Privacy
At LambdaTest, we deeply value our user's privacy. We will put our best foot forward to protect and defend it. We truly believe in being transparent with our users so that both people and organizations can control their data and have the freedom to decide how their data can be used. We will empower and strongly defend the privacy choices of every customer who uses our platform.
In this period of rapid technological and regulatory change, it has never been more important to take a considered approach to protect personal data. From the European General Data Protection Regulation (GDPR) to new US state laws like the California Consumer Privacy Act (CCPA), we know how much effort it takes to assess and manage privacy risks. That’s why LambdaTest builds its products & services with an eye toward minimizing that effort for our customers.
Our Cloud Testing Platforms provide industry-leading functionality with a minimal collection of personal data and an emphasis on security. Privacy and security considerations are baked directly into our product development process so customers can focus on things that matter the most,i.e. their tests.
Overview
LambdaTest prioritizes customer trust. We know that the security and integrity of customer data are important to our customers’ values and operations.
LambdaTest’s Commitment to Privacy & Data Protection
We're committed to protecting and honoring your privacy and rights through our product, infrastructure, and data governance practices.
We have a comprehensive global privacy and data protection compliance program that aligns our practices with regulations such as the General Data Protection Regulation, California Consumer Privacy Act, and other applicable privacy and data protection laws/acts, which take a unified approach to privacy and information governance to give Customers. LambdaTest helps customers maintain control of their privacy and data security in a myriad of ways:
- Product Security
- Cloud Security
- Data Security
- Application Security
Authentication Options
LambdaTest has several different authentication options: users can enable LambdaTest platform authentication, integrating in test scripts, integrating with GitHub, etc. And, also Single sign-on (SSO), and/or Enterprise SSO (SAML,) for user authentication options available.
Learn about user access
Learn about GitHub Integration Learn about SSO 2-Factor Authentication (2FA)
LambdaTest authentication for platforms available through the Manage Team offers 2-factor (2FA) authentication as well.
Service Credential Storage
LambdaTest follows secure credential storage best practices by never storing passwords in human-readable format and only as the result of a secure, one way hashing with a random salt using industry-standard techniques.
Role-Based Access Controls
Access to data within LambdaTest platforms is governed by role-based access control (RBAC) and can be configured to define granular access privileges. LambdaTest supports various permission levels for users (Admin, User, Guest).
Learn about user rolesIP Whitelisting
We provide two different strategies for IP whitelisting wherever it is required by the customer.
1. Whitelist the multiple IP which is shared in nature.
2. Just whitelist one IP, which is a dedicated IP for a customer, which comes at an extra cost shared in nature.
Tunnel
You can test your locally hosted pages and privately hosted pages at LambdaTest Selenium Test Automation Platform using the LambdaTest tunnel app. The LambdaTest tunnel allows you to connect your local system with LambdaTest servers via SSH-based integration tunnel
https://www.lambdatest.com/support/docs/testing-locally-hosted-pages/Encryption in Transit
All communications with LambdaTest platforms and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and LambdaTest is secure during transit.
We also support http and TLS 1 for a few selenium frameworks which don’t support https or TLS.
Encryption at Rest
Data at rest is encrypted using AES-256 bit standards with keys being managed by key management services.
Tokenization
We use (DigiCert) certificates for domain management and ISRG Root X1 (chain of trust Let’s Encrypt) is the certificate authority. We are using email-based verification to obtain certificates. These certificates are managed via AWS ACM and DigiCert panel. The certificates are set to renew every 365 days. Nobody will view and download the certificate details except a few dedicated members of the Cloud Infrastructure team.
Dedicated Security Team
Our globally distributed Security Team is on call 24/7 to respond to security alerts and events.
Protection
Our network is protected through the use of key AWS security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Architecture
Our network security architecture consists of multiple security zones. More restricted systems like database servers are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply. DMZs are utilized between the Internet and internally between the different zones of trust.
Network Vulnerability Scanning
Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Third-Party Penetration Tests
In addition to our extensive internal scanning and testing program, each year LambdaTest employs third-party security experts to perform a broad penetration test across the LambdaTest Production and Corporate Networks.
Security Incident Event Management
Our Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team based on correlated events for investigation and response.
Intrusion Detection and Prevention
Service ingress and egress points are instrumented and monitored to detect abnormal behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
Threat Intelligence Programme
LambdaTest participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks and take action based on risk.
DDoS Mitigation
LambdaTest has architected a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defenses, while the use of AWS scaling and protection tools provides deeper protection along with our use of AWS DDoS-specific services.
Logical Access
Access to the LambdaTest Production Network is restricted by an explicit need-to-know basis, utilizes the least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the LambdaTest Production Network are required to use multiple factors of authentication.
Muti-Tenancy
Each application is serviced from an individual virtual private cloud and each customer is uniquely identified by a tenant ID. The application is engineered and verified to ensure that it always fetches data only for the logged-in-tenant. Per this design, no customer has access to another Customer’s data.
Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Facilities
LambdaTest hosts Customer data or Test data primarily in AWS and Azure data centers that have been certified as ISO 27001, 27701, PCI DSS Service Provider Level 1, and/or SOC 2 compliant.
Learn about Compliance at AWSAWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data.
Learn more about Data Centre Controls at AWSData Hosting Location
LambdaTest hosts its products and associated customer data in the United States, Europe, and Asia Pacific region of AWS and Azure data centers which meet global standards and regulations.
On-Site Security
AWS on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures.
Learn about AWS physical securityUptime
LambdaTest maintains a publicly available platform-health dashboard, which includes platform, or system availability details, scheduled maintenance, service incident history, and relevant security events.
Redundancy
LambdaTest employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Disaster Recovery service offering allows us to deliver a high service availability, as customer or test data is replicated across availability zones.
Disaster Recovery
Our Disaster Recovery (DR) program ensures that our Services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment and creating Disaster Recovery plans and testing activities.
Enhanced Disaster Recovery
Our Disaster Recovery services add contractual objectives for Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These are supported through our capability to prioritize operations of Enhanced Disaster Recovery customers during any declared disaster event.
In the event of a disaster, the following objectives apply:
i. 4-hour Recovery Time Objective (RTO): LambdaTest will aim to restore normal operations for your LambdaTest platform account within four hours from the time a disaster is declared, unless a disaster, or multiple disasters, impacts all of the Availability Zones used on an account.
ii. Under 1-hour Recovery Point Objective (RPO): LambdaTest will target one hour or less of data loss for your account. This is calculated from the point of the disruption, not from LambdaTest’s disaster declaration.
LambdaTest minimizes risks associated with third-party vendors by performing security reviews on all vendors with any level of access to our Information systems or Customer data.
LambdaTest hosts its products and associated customer data in the United States, Europe, and Asia Pacific region of AWS and Azure data centers which meet global standards and regulations.
LambdaTest never discloses any Customer data, Test execution data, and Accounts data to any third parties 'unless' where disclosure is necessary to be provided for certain services or as required to respond to lawful requests from public authorities-- please check if this was the intended statement
LambdaTest has developed security protections and control processes to help our customers ensure a secure environment for their information. Independent third-party experts have confirmed LambdaTest’s adherence to high industry standards.
LambdaTest provides advanced access using the least privilege principle and encryption features to help customers protect their information. We do not access or use customer content for any purpose other than providing, maintaining, and improving the LambdaTest Services and as otherwise required by law.
To verify that our privacy practices are appropriate, LambdaTest maintains a data inventory and flow of our product, documenting how data is processed and stored and what systems process PII or personal data, if any.
LambdaTest processes and stores Test execution data from its Customers while providing LambdaTest Services or transmitted via the LambdaTest platform by or on behalf of our Customers.
These data include reports, tests, networks, browser process logs, other artifacts, authentication, licensing, and test execution metadata (e.g. test status, duration, name, browsing sessions, search history) and other information that Customers may provide during testing.
All test execution data reports are available from the LambdaTest platform interface. Test execution data reports and other Test execution data are stored for 60 days and then automatically deleted. Customers who require longer data retention periods are encouraged to download their data directly.
Disposal of Data - Test execution data is disposed of in a method that renders the data unrecoverable, to the extent reasonably possible, in accordance with industry best practices for wiping off or cleaning up electronic media (e.g. NIST SP 800-88).
Secure Code Training
Secure coding guidelines based on OWASP Top 10 are shared with the engineering teams or engineers. The guidelines shall include but are not limited to Input Validation, Output Encoding, Session Management, Error Handling, and Logging. Engineers are also trained on the secure coding guidelines by the Application Security team at least on a yearly basis.
Framework Security Controls
LambdaTest leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), amongst others.
Quality Assurance
Our Quality Assurance (QA) team reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Separate Environments
Development, testing, and staging environments are logically separated from the Production environment. No Customer data or Test data is used in our development or test environments.
Version Control
Source Code is managed centrally with version controls and access restricted based on various teams that are assigned to specific sprints. Records are maintained for code changes and code check-ins and check-outs.
Dynamic Vulnerability Scanning
We employ third-party security tooling to continuously and dynamically scan our core platform applications against common web application security risks, including, but not limited to the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.
Software Composition Analysis
We scan the libraries and dependencies used in our products to identify vulnerabilities and ensure the vulnerabilities are managed.
Third-Party Penetration Testing
In addition to our extensive internal scanning and testing program, LambdaTest employs third-party security experts to perform detailed penetration tests on different applications within our family of products.
Responsible Disclosure / Bug Reporting
LambdaTest takes the security of its systems and products seriously and values the security community. The responsible disclosure of security and privacy vulnerabilities helps LambdaTest in ensuring the security and privacy of its users. Bugs can be reported through email at security@lambdatest.com.
Patch Management
LambdaTest patch management process is governed by the applicable policy and standard to ensure that all patches, security and otherwise, are deployed in accordance with defined SLAs.
Frequently asked questions
- LambdaTest Account data
- Test execution data
The second category of data consists of the data that our Customers uploaded to our Platform, or our Platform otherwise accesses that in the course of testing applications, reports, tests, networks, browsers process logs, other artifacts, authentication, licensing, and test execution metadata (e.g., test status, duration, name, browsing sessions, search history) and other information that Customers may provide during testing
In general, ‘Test execution data' means data stored or processes for delivery of Services we provide as a data processor and includes data stored for backup as well. 'Test execution data' need not contain any identifiable PII and sensitive PII regarding customer personnel, customers, end-users, or other third parties.
Please note that LambdaTest does not collect, nor does it require, any identifiable PII or sensitive data by default for its functioning.
From a privacy perspective, the Customer is the controller of Test execution data, and LambdaTest is a processor. This means that throughout the time that a customer subscribes to services with LambdaTest, the Customer retains ownership of and control over Test execution data in its account.
Test execution data’ means data stored for delivery of services we provide as a data processor and includes data stored for backup. LambdaTest hosts its products and associated data on Amazon Web Services (AWS) and Microsoft Azure (Azure) data center, qualified by global IT standards and regulations.
LambdaTest can host the data in the below-mentioned AWS locations (called regions as per AWS)
| Country | City | AWS Region |
|---|---|---|
| USA | Virginia | US East 1 |
| USA | Ohio | US East 2 |
| USA | California | US West 1 |
| USA | Oregon | US West 2 |
| EU/EEA | Frankfurt | EU Central 1 |
| EU/EEA | Ireland | EU West 1 |
| EU/EEA | London | EU West 2 |
| EU/EEA | Paris | EU West 3 |
| Australia | Sydney | Asia Pacific SouthEast 2 |
| Singapore | Singapore | Asia Pacific SouthEast 1 |
| India | Mumbai | Asia Pacific South 1 |
LambdaTest can host the data in the below-mentioned Microsoft Azure locations (called regions as per Azure).
| Country | City | AWS Region |
|---|---|---|
| USA | Virginia | US East |
| EU | Frankfurt | EU Central |
For example, LambdaTest servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities. Additionally, we engage third-party security experts to perform detailed penetration tests on a periodic basis, and our Customer Success support team is on call 24/7 to respond to security alerts and events.
As data processors, we inform the concerned data controllers without undue delay. The Data Protection Officer is responsible for reporting security incidents /breaches to customers.
Customers will have a dedicated Customer Success Manager who will be the SPOC for reporting. The account owner/admin of the Customer’s LambdaTest platform will be notified of any security incident that has an impact on the Customer. If there are any email DLs, we will also be able to report the same. We are happy to contractually agree on such requirements with a mutual concurrence.
- LambdaTest does not disclose any Customer data except as necessary to provide its services to its customers and comply with the law as detailed in our Privacy Policy found here
- LambdaTest has achieved a number of internationally-recognized certifications and accreditations demonstrating compliance with third-party assurance frameworks as described on our Security site.
We may also share such information with relevant law enforcement agencies or public authorities if we believe the same to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service, or as otherwise required by law.