Enterprise-grade security.
From day one.
LotKeeper is built on AWS with VPC isolation, encryption at every layer, and architecture designed for SOC 2 Type II certification. Your financial data and resident information are protected by the same infrastructure trusted by the largest companies in the world.
SOC 2 Type II: Architecture ready, observation period planned
- ECS Fargate containers with no OS to patch and no SSH access. The attack surface is the application, not the host.
- CloudFront CDN with AWS WAF v2: managed rulesets for SQL injection, known bad inputs, and bot detection.
- Multi-AZ deployment across two AWS availability zones for automatic failover.
- Internal Application Load Balancer. All traffic routes through CloudFront and WAF before reaching the application.
- Distroless container images: no shell, no package manager, no unnecessary binaries.
- All connections encrypted in transit: database (force_ssl), cache (Redis TLS), API, and object storage.
- AWS KMS Customer Managed Keys for encryption at rest across Aurora, S3, ElastiCache, and EBS.
- Application-layer encryption for sensitive PII (SSN, bank account numbers) using AWS Encryption SDK. Even database administrators cannot read these fields.
- S3 bucket policies deny unencrypted uploads. Versioning enabled on all buckets.
- No plaintext credentials anywhere in production. All secrets stored in AWS Secrets Manager with 30-day automatic rotation.
- 50+ granular permissions enforced through application-layer RBAC on every API route and server action.
- PostgreSQL Row-Level Security provides a second, independent enforcement layer at the database. Even if application code has a bug, the database blocks unauthorized access.
- IAM Identity Center with MFA enforced for all infrastructure access. No long-lived access keys.
- 30-minute idle session timeout and 8-hour absolute timeout for application users.
- Break-glass access to production requires a hardware MFA token stored in a physical safe.
- Security group chain: ALB accepts traffic from CloudFront IP ranges only. Application containers accept traffic from the ALB only. Database and cache accept traffic from application containers only.
- All egress routes through NAT Gateway. No resource has a public IP address.
- WAF rate limiting: 2,000 requests per 5 minutes globally, 100 requests per 5 minutes on authentication endpoints.
- VPC Flow Logs enabled for network traffic analysis and threat detection.
- AWS CloudTrail records every API call with 1-year retention in encrypted S3 storage.
- AWS GuardDuty provides continuous threat detection across VPC flow logs, DNS queries, and CloudTrail events.
- AWS Security Hub scores the environment against the CIS Foundations Benchmark continuously.
- Immutable application-level audit log tracks every financial transaction through a double-entry ledger. No record can be modified or deleted.
- Architecture designed for SOC 2 Type II certification. Compliance automation tooling (Vanta or Drata) planned for the observation period.
- Semgrep SAST runs Next.js and TypeScript rulesets on every pull request.
- npm audit blocks merges on high-severity dependency vulnerabilities.
- TruffleHog scans for verified secrets in code. No credentials reach the repository.
- Trivy scans container images. CRITICAL and HIGH CVEs block deployment to production.
- Blue/green deployments via AWS CodeDeploy with automatic rollback if health checks fail within a 5-minute bake period.
- All infrastructure managed through Terraform with reviewed pull request diffs. No manual changes to production.
- Aurora PostgreSQL point-in-time recovery with 35-day backup retention.
- ECS tasks distributed across two availability zones with automatic failover and redeployment.
- Cross-region S3 replication from us-east-1 to us-west-2 for document and file storage.
- Automated backups verified regularly. Recovery procedures documented and tested.
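An added example of the PostgreSQL Row-Level Security layer described in the list above (this is illustrative code, not LotKeeper's own schema; the table, column, role and session-setting names are assumptions): a tenant-isolation policy that limits every query to the caller's organization even when the application forgets its own WHERE clause.

```sql
-- Hypothetical schema: one ledger table shared by many organizations.
-- The application connects as a non-owner role, because table owners,
-- superusers and BYPASSRLS roles are exempt from RLS.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE ledger_entries (
    id               bigserial PRIMARY KEY,
    organization_id  uuid   NOT NULL,
    amount_cents     bigint NOT NULL,
    memo             text
);
GRANT SELECT, INSERT ON ledger_entries TO app_user;
GRANT USAGE ON SEQUENCE ledger_entries_id_seq TO app_user;

-- Turn RLS on and FORCE it so the policy also binds the table owner.
-- With RLS enabled and no matching policy, the default is deny-all.
ALTER TABLE ledger_entries ENABLE ROW LEVEL SECURITY;
ALTER TABLE ledger_entries FORCE ROW LEVEL SECURITY;

-- The tenant comes from a per-transaction setting (assumed name
-- app.organization_id). current_setting(..., true) yields NULL when the
-- setting is absent, and NULLIF maps an empty value to NULL as well, so a
-- request that never established a tenant matches no rows at all rather
-- than erroring out or, worse, seeing everything.
CREATE POLICY tenant_isolation ON ledger_entries
    FOR ALL TO app_user
    USING (
        organization_id =
            NULLIF(current_setting('app.organization_id', true), '')::uuid
    )
    WITH CHECK (
        organization_id =
            NULLIF(current_setting('app.organization_id', true), '')::uuid
    );

-- Per-request usage, inside the request's transaction. SET LOCAL is
-- discarded at COMMIT/ROLLBACK, so a pooled connection cannot leak the
-- tenant into the next request.
--   BEGIN;
--   SET LOCAL ROLE app_user;
--   SET LOCAL app.organization_id = '<uuid from the authenticated session>';
--   SELECT id, amount_cents FROM ledger_entries;      -- this tenant only
--   INSERT INTO ledger_entries (organization_id, amount_cents, memo)
--       VALUES ('<some other tenant uuid>', 100, 'x');   -- rejected by WITH CHECK
--   COMMIT;
```

Because the filter lives in the database, an application bug that omits the tenant condition returns an empty result rather than another customer's records, which is the "second, independent enforcement layer" the list refers to.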
Subprocessors
Third-party services that process data on behalf of LotKeeper.
- Infrastructure, compute, storage: SOC 2, ISO 27001, FedRAMP
- Payment processing: PCI DSS Level 1
- Authentication: SOC 2 Type II
- Background job scheduling: SOC 2
- AI assistant: SOC 2
- SMS/voice communications: SOC 2
- Transactional email: —
- eSignature: SOC 2
Have a security question?
We are happy to walk through our security architecture, provide documentation for procurement reviews, or answer specific questions from your security team.