Security
Your data is safe with us.
Security is not a feature we bolt on. It is a constraint we design around from the first line of code.
SOC 2 Type II: in progress
GDPR compliant: EU data rights
AES-256: encryption at rest
99.9% uptime: SLA guaranteed
Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Database connections require SSL certificates. Backup snapshots are encrypted with separate keys rotated quarterly.
Session video streams use end-to-end encrypted WebRTC channels via LiveKit. We never store raw video on our servers. Temporary processing buffers are wiped within 60 seconds.
Authentication
Lemma uses Firebase Authentication with support for email/password, Google, and Apple sign-in. Sessions are managed through secure, HTTP-only cookies with strict SameSite policies.
API access for developer integrations uses scoped bearer tokens with configurable expiry. Tokens can be revoked instantly from the dashboard. All authentication events are logged with full audit trails.
Infrastructure
Our application runs on Vercel (frontend) and Railway (backend) with automatic failover and geographic distribution. PostgreSQL is hosted on Neon with point-in-time recovery and daily automated backups.
Static assets are served through Cloudflare CDN with DDoS protection and Web Application Firewall rules. All infrastructure configuration is managed through code and reviewed before deployment.
Compliance
Lemma is GDPR compliant. You can export or delete all your data at any time from your account settings. We process data under legitimate interest for core functionality and explicit consent for optional features.
We are working toward SOC 2 Type II certification. Our security controls, access policies, and incident response procedures are documented and regularly reviewed.
Incident Response
We maintain a documented incident response plan with defined severity levels, escalation paths, and communication protocols. Critical incidents trigger alerts within 5 minutes.
Post-incident reviews are conducted within 48 hours. Root cause analysis and remediation steps are documented internally. If user data is affected, we notify impacted users within 72 hours as required by GDPR.
Report a vulnerability
If you discover a security issue, please email security@getlemma.io. We respond to all reports within 24 hours and do not pursue legal action against good-faith researchers.
Practices
Built-in security at every layer
Security is not an afterthought. These practices are wired into our development lifecycle, infrastructure, and operations.
End-to-end encryption
TLS 1.3 in transit, AES-256 at rest. Session video uses encrypted WebRTC via LiveKit.
Scoped API tokens
Developer tokens are scoped per-permission and expire automatically. Instant revocation from the dashboard.
Immutable audit logs
Every evidence event, authentication attempt, and data access is logged immutably with timestamps.
GDPR by default
Data export and deletion are available in account settings. Processing is under legitimate interest, with explicit consent for optional features.
Automated backups
Point-in-time recovery on PostgreSQL with daily snapshots. Backup encryption uses separately rotated keys.
Responsible disclosure
We respond to security reports within 24 hours. No legal action against good-faith researchers.
Security FAQ
Application data is stored in Neon PostgreSQL with region-specific hosting options. Static assets are served through Cloudflare CDN. We do not store raw video recordings.