Lobby Security and Privacy

July 7th, 2021

Lobby respects the privacy of hosts and guests and makes all efforts to keep their information secure. This document explains at the high level how we approach this. Additional information is available to clients under an NDA.

Security and Privacy by Design

We incorporate security concerns at the design phase and build our systems from the ground up to ensure that hosts’ and guests’ information stays safe.

  1. Minimal collection: We only collect information that we truly need to deliver the service and to improve our product. In particular, we do not collect any data for the purpose of selling it to other parties.
  2. Automatic deletion: We delete data automatically when we no longer need it. In particular, unless the host enables collection of contact info or advanced analytics, raw guest data is deleted or crypto-shredded within 48 hours.
  3. Zero-trust architecture: We follow the principles of “zero-trust” architecture, treating all data access requests as coming from untrusted parties until identity and permissions are established through authentication and authorization.
  4. Fully-managed cloud systems: Whenever possible, we use fully managed cloud systems offered by carefully vetted cloud providers to store and process data. This helps minimize the security risks due to unpatched servers or outdated configurations. We choose these providers very carefully and catalog what data we share with each of them. (The catalog is available under an NDA.)
  5. Anonymization and encryption: We rely on anonymization and encryption to ensure that our partners’ systems do not have access to any private data except in cases where they actually need that data to perform their function. (E.g., our payment provider has access to clients’ credit card info, as it needs it to effect billing, but we do not show this data to any other 3rd-party systems.) We also have a system in place to limit the risk of incidental logging of private data.

Privacy of Audio and Video

Securing participants’ audio and video information is paramount, so we make sure that this data is only available to event participants.

  1. Industry-leading providers: We rely on industry-leading providers (Twilio and Agora) to deliver audio and video directly between participants. This data does not pass through Lobby’s own systems.
  2. Data encrypted in transit: Audio and video data is always encrypted in transit, protecting it from eavesdropping.
  3. Audio and video are never stored: Audio and video can never be accessed after the fact because they are never stored.

The bottom line is that one needs to be in the event to hear and see other participants, and can only do this in real time.

Modern Software Architecture

We rely on a modern “serverless” software architecture to avoid common security pitfalls. While serverless systems still need to be secured, a simpler architecture makes this job much easier.

  1. No servers managed by Lobby: We do not have servers that could harbor malware.
  2. No SQL in production: We do not rely in production on SQL databases that one could attack with SQL injection. If we ever introduce them, we are well aware of the methods to prevent SQL injection attacks.
  3. Zero-trust: Different components of our system follow a “zero-trust” paradigm expecting explicit authentication from any other component that wants to talk to them.

Modern Software Development Processes

We follow modern software development practices that improve security.

  1. Security-as-code: Everyone is responsible for security, with the development team playing the most important role, aiming to ensure that security concerns are factored in at the very beginning of the development process. Among other things, this means that all of our developers are trained on security.
  2. Frequent deployments: We release a new version of Lobby every few days or as needed, so we can quickly fix any security issues that may be identified.
  3. Code reviews: All code goes through peer review before being merged.
  4. Incident response process and post-mortems: We have an incident response process, which includes post-mortems and five-whys analysis for any production or security incidents.
  5. Vulnerability checks: We check our dependencies for vulnerabilities on a regular basis.

Organization-Wide Processes

We have a strong set of internal security and privacy policies that we follow closely, which are available for client review under NDA.

  1. Strong authentication: Access to all of our systems relies on authentication with strong passwords and MFA. Passwords are never shared.
  2. Security awareness: We make sure that our staff has been trained on security at least to the extent that is required for their role and keep security as a focus for everyone.
  3. Quarterly risk analysis: We review our security posture at the level of the executive team on a quarterly basis.
  4. 3rd party systems catalog: We maintain a catalog of the systems we share data with. New systems are reviewed and cataloged before use.
  5. Laptop and mobile device policy: We have a policy for securing data on laptops and other mobile devices.

GDPR

We aim to offer a GDPR-compatible level of protection to all clients, regardless of where they are situated.

  1. DPAs with subprocessors: We have DPAs or equivalent terms of service in place with subprocessors that receive personal data from us.
  2. Lobby DPA for our clients: We are ready to sign a DPA with clients that need this.
  3. Data residence: Account data is stored in the United States and Canada by default but can be set up to reside in Europe for clients that need that.