The Lobster Cloud operates a multi-layered security model that protects your environment at every level: from the physical data center infrastructure managed by AWS, through network segmentation and encryption managed by Lobster, to application-level security within the Lobster Data Platform. This page provides an overview of all security measures in place.
Infrastructure security
Each customer environment is fully isolated within its own dedicated AWS Virtual Private Cloud (VPC). There is no shared infrastructure between customers.
Measure | Implementation |
|---|---|
Customer isolation | Each customer receives a dedicated VPC with separate subnets, Security Groups, and database instances. |
Network segmentation | Public and private subnets across multiple Availability Zones. Database instances are placed in private subnets with no direct external access. |
Dedicated firewall rules per system component (LDP, DMZ, DEV). Incoming traffic is denied by default unless explicitly authorized. | |
VPC endpoints | AWS services are accessed via VPC endpoints without exposure to the public internet. |
Encryption
All data is encrypted both at rest and in transit.
Type | Scope | Method |
|---|---|---|
Encryption at rest | EBS volumes, RDS databases, backups | AES-256-GCM via AWS Key Management Service (KMS). Key material is rotated automatically on an annual basis. |
Encryption in transit | All connections | TLS 1.3 by default. TLS 1.2 is used only where required for client compatibility. TLS 1.0 and TLS 1.1 are disabled. |
Web services, platform access | Domain-validated (DV) certificates from Let's Encrypt by default, automatically renewed every 90 days. Customer-provided certificates of any validation class (DV, OV, EV) are supported on request. |
Key Management Service (KMS)
All your data at rest (EBS volumes, RDS databases, backups) is encrypted using AES-256-GCM. Key material is rotated annually by AWS KMS. Note: KMS annual rotation rotates the underlying key material; previously encrypted data continues to be decryptable using prior key versions, in line with AWS KMS standard behaviour.
Keys are created and managed by Lobster within your dedicated AWS environment, located either in the AWS Frankfurt region (eu-central-1) or the AWS Zürich region (eu-central-2). KMS keys never leave the selected region.
Access boundaries
Layer | Lobster access | Your access |
|---|---|---|
Lobster Data Platform (web UI, application) | None by default. Temporary support access only upon your documented request via support ticket. | Full, via configured user accounts. |
AWS infrastructure (KMS, EBS, RDS, EC2, VPC) | Operational access is required for platform operation, maintenance, and incident response. All access is role-based, logged via AWS CloudTrail, and continuously monitored by the Arctic Wolf SOC. | None. |
This separation means that Lobster does not have access to your application data through the user-facing platform, but does have the technical means to operate the underlying infrastructure. Decryption of your business data outside documented operational and incident-response scenarios is prohibited by binding internal policy (see "Mandatory security policies" section below).
Bring Your Own Key (BYOK)
Bring Your Own Key (BYOK) is not supported in the Lobster Cloud and is not part of the service offering. This applies without exception. BYOK is not available as a paid option, project-specific arrangement, or planned roadmap item.
As a managed iPaaS service, Lobster requires uninterrupted, controlled access to all AWS services within your environment at all times to guarantee operations, maintenance, incident response, and 24/7 support. An externally held key would interrupt this access and is therefore architecturally incompatible with the Lobster Cloud service model.
All encryption keys are created and managed by Lobster within your dedicated AWS environment in Frankfurt or Zürich, using AWS KMS. This setup is mandatory for all customers.
Monitoring and threat detection
Lobster operates 24/7 monitoring across multiple layers, using a combination of AWS-native services and specialized third-party tools.
Service | Purpose |
|---|---|
New Relic APM | Application performance monitoring, infrastructure monitoring |
Arctic Wolf | 24/7 Security Operations Center (SOC) with continuous threat detection and response at the AWS account level. EU data centers. No customer data is processed. |
AWS GuardDuty | Continuous threat monitoring and anomaly detection across your AWS environment. |
AWS Security Hub | Centralized security and compliance dashboard. |
AWS CloudTrail | Complete audit logging of all API calls and administrative actions. |
AWS Config | Continuous configuration review and compliance monitoring. |
VPC Flow Logs | Network traffic monitoring and forensic analysis. |
PagerDuty | Automated incident alerting and escalation. Triggers the on-call team response. |
Incident response
Lobster follows a structured incident response process with defined timeframes.
Phase | Timeframe | Action |
|---|---|---|
Detection | Real-time | Anomalies are detected automatically via New Relic, GuardDuty, and Arctic Wolf. |
Alerting | Less than 7 minutes | PagerDuty triggers automatic notification of the on-call team. |
On-call notification | Less than 15 minutes | The on-call engineer is notified via the PagerDuty escalation policy. |
Customer notification | Less than 20 minutes | You are informed about the incident via PagerDuty. |
Incident assessment | Less than 4 hours | The security team and the Arctic Wolf SOC assess the severity and impact. |
GDPR notification | Less than 72 hours | If required, the Data Protection Officer notifies the supervisory authority (Article 33 GDPR). |
Post-incident review | Less than 7 days | Lessons-learned documentation and process improvements. |
Mandatory security policies
The following security policies are binding for Lobster and apply without exception. They define both the conduct of employees and the organizational boundaries governing the operation of hosted customer systems.
Policy | Exception |
|---|---|
Your business data is not decrypted by Lobster outside explicitly documented operational or incident-response scenarios. | Decryption is permitted only (a) where technically required for incident response in coordination with you, or (b) upon your documented request via support ticket. All such events are logged via AWS CloudTrail and reviewed. |
Your data is not transferred to any other server or storage system. | Log data and Configuration Files may be copied for troubleshooting purposes only and only upon your documented request or in the event of a verified security incident. |
Lobster employees do not have access to the web interface of the Lobster Data Platform. | You may grant temporary access via support ticket. Access is strictly limited to the Support team. |
Your data is not disclosed to third parties. | Disclosure is permitted exclusively upon your written request submitted via support ticket. |
Deviations from the standardized system configuration are not permitted. | None. |
Lobster does not install scripts, third-party software, or custom network configurations on hosted customer systems within the Lobster iPaaS environment. This applies regardless of customer requests. | No exceptions. Requests of this nature will be declined. |
Audits and compliance reviews
Audit type | Frequency |
|---|---|
Internal security audits | Quarterly |
Penetration tests (external firm) | Annually |
ISO 27001, ISO 27018, and ISO 9001 certification audits | Annually |
AWS compliance checks (Config, Security Hub, Arctic Wolf) | Continuous |
IAM permission review and recertification | Quarterly |
Performance audits | Monthly |
Employee training
All Lobster employees undergo mandatory security training to ensure consistent adherence to security policies.
Training topic | Frequency |
|---|---|
GDPR and data protection | Annually |
IT security | Continuous |
AWS security best practices | Every six months |
Incident response procedures | Quarterly |
Confidentiality obligation (Section 53 BDSG) | Upon hiring |
Security awareness | Continuous |