Security at Lemma
We protect your data, your skills evidence, and your trust in the platform. Here is exactly how.
Infrastructure
We chose providers with strong security track records and compliance certifications.
Neon PostgreSQL
All critical data lives in Neon's managed PostgreSQL. Automatic backups, point-in-time recovery, and connection pooling ensure resilience and performance.
Vercel edge delivery
The Lemma web application is served from Vercel's global edge network with automatic TLS, DDoS mitigation, and zero-downtime deployments.
Cloudflare protection
All traffic passes through Cloudflare for DDoS protection, WAF rules, and R2 object storage. Your uploads are geo-distributed and encrypted at rest.
Railway backend
The API server runs on Railway with persistent processes, keeping WebSocket connections and background workers alive – no cold starts in the critical path.
Neon branch isolation
Development and staging use separate Neon database branches. Production data is strictly isolated and never accessible from lower environments.
Continuous monitoring
Sentry captures all runtime errors and performance anomalies. PostHog provides privacy-respecting analytics with no advertising profiles ever created.
Encryption
Data is encrypted in transit and at rest. No exceptions.
In transit
- All HTTP traffic is served over TLS 1.2 or higher
- HSTS headers prevent protocol downgrade attacks
- WebSocket connections use WSS (TLS-encrypted)
- API keys are transmitted only over encrypted channels
At rest
- Database volumes are encrypted using AES-256
- S3/R2 object storage uses server-side encryption
- Backups are encrypted independently from primary storage
- Session tokens are hashed before storage – never stored in plaintext
Access controls
Principle of least privilege
Every service account and database user is granted only the permissions needed for its specific role. No shared admin credentials exist in the system.
Firebase authentication
User identity is managed by Firebase Auth. We never store passwords. Tokens are short-lived and rotated automatically.
API key scoping
Developer API keys carry explicit permission scopes. A verify-only key cannot send assessments. Keys can be revoked instantly from the dashboard.
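The two controls described above (tokens hashed before storage, and scoped keys where a verify-only key cannot send assessments) fit together in one pattern: the plaintext key is handed to the developer once, only its hash is persisted, and every request is checked against the scopes attached to that hash. The following is an added illustration of that pattern, not Lemma's own code; the key prefix, scope names and in-memory store are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class ApiKeyRecord:
    """What the server persists: the hash, the granted scopes, and a revocation flag."""
    key_hash: str
    scopes: frozenset
    revoked: bool = False


class ApiKeyStore:
    """Constructed in-memory stand-in for a database table of API keys.

    Keys are high-entropy random strings, so a plain SHA-256 is an appropriate
    storage hash (slow password hashes are for low-entropy user passwords).
    The plaintext key never appears in the store.
    """

    def __init__(self):
        self._records = {}  # key_hash -> ApiKeyRecord

    @staticmethod
    def _hash(key: str) -> str:
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, scopes) -> str:
        """Create a key with the given scopes; returns the plaintext exactly once."""
        key = "lm_" + secrets.token_urlsafe(32)  # "lm_" prefix is assumed
        key_hash = self._hash(key)
        self._records[key_hash] = ApiKeyRecord(key_hash, frozenset(scopes))
        return key

    def revoke(self, key: str) -> bool:
        """Revoke by plaintext key; returns False if the key is unknown."""
        record = self._records.get(self._hash(key))
        if record is None:
            return False
        record.revoked = True
        return True

    def authorize(self, key: str, required_scope: str) -> bool:
        """True only if the key exists, is not revoked, and carries the scope."""
        record = self._records.get(self._hash(key))
        if record is None or record.revoked:
            return False
        return required_scope in record.scopes

    def stores_plaintext(self, key: str) -> bool:
        """Diagnostic: confirm the plaintext key is not persisted anywhere."""
        return any(key in (r.key_hash,) for r in self._records.values())


if __name__ == "__main__":
    store = ApiKeyStore()
    verify_only = store.issue(["verify"])
    print("verify:", store.authorize(verify_only, "verify"))
    print("send:", store.authorize(verify_only, "send_assessment"))
    store.revoke(verify_only)
    print("after revoke:", store.authorize(verify_only, "verify"))
```

A request handler calls `authorize(key, scope)` with the scope the endpoint needs; a lookup failure, a revoked key and a missing scope all yield the same negative result, so the response does not reveal which check failed.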
Internal admin routes
Administrative endpoints require an additional internal authorization layer beyond standard authentication. No public endpoint exposes admin capabilities.
Incident response
We have a defined playbook for security incidents. Speed and transparency are our priorities.
Detection
Sentry alerts and structured log monitoring detect anomalies in real time. On-call rotations ensure coverage 24/7.
Containment
Affected systems are isolated immediately. Compromised keys or tokens are revoked. Traffic is rerouted as needed.
Notification
Affected users are notified within 72 hours of confirmed incidents, consistent with GDPR obligations.
Post-mortem
All incidents result in a written post-mortem with root cause analysis and concrete remediation items.
Bug bounty
We welcome responsible disclosure of security vulnerabilities. If you find a security issue, please contact us at security@getlemma.io before publishing. We will acknowledge your report within 48 hours and aim to remediate critical issues within 7 days.
A formal bug bounty program with defined scopes and rewards is on our roadmap for Q3 2026.
SOC 2 roadmap
SOC 2 Type II audit is planned for 2026. We are actively building the controls, documentation, and monitoring infrastructure required for certification.
Enterprise customers can request our current security documentation package, including infrastructure diagrams, data flow maps, and internal policy documents.
Security contact
For vulnerability reports, security questions, or enterprise security reviews, reach us at security@getlemma.io. For general data privacy inquiries, use privacy@getlemma.io.
Start proving what you know.
Early access is rolling out for individuals and teams. No credit card, no PDFs – just the things you made, made visible.