-central-1) or the AWS Zürich region (eu-central-2). Your data residency is contractually enforced, and the region cannot be changed after provisioning.

However, AWS Europe is part of the corporate group of Amazon.com, Inc. (USA), which means that the U.S. CLOUD Act may potentially apply to European AWS entities. To address the requirements of the Schrems II ruling and the European Data Protection Board (EDPB) Recommendations 01/2020, Lobster has implemented the following measures:

Measure

Details

Standard Contractual Clauses (SCC)

Lobster has concluded the European Commission's Standard Contractual Clauses (Decision 2021/914) with AWS as part of the AWS Data Processing Addendum. The applicable modules cover the controller-to-processor and processor-to-subprocessor relationships.

Transfer Impact Assessment (TIA)

A documented TIA in line with Clause 14 of the SCC has been performed and is reviewed annually. The TIA is made available to you under NDA upon request. Please send requests to your Lobster contact or to (data protection contact e-mail).

Encryption at rest

All your data is encrypted with AES-256-GCM via AWS KMS. Keys are managed by Lobster within your dedicated AWS environment in Frankfurt or Zürich and never leave the selected region.

Encryption in transit

All connections use TLS 1.2 or higher. For details, see the Security overview.

Data minimization

Lobster does not process customer business data beyond what is technically required for platform operation. See the section "Customer data handling principles".

No decryption by Lobster

Lobster does not decrypt your business data. See the section "Customer data handling principles".

Transparency on government access

Lobster commits to challenge any disclosure request from public authorities where legally permissible and to inform affected customers without undue delay, to the extent permitted by applicable law.

Upon request, Lobster also provides the following data protection documentation: the Data Processing Agreement (DPA) under Article 28 GDPR, the list of sub-processors, and current certifications (ISO 27001, ISO 27018, ISO 9001).

For details on the encryption architecture and key management, see Security overview.


Data sovereignty

You retain full control and ownership of your data at all times. Lobster acts as a data processor under Article 28 GDPR. The following principles apply:

Principle

Details

Data ownership

Your data belongs to you. Lobster makes no claims to the data you collect or process using the software.

Data minimization

Lobster processes only the data strictly required to operate and monitor the platform. This data consists of system logs and operational metrics. It does not contain any of your business data.


Customer data handling principles

Lobster enforces strict rules for handling customer data within the cloud environment. These rules are binding for all Lobster employees.

Category

Rule

No decryption

Lobster does not decrypt your business data. This is established as a binding internal policy and is enforced through role-based access controls, full audit logging via AWS CloudTrail, and continuous monitoring by the Arctic Wolf Security Operations Center (SOC). Narrowly defined operational exceptions (incident response or your documented request) are documented in the Security overview.

No data copies

Lobster does not copy your business data to other servers or storage media. Log data and Configuration Files may be copied for troubleshooting purposes only, and only upon your documented request or in the event of a verified security incident. Such copies are deleted after the issue is resolved.

No data archiving

Lobster does not archive any data from your system that is not required for backup. For details on the backup process and retention periods, see Cloud backup details.

No system cloning

Lobster does not clone systems (servers or databases) to create new environments, for example a DEV system from a production copy.

No data synchronization

Lobster does not synchronize data between your servers and databases, for example between test and production systems.

No database dumps

Lobster does not create database dumps for the purpose of cloning databases.

Each system in your environment (production, test, DEV, DMZ) has its own software-based encryption integrated into the Lobster Data Platform. Data encrypted within one system cannot be transferred to another system without breaking the encryption. This architectural design ensures that your data remains within its intended encrypted environment.


Operational data

Lobster only retains operational data (system logs, metrics) required to operate, monitor, and secure the platform. Operational data does not contain any of your business data such as messages, files, or transaction payloads. The retention periods below apply exclusively to operational data.

Data type

Retention period

System logs

12 months (CloudWatch Logs retention policy).

Operational metrics

As required for monitoring and performance analysis.

NOTE

Some Lobster materials describe the platform's handling of customer business data as "Zero Data Retention". This refers to the fact that Lobster does not archive, copy, or otherwise retain customer business data beyond what the customer's own configuration specifies. The term does not apply to operational data such as system logs, which are retained for the periods documented above.


Shared responsibility

Area

Lobster's responsibility

Your responsibility

Infrastructure security

Entire AWS infrastructure, operating system, database, network, encryption, and monitoring.

Not applicable.

Data processing compliance

Technical and organizational measures (TOMs), processor obligations under Article 28 GDPR.

GDPR-compliant use of the platform, compliance with legal requirements (GDPR, BDSG, FADP, where applicable).

Data quality and content

Not applicable.

Full responsibility for the accuracy, completeness, and lawfulness of the processed data.

End-user access management

Not applicable.

User management within the Lobster Data Platform.

Data subject rights

Provision of technical tools and infrastructure.

Responding to data subject requests as the controller.


Third-party providers

Lobster uses the following third-party providers for infrastructure and monitoring. None of these providers process your business data.

Provider

Purpose

Data processing

Location

AWS

Cloud infrastructure (hosting).

Customer data (in full)

AWS regions and data residency. AWS Europe is part of the corporate group of Amazon.com, Inc. (USA). See section "International data transfers and Schrems II".

Arctic Wolf

24/7 Security Operations Center (SOC), threat detection.

Security logs and metrics only. No customer data.

EU data centers.

New Relic

Performance and infrastructure monitoring.

Metrics and logs only. No customer data.

EU data centers.

PagerDuty

Incident management and alerting.

Alerting data only. No customer data.

EU data centers.

All third-party providers operate under Data Processing Agreements (DPA) in accordance with Article 28 GDPR. A complete list of subprocessors is available upon request. Changes to sub-processors will be communicated to you with appropriate advance notice; you have the right to object to new sub-processors.