Documentation Index

Fetch the complete documentation index at: https://docs.lobstersoftware.com/llms.txt

Use this file to discover all available pages before exploring further.

Security overview

Prev Next

The Lobster Cloud operates a multi-layered security model that protects your environment at every level: from the physical data center infrastructure managed by AWS, through network segmentation and encryption managed by Lobster, to application-level security within the Lobster Data Platform. This page provides an overview of all security measures in place.


Infrastructure security

Each customer environment is fully isolated within its own dedicated AWS Virtual Private Cloud (VPC). There is no shared infrastructure between customers.

Measure

Implementation

Customer isolation

Each customer receives a dedicated VPC with separate subnets, Security Groups, and database instances.

Network segmentation

Public and private subnets across multiple Availability Zones. Database instances are placed in private subnets with no direct external access.

Firewall policy

Dedicated firewall rules per system component (LDP, DMZ, DEV). Incoming traffic is denied by default unless explicitly authorized.

VPC endpoints

AWS services are accessed via VPC endpoints without exposure to the public internet.


Encryption

All data is encrypted both at rest and in transit.

Type

Scope

Method

Encryption at rest

EBS volumes, RDS databases, backups

AES-256-GCM via AWS Key Management Service (KMS). Key material is rotated automatically on an annual basis.

Encryption in transit

All connections

TLS 1.3 by default. TLS 1.2 is used only where required for client compatibility. TLS 1.0 and TLS 1.1 are disabled.

SSL/TLS certificates

Web services, platform access

Domain-validated (DV) certificates from Let's Encrypt by default, automatically renewed every 90 days. Customer-provided certificates of any validation class (DV, OV, EV) are supported on request.

Key Management Service (KMS)

All your data at rest (EBS volumes, RDS databases, backups) is encrypted using AES-256-GCM. Key material is rotated annually by AWS KMS. Note: KMS annual rotation rotates the underlying key material; previously encrypted data continues to be decryptable using prior key versions, in line with AWS KMS standard behaviour.

Keys are created and managed by Lobster within your dedicated AWS environment, located either in the AWS Frankfurt region (eu-central-1) or the AWS Zürich region (eu-central-2). KMS keys never leave the selected region.

Access boundaries

Layer

Lobster access

Your access

Lobster Data Platform (web UI, application)

None by default. Temporary support access only upon your documented request via support ticket.

Full, via configured user accounts.

AWS infrastructure (KMS, EBS, RDS, EC2, VPC)

Operational access is required for platform operation, maintenance, and incident response. All access is role-based, logged via AWS CloudTrail, and continuously monitored by the Arctic Wolf SOC.

None.

This separation means that Lobster does not have access to your application data through the user-facing platform, but does have the technical means to operate the underlying infrastructure. Decryption of your business data outside documented operational and incident-response scenarios is prohibited by binding internal policy (see "Mandatory security policies" section below).

Bring Your Own Key (BYOK)

Bring Your Own Key (BYOK) is not supported in the Lobster Cloud and is not part of the service offering. This applies without exception. BYOK is not available as a paid option, project-specific arrangement, or planned roadmap item.

As a managed iPaaS service, Lobster requires uninterrupted, controlled access to all AWS services within your environment at all times to guarantee operations, maintenance, incident response, and 24/7 support. An externally held key would interrupt this access and is therefore architecturally incompatible with the Lobster Cloud service model.

All encryption keys are created and managed by Lobster within your dedicated AWS environment in Frankfurt or Zürich, using AWS KMS. This setup is mandatory for all customers.


Monitoring and threat detection

Lobster operates 24/7 monitoring across multiple layers, using a combination of AWS-native services and specialized third-party tools.

Service

Purpose

New Relic APM

Application performance monitoring, infrastructure monitoring

Arctic Wolf

24/7 Security Operations Center (SOC) with continuous threat detection and response at the AWS account level. EU data centers. No customer data is processed.

AWS GuardDuty

Continuous threat monitoring and anomaly detection across your AWS environment.

AWS Security Hub

Centralized security and compliance dashboard.

AWS CloudTrail

Complete audit logging of all API calls and administrative actions.

AWS Config

Continuous configuration review and compliance monitoring.

VPC Flow Logs

Network traffic monitoring and forensic analysis.

PagerDuty

Automated incident alerting and escalation. Triggers the on-call team response.


Incident response

Lobster follows a structured incident response process with defined timeframes.

Phase

Timeframe

Action

Detection

Real-time

Anomalies are detected automatically via New Relic, GuardDuty, and Arctic Wolf.

Alerting

Less than 7 minutes

PagerDuty triggers automatic notification of the on-call team.

On-call notification

Less than 15 minutes

The on-call engineer is notified via the PagerDuty escalation policy.

Customer notification

Less than 20 minutes

You are informed about the incident via PagerDuty.

Incident assessment

Less than 4 hours

The security team and the Arctic Wolf SOC assess the severity and impact.

GDPR notification

Less than 72 hours

If required, the Data Protection Officer notifies the supervisory authority (Article 33 GDPR).

Post-incident review

Less than 7 days

Lessons-learned documentation and process improvements.


Mandatory security policies

The following security policies are binding for Lobster and apply without exception. They define both the conduct of employees and the organizational boundaries governing the operation of hosted customer systems.

Policy

Exception

Your business data is not decrypted by Lobster outside explicitly documented operational or incident-response scenarios.

Decryption is permitted only (a) where technically required for incident response in coordination with you, or (b) upon your documented request via support ticket. All such events are logged via AWS CloudTrail and reviewed.

Your data is not transferred to any other server or storage system.

Log data and Configuration Files may be copied for troubleshooting purposes only and only upon your documented request or in the event of a verified security incident.

Lobster employees do not have access to the web interface of the Lobster Data Platform.

You may grant temporary access via support ticket. Access is strictly limited to the Support team.

Your data is not disclosed to third parties.

Disclosure is permitted exclusively upon your written request submitted via support ticket.

Deviations from the standardized system configuration are not permitted.

None.

Lobster does not install scripts, third-party software, or custom network configurations on hosted customer systems within the Lobster iPaaS environment. This applies regardless of customer requests.

No exceptions. Requests of this nature will be declined.


Audits and compliance reviews

Audit type

Frequency

Internal security audits

Quarterly

Penetration tests (external firm)

Annually

ISO 27001, ISO 27018, and ISO 9001 certification audits

Annually

AWS compliance checks (Config, Security Hub, Arctic Wolf)

Continuous

IAM permission review and recertification

Quarterly

Performance audits

Monthly


Employee training

All Lobster employees undergo mandatory security training to ensure consistent adherence to security policies.

Training topic

Frequency

GDPR and data protection

Annually

IT security

Continuous

AWS security best practices

Every six months

Incident response procedures

Quarterly

Confidentiality obligation (Section 53 BDSG)

Upon hiring

Security awareness

Continuous