Security

LambdaTest Inc (herein referred to as ‘LambdaTest’ in this document) is committed to ensuring Confidentiality, Integrity, Availability, and Privacy and providing comprehensive protection to its information assets against the consequences of confidentiality breaches, failures of integrity interruptions to their availability.,

LambdaTest is a SaaS-based continuous quality testing cloud platform that is used by over 2 Million developers and testers globally. With over 3000+ combinations of real browsers, mobile devices, and operating systems, it helps developers and testers to perform cross-browser and cross-platform compatibility testing at scale with blazing fast speed. Also, it helps them run tests on containers at scale and supports on-prem or private cloud deployment model. We believe in providing products that are ready to Go-To-Market, easy to set up and use, and require minimal customization. All of our products live up to this promise and are backed by our world-class support.

Our Customers include Fortune 500 & G2000 companies from across the globe and they trust us with their data security. We back ourselves up with robust data security and privacy practices that form an integral part of our product engineering, technology landscaping, and service delivery principles.

In support of the Security & Privacy by Design, security is at the heart of how we build our products, secure your data and provide high resilience. We have created and implemented security & privacy principles. These principles have a robust framework for building and maintaining secure systems, applications, and services that address and allow us to integrate a set of standards, guidelines, and best practices for managing information security, cybersecurity, data security, and privacy consideration or related risk by default and by design while ensuring its adherence to multiple requirements globally.

We have atop-down governance and security in our DNA and this helps us to constantly wade through our threat vectors and calibrate and strengthen our security posture to align with the changing business and technology landscape.

This policy applies to all LambdaTest employees, assignees, partners and contractors that provide services to LambdaTest and is an integral part of the Business Code of Conduct.

This also covers the security of information systems and data networks owned or used by LambdaTest as well as the information that is stored, transmitted, or processed by those systems.

LambdaTest is committed to complying with all applicable legislation and law of the land in all locations and countries related to its operations and information processing.

Key legislation that is complied with include laws related to corporate governance, employee relations, data privacy, intellectual property, and financial reporting.

Executive leadership (Top Management) members are a part of the internal Information Security & Compliance Steering Committee (ISCSC), which ensures that all LambdaTest commitments to Customers and stakeholders are upheld.

LambdaTest is committed to information security, protection of personal information, and privacy with applicable laws, regulations, and standards. Information Security & Compliance Steering Committee (ISCSC) members are responsible for defining and improving the Integrated Management System (IMS). The top management has demonstrated leadership and commitment to the Integrated Management System (IMS) by:

i. Ensuring the information security and personal data protection policy and its objectives are established and are compatible with the strategic direction of LambdaTest.

ii. Ensuring the integration of ISMS, PIMS, SOC 2, CSA, and other standards requirements into LambdaTest’s processes.

iii. Ensuring that the resources needed are available

iv. Communicating the importance of an effective integrated management system and of conforming to integrated management system requirements

v. Ensuring that the IMS achieves its intended outcome(s)

vi. Directing and supporting persons to contribute to the effectiveness of IMS

vii. Promoting continual improvement

viii. Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility

LambdaTest is committed to:

i. Ensure Confidentiality, Integrity, Privacy, and Availability by adequately protecting the information and information systems against unauthorized access, modification, or alteration.

ii. Establish and implement security policies and processes while considering the protection of information and information systems from internal and external threats.

iiii. Comply with legal, regulatory, and contractual security & privacy obligations as may be applicable.

iv. Ensure security and privacy awareness and competency amongst associates to enable them to meet their security & privacy obligations.

v. Provide a framework to manage and handle security incidents, privacy breaches, violations, and business disruptions.

vi. Ensure continuous improvement of the security & privacy posture to consistently meet its objectives.

LambdaTest shall adopt leading industry security & privacy standards and practices to design and develop robust information security & privacy management framework to support this policy statement. To this effect, the policy shall be supported by domain-level security & privacy policies, procedures, guidelines, and standards, which shall be communicated and made available to relevant stakeholders.

At LambdaTest, the executive leadership (Top Management) members are a part of the internal Information Security & Compliance Steering Committee (ISCSC), which ensures that all LambdaTest commitments to Customers and stakeholders are upheld. The ISSC considers ensuring the security & privacy of Customer information and applying the right processing methods of any personal information in line with privacy regulations should be a way of working at LambdaTest.

While information security and privacy are an organization-wide responsibility, the ISCSC has established a dedicated information security and privacy team as independent custodians of the vision. Both teams directly report to ISCSC and independently manage the governance aspects of information security and privacy. The Information Security team is headed by the Information Security Officer (ISO) and the Privacy team is headed by Data Protection Officer (DPO) both directly report to the ISCSC. This committee is headed by the Chief Executive Officer (CEO).

The ISCSC is committed to constantly aligning its information security & privacy posture to ensure data security and assure non-repudiation for Customers' data, ensure secure and stable products that provide consistent output, ensure delivery of products and services that are highly resilient to internal and external threats and interruptions, ensure that its people are oriented to the principles of security & privacy by design as it applies to them in their respective job roles, and business processes are designed and implemented based on risk and control considerations.

On a half-yearly basis, the ISCSC reviews Information Security and Privacy in a structured manner. Following are the broad objectives of such reviews:

i. Road map: Ensure that the information security and privacy road map is well thought through after factoring in all Customer, regulatory and contractual requirements and is in sync with the internal and external threat vectors.

ii. Initiatives: Take stock of the various information security and privacy initiatives or programs and provide recommendations.

iii. Expertise: Ensure that adequate expertise is available for all information security and privacy initiatives. The ISCSC provides necessary technical inputs and ensures that LambdaTest leverages adequate expert opinions from various industry sources.

iv. Resources: Ensure that adequate people and financial resources are made available to various initiatives for effective execution.

v. Performance Evaluation: Ensure information security performance and the effectiveness of the information security management system and integrated management system.

In order to ensure proper internal controls and mitigate the risk of fraud and errors, LambdaTest is committed to maintaining a segregation of duties. The duties and responsibilities are divided among different individuals or teams to prevent any single person from having complete control over critical processes or systems.

LambdaTest has a dedicated Information Security Officer, and Data Protection Officer, an independent team that runs information security and privacy functions. LambdaTest Information Security Office has the following teams:

• Security Product & Engineering (App Sec): Responsible for ensuring that information security requirements are adhered to in the platform application architecture, and technology landscape. This team ensures that all the technology components are hardened, access controlled, and monitored and ensures that all internal and external threat vectors are structurally mitigated and managed.
• Security Operation Center: Responsible for performing proactive monitoring of information security events and alerts and providing situational awareness through the detection, containment, and remediation of any suspected or actual security incidents. The team ensures that tactical rules and data sensors are configured to provide suitable early warnings and alerts. The team works on a 24/7 basis to identify, analyze, communicate, investigate and report on critical information security events.

LambdaTest Data Protection & Risk Office has the following teams:

• Governance, Risk and Compliance (GRC): Responsible for Risk Management ensuring the appropriate design of controls, effective implementation, and consistent operation of controls, perform and coordinate for internal and external audits, and manage information security incidents. The team ensures compliance with various information security & privacy frameworks and works towards continuous control maturity.

Also, GRC is responsible for ensuring that the company operates within the established legal, and regulatory frameworks. They are responsible for creating and implementing policies, procedures, and controls related to information security and privacy that are essential for the organization's compliance with laws and regulations, as well as mitigating risks associated with business operations. The policies and standards are reviewed by relevant stakeholders and approved by document owners at least annually. The policies and standards are made available to all LambdaTest employees on a centralized document repository.

• GRC Team: Responsible for providing a single-window channel to communicate with Customers regarding the information security & privacy posture at LambdaTest. The team would also provide feedback regarding trends that they see about the market’s expectations or requirements from an information security and privacy compliance perspective.

At LambdaTest, we pride ourselves on building a powerful Cloud Testing Platform application that’s secure, reliable, easy to use and high-performance. We believe that customers and employees are the foundation of a successful business.

Recruitment

We are constantly on the lookout for smart people who are passionate about building great products, designing great experiences, building scalable platforms, and making customers happy.

All intents for the recruitments are raised to the HR department along with a description of the job, roles & responsibilities. The intents are approved by the respective department or pod heads based on their function’s specific recruitment plan. The HR and respective POD managers are responsible for conducting interviews. Depending upon the seniority of the role, the HR team sets up interviews with appropriate stakeholders. Candidates are selected based on validation of both culture and skill set fitment.

Background Verification

All employees joining LambdaTest undergo a mandatory background verification check that is initiated once their employment offer is rolled out. LambdaTest engages empaneled third-party service providers to perform background verifications covering identity, whereabouts, education history, employment history, and criminal history. Risks, if any, identified from background verification checks are analyzed and are approved or rejected by the respective function HR in association with the respective business manager.

On-boarding

All new joiners are batched and they join on Mondays. They undergo a 2-3 days onboarding schedule. During the onboarding process, employees are provided with an overview of the values lived at LambdaTest, the vision and key objectives, the organization structure and key stakeholders, and various processes that all employees are required to follow. As a part of the employee on-boarding process, all new joinees are provided with awareness training on information security, data privacy requirements, adherence to Code of Conduct and applicable compliances, and practices followed at LambdaTest. This includes appraising and training the employee on their responsibilities with regard to information security, privacy and compliance requirements.

Confidentiality Undertaking

All new joinees sign a confidentiality agreement as part of their employment agreement while being on-boarded as an employee. The agreement specifies their obligations and responsibilities as an employee while handling confidential information that the employee has access to during the course of their employment.

Code of Conduct

The Code of Business Conduct and Ethics (this Code) flows directly from the commitment of LambdaTest Inc., a Delaware corporation (together with its subsidiaries, “LambdaTest”, “we”, “our”), to our mission and core values. We consistently aim for excellence and to provide value for our customers, partners, and stockholders, and it is critical that we do so with integrity and high ethical standards. It is unacceptable to cut legal or ethical corners for the benefits of LambdaTest or for personal benefits. The purpose of this Code is to promote ethical conduct, serve as a guide, and to deter both wrongdoing and the appearance of wrongdoing. Doing the right things is more important than winning while risking our reputation or the trust of our customers, partners, and stakeholders.

The Code is designed to ensure:

• We operate our business ethically and with integrity
• The avoidance of actual or apparent conflicts of interest
• Compliances with the letter and spirit of all laws and policies of LambdaTest, including accurate and clear language in our reports, advertising and public communications
• The prompt internal reporting of suspected violations of this Code

The Code of Conduct (“Code”) applies to all employees, officers, directors and independent contractors of LambdaTest Inc., and all its subsidiaries. Every employee will be required to confirm their acceptance and understanding of this Code in our annual review cycle. All employees are required to abide by this Code, which comprises the following policies:

• Promoting Diversity and Respect
• Conflict of Interest
• Anti-Bribery, Antitrust, and Anti-Corruption
• Insider Trading
• Fair Dealing
• Gifts and Entertainment
• Acceptable use of Company Assets
• No Retaliation
• Privacy and Confidentiality
• Health and Safety
• Equal Employment Opportunity
• Prevention of Harassment at Workplace
• Policy on Media (including Social Media)
• Policy on Intellectual Property Rights

Disciplinary Process

As part of the onboarding process, employees are appraised about the internal policies and process as it applies to them. Employees are also informed about the complaint reporting mechanism and the disciplinary process that may ensure. Any violation of the policies is reported as an incident and isinvestigated by the HR team. Any violation, if proved results in a warning, payment of compensation, withdrawal of promotion, suspension, or termination of employment, based on the nature of the violation.

Transfers and Movements

When associates are transferred internally, the HR Manager finalizes the last day of service along with the reporting manager which is then communicated to the new respective manager as well. Accordingly, a request is raised for aligning the access needs in line with the new job role.

Employee Exits

All resignation notices will be submitted to the reporting manager and HR. The reporting manager shall, with the consent of HR, recommend and confirm the date of relieving. The exit process will be initiated and the exit form needs to be signed off by the respective associate’s reporting manager, Cloud Infrastructure team, Administration, IT, and HR team will ensure that the accesses to all information and assets granted to the employee are returned and revoked.

Remote Working

Employees while working remotely must adhere to LambdaTest’s policies and procedures to protect confidential information. This includes using secure networks, ensuring passwords are strong and regularly updated, and following best practices for data protection.

LambdaTest’s employees are security and privacy-minded through its continuous educational activities and practical exercises about evolving threats, compliance obligations, and secure workplace practices.

• i. Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance.
• ii. All employees shall complete their annual information security, privacy, and compliance awareness and training program.
• iii. As part of this program, personnel with specific job functions shall receive additional training tailored to their roles and responsibilities, emphasizing the specific security & privacy risks and controls relevant to their positions.
• iv. Information security and privacy compliance training guide is provided as a quick reference to all employees.
• v. Training logs identifying the training class, attendee, and date are kept by the HR department.

LambdaTest has established a formal Asset Management Policy; and the process is necessary to facilitate effective management, control, and maintenance of the assets/information in its operations environment by classifying assets as per the functionality or criticality.

We are committed to sustainable asset management practices that promote environmental responsibility and efficiency. The objective of our asset management program is to effectively monitor, track, and optimize the utilization of all company assets to ensure maximum efficiency, cost-effectiveness, and return on investment. Through strategic planning, proactive maintenance, and accurate data analysis, LambdaTest minimizes downtime, extends asset lifespan, and reducesreduce operational expenses. By implementing best practices and leveraging technology, we aim to maximize productivity, improve asset performance, and ultimately enhance overall business performance and profitability. LambdaTest has defined process phases for Asset Management such as Planning, acquisition, operation, maintenance, disposal and performance monitoring.

This policy is to identify, classify, label, and handle Information Assets of LambdaTest, and to apply protection mechanisms commensurate with the level of confidentiality and sensitivity.

• i. The confidentiality and sensitivity of the information will be maintained through an Information Asset classification scheme. The level of security to be accorded to the information of LambdaTest depends directly on the classification level of the asset, which is associated with that information.
• ii. All new assets will be acquired in accordance with LambdaTest's procurement policies and procedures. A risk assessment will be conducted prior to acquiring any new asset to ensure that it aligns with the organization's strategic objectives. Asset acquisition decisions will be based on cost-effectiveness and strategic alignment with organizational goals. Asset performance metrics will be tracked and analyzed to evaluate asset ROI and inform strategic decision-making.
• iii. The Information Asset Inventory must contain the following information as a minimum:
  • Information Asset Identification
  • Information Asset Description
  • Information Asset Location
  • Information Asset Owner/Custodian
  • Information Asset Classification
  • Information Asset Value

Acceptable Usage of Assets

Employees are educated on being responsible and exercising good judgment regarding the reasonableness of personal use. For security and network maintenance purposes, authorized individuals within LambdaTest, monitor equipments, systems, and network traffic. We reserve the right to suspend or disable employee network accounts for an actual or suspected security breach or policy violation. Any IT resource assigned to an employee is not transferred to another employee or group without first following a procedure of intimating IT so that the transfer is recorded. The transfer should be made post a sign-off from IT. In the event of loss of an asset post an un-intimated transfer for any purpose, the employees are held liable and appropriate fines are levied.

Information at LambdaTest

LambdaTest information may include, but is not limited to:

• All computer equipment, software, operating systems, storage media, network accounts, electronic mail, etc… (“IT resources”), are the property of LambdaTest. These systems are to be used for business purposes in serving the interests of the company, and of our customers in the course of normal operations
• All proprietary information that belongs to LambdaTest, such as user manuals, training materials, operating and support procedures, business continuity plans, and audit trails.
• Personnel information relating to employees of LambdaTest.
• All customer information & product research-related data held by LambdaTest.
• All software assets such as application software, system software, development tools, and utilities.
• All physical assets, such as computer equipment, communications equipment, removable media, and equipment relating to facilities.
• All services, such as power, lighting, and HVAC associated with LambdaTest information systems.
• People assets.
• Intangibles assets such as the reputation and image of LambdaTest.

LambdaTest maintains an inventory of all virtual devices (including servers and networking components), and physical devices. All the devices are labeled and tracked in an asset register with information about the asset owner, asset custodian, and asset location. The asset register is kept current and is updated whenever the assets are moved or retired or serviced.

LambdaTest has developed and implemented a formal procedure for the information classification and handling standard consisting of distinct levels which must be followed by all LambdaTest employees. The protection level and requirements for data processing are defined for each classification category. LambdaTest classification model into four levels of categories:

• Restricted
• Confidential
• Internal
• Public

The classification levels of all information or data is identified, both on the data and in the asset inventory. Accessibility will enable LambdaTest to focus information or data protection mechanisms on those assets that are most susceptible to specific risks. Information Assets may be assigned security based on their susceptibility to risk.

LambdaTest has adopted Zero Trust model for Identity and Access Management (IAM) to ensure the concept of “never trust, always verify”, and access rights would be provisioned on the basis of "least privilege”, “need-to-know”, and “need-to-have or need-to-do-principles”. As a part of the user lifecycle management, defined processes for adding, changing, and removing users and their access rights are applied across all information systems, applications, services and regular periodic reviews of those access rights are conducted.

IAM is paramount to protecting LambdaTest information resources and requires the implementation of controls and continuous oversight to restrict access.

Product Access

By default, LambdaTest adopted the least access privileges and role-based access principle provision in its all information system. Few employees of LambdaTest from Customer Success and Solution engineering have access to Customer accounts as they need this access for any configuration or troubleshooting. These privilegeaccesses are reviewed on a regular basis.

LambdaTest provides a role-based administration for all user accounts. There are 3 roles: admin, user, and guest, each with different permissions. The administrators of the account can control the user’s permission and activity.

Sub-Processor Access

LambdaTest partners with organizations like itself to adhere to global standards and regulations. These organizations include sub-processors or third-parties that LambdaTest utilizes to assist in providing its products and services.

This means, like LambdaTest, by default no sub-processors have access to any Test execution data of Customer. Incidents and support tickets are handled by LambdaTest.

Further, on a case-to-case basis, if an incident/support requirement arises that only the sub-processors can handle, access is provided by the Customer’s admin through the product as a temporary user and immediately revoked once the issue has been resolved.

Internal Systems Access

Access to LambdaTest internal systems are based on the principles of least privilege for access. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. Furthermore, while defining job roles and designing access roles, privileges leading to conflicts of interests are to be avoided. Strong identification, authentication, and logging systems are deployed and provide a centralized control to administer, monitor and review all critical access events.

Access Control Environments

At LambdaTest, different environments are established from a product standpoint. The product has different environments for development, testing and production purposes. Each of these environments is shielded and controlled from interactions with the other environments. Developers do not have access to the production environment (including no access to migrate changes). Access to migration changes is limited to only designated and authorized individuals.

Authorization Process

All access requests are logged, tracked, and managed through Jira (Atlassian suite). All-access requests are approved by the reporting manager and product owner. Also, the requests are approved by the respective department head or their delegated set of approval. Once approved, the request is routed to the respective system administrators for provisioning the access. Logs of all access requests raised, approval obtained and provisioning made in the systems are maintained to establish an end-to-end audit trail.

Access to all environments (development, test, and production) and resources within it are centrally managed using IAM system. The user IDs follow our internal guidelines for naming convention and are managed such that it is identifiable to a user. We have implemented strong password parameters that apply to all the systems. All accesses are permitted only from registered user systems and only from the whitelisted IP addresses of LambdaTest. All the access is routed through the bastion host, where the IAM solution enforces role-based access and two-factor authentication. System access logs for access to Customer data are maintained and subject to review by NOC and SOC team that operates on a 24x7 basis.

Remote Access

Accordingly, access to the LambdaTest production environment is limited to authorized users from the development or testing teams. All access to the LambdaTest production environment is allowed only from within the LambdaTest corporate network that’s behind VPN. For handling business continuity, disaster recovery, and pandemic scenarios, administrative and management users (Cloud Infrastructure, Database administrators, On-call Support, 24x7 Monitoring teams) have been provided with VPN access to connect to the office network. All the access is protected via Single Sign On (SSO) or Two-factor authentication and all accesses will be logged.

Access Reviews

On a quarterly basis, the ownership of all user accounts in the production environment is reviewed by the product owner. For sensitive and critical accounts, the review is performed on a monthly basis. The information security team tracks the process of user access reviews and reports the findings to the ISCSC.

Password Management

The complexity and length of passwords are set according to best practices and adapted if necessary. With processes designed to enforce minimum password requirements for LambdaTest products, we utilize the following requirements and security standards for user passwords on the LambdaTest Service:

• Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols.
• Five multiple logins with the wrong username or password will result in a locked account, which will be disabled to help prevent a brute-force login, but not long enough to prevent legitimate users from being unable to use the application
• Passwords need to be changed after 60 days
• Employees need to raise a request to reset the password and the IAM administrator would send an email-based password reset links to a user's pre-registered email address and employees mobile with a temporary link
• LambdaTest rate limits multiple login attempts from the same email address
• LambdaTest prevents reuse of recently used passwords
• Passwords must be stored securely in password vaults using encryption methods approved by LambdaTest.
• Password hashing: User account passwords stored on LambdaTest Service are bcrypt hashing with a random salt using industry-standard techniques.

Single sign-on

LambdaTest lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to the LambdaTest platform using their existing corporate credentials. SSO is available on select packages only, so please consult your order form for eligibility.

LambdaTest has developed and implemented a formal process for the cryptographic protection standard and ensures the confidentiality, authenticity, and integrity of the information that is transferred through a third-party network and protects against unauthorized access or malicious activities.

i. Cryptographic controls can be used to achieve different security objectives, e.g:

a. Confidentiality: Using encryption of information to protect restricted or critical information, either stored or transmitted.

b. Integrity/Authenticity: Using digital signatures or message authentication codes to protect the authenticity and integrity of stored or transmitted sensitive or critical information.

c. Non-Repudiation: Using cryptographic techniques to obtain proof of the occurrence or nonoccurrence of an event or action.

ii. Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.

We use cryptographic methods and industry standards to protect customer data in transit and at rest. For example, all communications with LambdaTest platforms and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and LambdaTest is secure during transit. By default, encryption is also enabled on all our services that contain data at rest using AES-256 bit standards with keys being managed by key management services.

Key Management

At LambdaTest, we prioritize the security and integrity of our cryptographic keys through stringent key management practices. Our approach follows industry standards and best practices, encompassing key generation, distribution, storage, updates, and disposal. We maintain strict controls over key access and usage, promptly addressing any compromises or incidents. Additionally, we ensure compliance with legal requirements and safeguard key authenticity alongside integrity. Our commitment extends to protecting keys against unauthorized access and physical threats.

The following section provides an overview of the physical and environmental security safeguards at LambdaTest Product Development center in India and the data center where LambdaTest products and data are hosted.

Perimeter Security at LambdaTest office

LambdaTest operates out of a multi-tenant building where perimeter security is centrally provided by the Building Management System team. The building is continuously patrolled by security guards on a 24x7 basis. The guards only allow employees with a valid ID card inside the building.

Access to the LambdaTest office is restricted only to LambdaTest’s employees and authorized support staff. CCTVs are installed across all vantage points within the office including all the entry and exit points. The administration and facilities team is responsible for monitoring the CCTV footage and these are retained for a minimum of 90 days.

24x7 dedicated security guards are deployed at entry and exit points. All the entry points are further secured using a proximity-based access card system. Access reviews are carried out by the LambdaTest Administration team on a regular basis to ensure only authorized LambdaTest employees or support staff have access.

Visitor Management at LambdaTest office

All visitors are registered at the entrance at LambdaTest with details of host and purpose of visit. The visitors are provided an ID tag and are always escorted by a host while inside the premises.

Material Movement at LambdaTest office

LambdaTest has procedures established for equipment’s seiting and identifications. At the entrance, the security personnel tracks the movement of equipment and consumables and verifies relevant authorizations for bringing in or removing any classified materials. The IT team ensures that all equipment movements are approved and sent to authorized recipients. Dedicated loading and unlocking areas have been identified for the movement and disposal of electronic media and equipment. Such movements are authorized by the IT Manager and tracked by the Facilities Administration team.

Environmental Safeguards at LambdaTest office

The office workspace has multiple controlled entry and exit points with visible markings and floor maps displayed that assist in speedy evacuation from anywhere in the office. Smoke detectors are installed throughout the facility and are supported by sprinkler-based fire suppression systems that run throughout the facility. Further, appropriate types of fire extinguishers are placed at various locations in the facility with clear markings. The facility is covered with a public address system that helps to provide any flash announcements in case of any emergency.

A centrally managed Heating, Ventilation, and Air-Conditioning system (HVAC) has been installed and managed by the facilities administration team. The power supply received for the facility is integrated with an Uninterrupted Power Supply (UPS) and Diesel-based power generator. In case of any power interruptions, automatic and uninterrupted switch-over will happen to ensure that there is no impact on the facility and its systems or equipment. All power cables and network cables are secured and shielded from interferences and are identified for supporting maintenance and troubleshooting work.

All the equipment and systems providing environment safeguards are covered under warranties and annual maintenance contracts and accordingly, these are covered under regular preventive maintenance checks to ensure its proper functionating.

Physical and Perimeter Security at Data Center

LambdaTest hosts its products and associated data in AWS and Microsoft Azure data centers that provide cutting-edge security and resilience and are compliant with a plethora of information security standards and frameworks. The data centers are hosted in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, motion detectors, intrusion alarm systems, and other electronic means. Authorized staff must pass through two-factor authentication a minimum of two times to access data center floors.

Physical access to the hub room located at LambdaTest’s corporate office is restricted by professional security staff and video surveillance. Access can only be granted through the combination of access card and biometrics. Along with that, a physical logbook is also maintained where details like name of the person, purpose, in and out time are recorded.

LambdaTest prioritizes the resilience and reliability of its utility infrastructure to support uninterrupted business operations. Our approach includes strict adherence to manufacturer specifications, regular appraisal, proactive inspection, and testing. We employ alarm systems for early detection, redundancy measures for continuity, and network segregation for security. Emergency provisions, including lighting, communications, and contact details, ensure swift response during outages or emergencies. This commitment underscores our dedication to safeguarding operations and personnel safety.

Cabling security is ensured by implementing measures such as underground installation where possible, segregation of power and communication cables, use of armoured conduit and locked rooms, electromagnetic shielding, regular inspections, controlled access to cable and hub rooms, and proper labeling of cables for physical identification.

Environmental Safeguards at Data Center

All critical IT equipment is hosted in AWS and Microsoft Azure data centers. Automatic fire detection and suppression equipment have been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments including the mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems as suitable based on the types of combustible materials in the respective zones.

Submersible pumps are installed and maintained as a safeguard against a flood event. The data centers get power from two different feeder channels and are additionally supported by the power generators and UPS all having automated switch over in case of any rare instances of power outages. The data center’s electrical power systems are designed to be fully redundant and maintainable without impact on operations, 24 hours a day, seven days a week. UPS units provide backup-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide backup power for the entire facility.

Climate controls are required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Equipment Maintenance

LambdaTest prioritizes equipment maintenance to safeguard our information assets. We adhere to supplier recommendations, implement a robust maintenance program, and restrict access to authorized personnel. Records are kept for all maintenance activities, and security measures are enforced for on-site maintenance. We comply with insurance requirements and conduct thorough inspections before reactivating equipment. Our goal is to ensure equipment reliability, security, and confidentiality.

Secure Disposal or reuse of equipments

LambdaTest prioritizes the secure disposal and re-use of equipment and storage media containing confidential information. All employees must adhere to thorough verification processes, physical destruction of storage media, removal of identifying labels, and consideration of security control removal when moving premises. These measures are essential for maintaining information security and compliance.

LambdaTest maintains a formal information security management program with dedicated security personnel reporting to LambdaTest's Head of Security. LambdaTest has established a formal policy and process for the requirements and key information security considerations for information technology operations, including the definition of standard operating procedures, change management, configuration management, release management, information backup, and restoration and cloud computing.

There are a number of security controls in place to achieve the protection of data, information, information system, and monitoring LambdaTest for suspicious activity.

• Documented operating procedures: Document procedures have been formally laid down for operational activities associated with information processing and communication facilities and maintained to ensure the correct and secure management of information processing facilities.
• Malware and spam protection: Anti-malware systems and services are in use to detect, prevent and report malicious software and activity. All in-scope systems are configured with malicious code protection and detection software, systems are kept up-to-date and definitions are updated regularly.
• Logging: LambdaTest outlines the criteria for creating and managing logs, specifying the data to be collected and logged, and procedures for protecting and handling log data. All systems, devices, and applications generating logs must adhere to these guidelines. Key logging criteria include capturing user IDs, system activities, event details, and network information. Events such as access attempts, system configuration changes, and file access must be logged. Time synchronization across systems is essential for effective log correlation and analysis.
• Monitoring: LambdaTest is dedicated to upholding a robust monitoring framework to safeguard the security and integrity of our systems, networks, and data, in alignment with our business objectives and legal obligations. These guidelines delineate the scope and protocols for monitoring activities, encompassing the determination of scope, inclusion criteria, establishment of baselines, anomaly detection, and specific measures for web monitoring. Monitoring records are maintained in accordance with organizational policy and complying with relevant laws and regulations.
  Additionally, LambdaTest Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems to detect potential threats. If any of the criteria thresholds or suspicious event logics are triggered, an alert is generated that notify the security team based on correlated events for investigation and response.
  After the potential risk has been determined, the security team begins incident handling and response, which includes gathering data (e.g., logs and forensic images) to help determine the root cause of the incident as well as the best course of action for mitigation.
  After an incident has been resolved, the security team enters the final phase of the incident response lifecycle, which includes processes and feedback loops, such as a port-mortem analysis. The incident post-mortem analysis is designed to highlight what was done well and what could be improved on, how to better defend LambdaTest from similar incidents, and where LambdaTest should focus resources going forward. Through this process, the security team can provide proactive guidance to and drive improvements across the entire LambdaTest organization and, when required, to supporting processes.
• Threat Intelligence: LambdaTest is dedicated to maintaining robust threat intelligence practices to protect our assets and stakeholders. We have established clear objectives, vet and select relevant information sources, collect and process data, analyze findings, and communicate them effectively. Continuous improvement will be prioritized to adapt to evolving threats and organizational needs. We have tools combined with threat intelligence to detect any anomalies in our product and our infrastructure.
• LambdaTest subscribes to industry threat feeds and email lists, which provide threat intelligence information from industry peers as well as adjacent industries. Information is received in a structured format that enables easy distribution into our SIEM systems. LambdaTest has a multi-faceted threat intelligence program using a combination of automation using industry standard tools and employee reviewers to filter through the intelligence we receive. The information derived from these external and internal sources is used by LambdaTest’s Incident Response team members to aid in determining any necessary course of action.
• Backup: All data hosted on the cloud is synced in real-time (with cross-regional network latency) across the AZs or to a separate AWS and Azure region other than the one which hosts Customer serving infrastructure. Each AWS AZ / Azure AZ or region is designed to be completely isolated from the AWS /Azure regions & hence helps achieve the greatest possible fault tolerance and stability. Data sync happens in an active-active model and is equipped to independently handle the load in case of any failures.
• Technical Vulnerability Management: LambdaTest has a standard for vulnerability management that is CVSS based on severity (critical, high, medium, and low) as reported by our scanning vendor(s). Vulnerability scans are conducted on all production systems and endpoints on a regular basis. Remediation timeframes are determined through a combination of CVSS level, impact analysis of remediation options on our customers and business, and contractual SLAs.
• Control of operational software: Applications and operating system software should only be implemented after successful testing, the tests should cover usability, security, effects on other systems and user-friendliness and shall be carried out on separate systems. And, operational systems shall only hold approved executable code and not development code or compilers.
• Information system audit: The required guidelines are already defined internally and must be followed by all LambdaTest employees.
• Web Filtering: LambdaTest is dedicated to protect the organization’s personnel and digital assets from the threats associated with accessing malicious or illegal websites. This outlines measures to mitigate risks, including blocking access to websites known for illegal content, viruses, or phishing materials. We have employed techniques such as IP and domain blocking, categorize websites based on risk, and restrict access to specific categories of sites. Furthermore, we utilize browser and anti-malware technologies to automatically block prohibited sites, safeguarding our network and data integrity.
• Installation of software on operational systems: LambdaTest prioritizes the security of our operational systems. To ensure secure management of software changes and installations, we adhere to strict guidelines:
• Approved executable code, rigorously tested, is installed, with no development code or compilers.
• Old software versions are archived for contingency, and upgrades consider business needs and security implications.
• Vendor-supplied software is kept up-to-date, and open-source software is maintained to the latest release.
• Access to external software is monitored to prevent unauthorized changes, and strict rules govern user-installed software.

By adhering to these guidelines, we ensure the integrity and security of our operational systems.

LambdaTest management believes in establishing a cross-functional working model based on the size, nature of activities and emerging business realities for product development, support and maintenance. LambdaTest uses the Scrum model from the agile framework in combination with the Continuous Integration and Continuous Deployment (CI/CD) approach to ensure faster delivery of functionalities to its Customers. Members from various teams form the “Squad” to work on the core functionality or features of the product and the underlying infrastructure. Secure Coding standards and guidelines have been published to the Squad and Development teams by the Application Security team.

Change Squad Composition

A Squad consist of the following members:

• Product Manager
• Squad Lead
• Tribe members
• Tribe leads

Code Version Management

To get the “CI” working of the CI/CD cycle, continuous integration is paramount to faster development cycles. Every block of code is unit tested before it is checked-in on the code repository using a source control tool. Any changes to the uncompiled source code is tracked for its code integrity and most updated library is maintained for the subsequent sprints. Once the code is approved by the Quality Assurance team, the code is committed for promotion to the staging and production environments.

All product inputs are accumulated including enhancements, bugs and fixes in a central repository owned by Product owners. SLAs are defined for fixing the issues and priorities are assigned. Once they prioritize what gets into each sprint based on our priority criteria. All security fixes are considered as high priority and bundled into the earliest possible sprint. Our DevOps sprints are powered by a Squad of members that includes the Product owner, Squad Lead, Tribe Lead, and Tribe Members.

Change Verification and Approval

Following the principles of Security by Design, at LambdaTest, product security is a part of the blueprint and design consideration in every build cycle. Accordingly, the Application Security and Cloud security team is a part of the build cycles. Multiple security checks including code reviews, web vulnerability reviews, and advanced security tests are performed in every build. Source code analysis is performed using adopted tools. Vulnerabilities are identified, fixed and revalidated before the code is promoted to production. That apart, the builds are put through stringent functionality tests, performance tests, stability tests, and UX tests before the build is certified as “Good to go”. Static code analysis is carried out during unit tests, before compiling it in a runtime environment. The “Good to go” flag serves as a gating mechanism for code promotion to the production environment.

Change Deployment

To reduce a possible downtime, code promotions take place using the Blue-Green Deployment model, which reduces the risk by running two identical production environments called Blue and Green. At any time, only one of the environments is live, with the live environment serving all production traffic. During a product update, deployment and the final stage of testing take place in the environment that is not live (Green). Once the deployment and acceptance criterions are fully tested the updated build in Green is switched to Blue. While the Green goes live, Blue is pushed to an idle state. In addition, if something unexpected happens with the new version of Green, we can immediately roll back to the last version by switching back to Blue.

The capacity management process is established to ensure there is continuous harmony between Business capacity management (strategic and forecasting) and service capacity management (tactical).

The capacity management process carried out by Cloud Infra is to make sure the application is available 24x7 round the year, except during the planned downtime.

The capacity management process applies to the following:

• Products offered by LambdaTest
• Network components
• Server components
• Applications
• Services (system processes)
• Other critical information systems as identified by the LambdaTest team based on Risk Assessment.

We maintain at least a maximum of 20% headroom for unexpected traffic. Following are the typical parameters that are used for managing capacity:

• CPU and Memory load
• IO load and job queue length
• Concurrent connection (RPM- Requests per minute)
• Error rate in the system
• App specific parameters

Stress-Testing of Cloud Infrastructure: LambdaTest prioritizes the integrity and performance of our cloud systems and services. As part of our commitment to maintaining a secure and reliable environment, we conduct regular stress-tests to ensure that our systems have the capacity to meet peak performance requirements. These tests are essential for identifying any potential vulnerabilities or weaknesses in our cloud infrastructure and allow us to take proactive measures to address them. By continuously evaluating and optimizing our cloud system capacity, we strive to deliver a seamless and efficient experience for our customers while safeguarding against potential threats.

The capacity management has two approaches:

• i. Proactive Approach: This is primarily accomplished by having a regular stream of communication between the Customer facing teams and the operations teams. Based on the projections made for new customers, the operations team would be able to arrive at various capacity requirement specifications and would go about following their standard operating procedures (SOP) for provisioning the additional capacity to the fleet. All business-critical components are also provisioned with autoscaling [Auto Scaling the capacity once the headroom is breached]
• ii. Relative Approach: The Production environment is monitored 24x7 by a NOC team. The NOC teams use a multitude of tools to monitor the production environment. When any of the parameters crosses the threshold then the NOC team has a SOP that they will use to commission additional capacity. The alerting system displays the exact cluster of the machines that are either underperforming or have a failure. The NOC team makes use of this information to use a SOP to mitigate the situation.

LambdaTest has ensured sufficient security and privacy controls are architected to protect the confidentiality, integrity, availability, and safety of the organization’s network infrastructure that enforces the concept of “least functionality” through restricting network access to system, applications, and services, as well as to provide situational awareness of activity on the organization’s networks.

LambdaTest has deployed an information technology network to facilitate its business and make it more efficient for various risks. It has established management direction, principles, and standard requirements to ensure that the appropriate protection of information on its networks is maintained and sustained. Few controls which are in place to achieve the protection of exchanged information from interception, copying, modification, misrouting, and destruction are as follows:

• Network Controls: LambdaTest monitors and updates its communication technologies periodically to provide network security as per industry-best practices. Cryptographic techniques are used to protect the confidentiality, integrity, and authenticity of sensitive and confidential information. Firewall rules and access restrictions are reviewed regularly.
• Infrastructure Controls: LambdaTest uses an Intrusion Detection System (IDS), a Security Incident Event Management (SIEM) system and other security monitoring tools on the production servers hosting the LambdaTest product service. Notifications from these tools are sent to the Security Team so that they can take appropriate action.
• Secure Communication: All data transmissions to LambdaTest services are encrypted using TLS protocols, and we use certificates issued by SHA 256 based CA ensuring that our users have a secure connection from their browsers to use our service. We use the latest and updated cipher suites.
• LambdaTest Product is always connected to the web-app via HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery.
• Retention and disposal guidelines for all business correspondence including messages, under the defined standard.
• Segregation of the network shall be done by establishing V-LAN/ DMZ architecture. In either case, the Testing, Production and Development environment shall be segregated as well.
• Agreements have been established for the secure transfer of business information to external parties (such as customers, suppliers, and other interested parties).
• The roles and responsibilities for management of network security shall be clearly defined, communicated and reviewed regularly to ensure optimum operative effectiveness and necessary segregation of duties shall be done to attain the said objective.

LambdaTest’s Software Development Lifecycle (SDLC) standard has been established and adopted for planning, requirement analysis, design, development, testing, and maintenance of the product platform. The SDLC process was designed from the ground up and integrated into multiple stages of the development lifecycle to help keep Customer information safe and secure.

LambdaTest ensures that security and privacy principles are implemented into each of the products /platforms that are either developed internally or acquired to make sure that the concepts of “least privilege” and “least functionality” are incorporated and the development process for any acquired or developed system, application or service ensures secure engineering principles.

There are controls which are in place to achieve the information security and data protection requirements:

i. LambdaTest product security practices are measured using industry standards and methodologies. LambdaTest follows an Agile and DevOps SDLC model with focus on process adaptability, Customer satisfaction, and Quality delivery.

ii. The products are broken into small incremental builds, provided in iteration. Every iteration involves cross-functional teams /PODs working simultaneously on various areas like planning, requirements analysis, design, coding, unit test and acceptance testing.

iii. LambdaTest product Services includes many activities to enhance security and privacy posture:

• Defining security and privacy requirements
• Design (threat modeling and analysis, security design review)
• Development controls (static analysis, manual peer code review)
• Testing (dynamic analysis, 3rd party security vulnerability assessments and Pen Test)

iv. It comprises a rigorous set of comprehensive industry best practices and framework spanning software development practices, processes and tools per ISO 27001, ISO 27034 guidance and applicable OWASP and CIS standards.

LambdaTest is taking a fresh approach to building and delivering software-as-a-service (SaaS) that’s affordable, quick-to-implement, and designed for end user developers and QA.

Security by Design and Shift Left Security are core principles of building our products, securing our customers’ data, and providing a highly resilient environment.

Security Automation

At LambdaTest, automation enables application security to scale across the company and provide continuous security coverage while also keeping up with the rapid pace of innovation. Our static and dynamic analysis initiatives, which target software code, collections of configuration data, request/response traffic, and application logs, help LambdaTest to secure the entire software development lifecycle.

• Static code analysis — Our automated code analysis platform leverages both open source and commercial tools to scan code repositories. We provide feedback directly to our developers in line with their development workflows, when issues are easiest to mitigate. These tools, along with capabilities unique to our environment, help LambdaTest deliver the highest possible security in our source code.
• Dynamic analysis — Similar to our approach to static code analysis, LambdaTest uses custom-built and commercial tools to identify security vulnerabilities at runtime.
• Software composition analysis — We closely monitor the usage of third-party components in our products and services and regularly review the security posture of these components using both in-house and commercial solutions. When we find a vulnerable or end-of-life component, we alert our developers, helping ensure timely mitigation.
• Asset inventory and metadata — A rich set of company-wide metadata helps our application security team gain deeper insights into LambdaTest products and services.

Security Testing in Development

LambdaTest prioritizes the security of newly developed information systems, upgrades, and new versions through comprehensive testing and verification practices. Our approach includes:

• Thorough testing of new systems, upgrades and new versions, integrating security testing at every stage.
• Testing against predefined functional and non-functional security requirements.
• Development of detailed test plans and utilization of automated tools for defect remediation.
• In-house testing by development teams followed by independent acceptance testing.
• Rigorous testing for outsourced development, with contracts addressing security requirements.
• Testing in environments mirroring production settings to ensure reliability and prevent vulnerabilities.

Separation of Development, Test and Production Environment

LambdaTest enforces a strict policy to ensure the separation and protection of our production, testing, and development environments. We employ robust measures to prevent unauthorized access and changes, including strict granular access controls, rigorous testing procedures, and continuous monitoring. Our policy mandates the segregation of duties, prohibiting any single individual from making changes to both development and production without prior review and approval. We are committed to maintaining a secure and resilient environment while facilitating efficient development and deployment processes. Regular reviews of access controls and updates are conducted to align with evolving technology and regulatory requirements.

LambdaTest production environment is logically segregated from the development, testing, and staging environment with concepts of virtual private cloud and subnets. No customer data and test execution data are used in our development or test environments.

Network Infrastructure Overview

LambdaTest network architecture is designed using a multi-tired security framework with each tier complementing the other to provide a fault-tolerant architecture. All the services and data are hosted in Virtual Private Cloud (VPC) and are mirrored across multiple availability zones.

The application makes use of the core infrastructure elements from AWS and Microsoft Azure:

• Load Balancer for network load balancing service
• Elastic Compute Cloud Component (EC2)/ Virtual Machines as virtual servers.
• Relational Database System / Azure SQL as database
• Transform and Load capabilities
• Key Management System (KMS) for component encryption key management
• VPC / Vnet for dedicated network within the cloud space
• S3 buckets / Storage Blobs for storage service
• SQS for message queuing and batch processing service
• Cache layer is hosted using CDN and Cloudflare
• Geo-proximity using route 53 and Cloudflare

The Load Balancer is where all the external connections are terminated. The Load Balancer and Cloudflare WAF provide DDoS protection from the external network. The Load Balancer transfers the incoming connection to the private subnets that contain the application stack.

The platform integrates with a set of external technology components as well and these are specifically called out as sub-processors. In addition, we provide the ability to integrity with a few third-party apps or API-based integrations with custom apps that are within our Customer’s environment.

Networking Security Overview

The network has been decoupled and has multiple firewall rules that reduce the surface of attacks in case of any breach. We have configured our firewall in deny-all mode, which allows only explicit traffic that meets the specific criteria set in our firewall security groups. Further, we have configured advanced routing rules and criteria across the network security groups to secure our network and services from advanced web application exploits that could compromise the application security, or availability or consume more network resources.

All inbound HTTPS calls hit the reverse proxy that acts as the first level of application load balancer. The high availability zones are made resilient with Load balancers. Cross network access is disallowed due to security reasons.

Using a combination of Load Balancer, network firewall, and highly scalable DNS services we have implemented strong DDoS mitigation capabilities. Cloudflare WAF (web application firewall) has been deployed to block Layer 7 and layer 4 attacks and also to protect against Distributed Denial of Service (DDoS) protection service along with rate limiting.

The VPC’s / Vnet features and associated capabilities are:

• Security groups act as a firewall, controlling both inbound and outbound traffic at the instance level.
• Network Access Control Lists (ACLs) act as a firewall for associated subnets, controlling both inbound and outbound traffic for each subnet (private network) within VPC.
• Administrative access is secured using SSH connection between Bastion host and individual platform components.

Muti-Tenancy

Each application is serviced from an individual virtual private cloud and each customer is uniquely identified by a tenant ID. The application is engineered and verified to ensure that it always fetches data only for the logged-in-tenant. Per this design, no customer has access to another Customer’s data.

Configuration Management

LambdaTest prioritizes the secure configuration of all our systems and networks. We have established templates based on industry best practices, regularly updating them to address evolving threats. Our detailed configuration records, managed through a robust change management process, ensure accountability and traceability. Continuous monitoring allows us to promptly address any deviations from our target configurations.

With clear roles and responsibilities in place, we are committed to maintaining the integrity and security of our infrastructure to safeguard our assets and uphold data confidentiality, integrity, and availability.

LambdaTest is governed by a set of technical documents that specify a security hardening and baseline configuration to safeguards customer data. LambdaTest’s security hardening and baseline configuration standards are based on industry-leading practices defined by the Center for Internet Security. Security hardening and baseline configuration standards apply to servers and network devices throughout the production environment. These standards are reviewed and updated as part of any significant change to the production environment, including introducing new technology that was not previously covered. Each of the tracks has developed hardening checklists for devices/applications under their scope and incorporated the same in the production environment.

Encryption and Tokenization

Data at rest is encrypted using AES-256 bit standards with keys being managed by key management services.

All data in transit is encrypted using HTTPs with TLS 1.2 and above over a secure socket connection for accounts hosted in the LambdaTest domain (LambdaTest.com). For accounts hosted on independent domains, an option to enable a secure socket connection is available.

We use (DigiCert) certificates for domain management and ISRG Root X1 (chain of trust Let’s Encrypt) is the certificate authority. We are using email-based verification to obtain certificates. These certificates are managed via AWS ACM and Digicert panel. The certificates are set to renew every 365 days. Only dedicated members of the cloud infrastructure team will will view and download the certificate details.

All passwords at storage are one-way hashed and salted using bcrypt.

All third-party API calls are authorized using OAuth 2.0, and the access tokens are secure in an encrypted database.

Code Security

At LambdaTest, we prioritize secure coding principles to safeguard our systems, applications, and services. It applies to all development activities. OWASP Secure Coding Guidelines are shared with the engineering team, and Developers are also trained on the secure coding guidelines by the Security Engineering team at least on an annual basis.

Code repositories are secured with strong access control and permission to prevent unauthorized access and modification. Regular backup of code repositories and version control histories areis performed to minimize data loss.

We adhere to the following guideline:

Planning and before coding:

• Identifying and addressing common vulnerabilities
• Configuring and maintaining development tools for secure coding
• Qualifying developers in secure coding practices
• Integrating secure design and architecture
• Adhering to established coding standards
• Conducting development activities within controlled environments

During coding, we:

• Utilize secure coding practices
• Employ structured programming techniques
• Document code thoroughly
• Conduct testing throughout the development lifecycle, including SAST processes

Before operational deployment, we assess the attack surface and adhere to the principle of least privilege and perform an analysis of common programming errors and document mitigation strategies.

For review and maintenance:

• We ensure secure packaging and deployment of updates
• Promptly address reported vulnerabilities
• Safeguard source code against unauthorized access
• Prioritize management and updating of external tools and libraries
• Carefully evaluate modifications to software packages considering risk, maintenance, and compatibility.

Static code analysis is performed for new code that is developed.For every code commit, automated static code analysis (SAST and SCA) is performed using SNYK and GitHub SCA for quality and security issues. All the Code is also scanned via trufflehog security for the hardcoded secrets and credentials.

Bugs Reporting

LambdaTest takes the security of its systems seriously and values the security community. The responsible disclosure of security and privacy vulnerabilities helps LambdaTest in ensuring the security and privacy of its users. Bugs can be reported through email at security@lambdatest.com

Application Security

We take steps to securely develop and test against threats to ensure the safety of our customer data. LambdaTest maintains a Secure Development Lifecycle, in which training our developers and performing design and code reviews take a prime role. In addition, LambdaTest employs third-party security experts to perform detailed penetration tests on different applications within our family of product platforms.

Protection from Zero-day exploits

LambdaTest prioritizes protection against zero-day exploits within its Zero Trust model, employing strict access controls, micro-segmentation, continuous monitoring and a robust incident response.

LambdaTest partners with organizations that like itself adhere to global standards and regulations. These organizations include sub-processors or third parties that LambdaTest utilizes to assist in providing its products. The list of sub-processors along with their roles in processing and their processing location are disclosed in the following link: https://www.lambdatest.com/legal/sub-processor

Third Party Onboarding

Based on the nature of data involved, vendors are classified into 5 categories:

• Category 1 – Handles Customer Data (store, process, transmit. (eg – Microsoft Azure, AWS)
• Category 2 – LambdaTest internal critical production tools (eg – SIEM, CRM)
• Category 3 – LambdaTest internal business tools or applications (eg – Slack, Google Suite)
• Category 4 – LambdaTest internal business tools involving employee PII (eg – HRMS)
• Category 5 – LambdaTest internal business tools not involving PII (eg – anonymous feedback)

All vendors will have to fill up a questionnaire and undergo information security and privacy compliance review. External audit reports and compliance certificates are mandated for Category 1. For all Category 1 applications, LambdaTest will provide 15 days advance notice to existing customers prior to introducing the vendor in the production environment. Sign-off from the Legal team and MSA/DPA and /or BAA as applicable will be executed with the application /vendor as part of the contracting process.

For all others, while the audit reports are requested, however in the absence of it, internal audit reports and policy procedures are reviewed and audited for deciding the security and compliance clearance. This is handled by the LambdaTest vendor management team.

Third-Party Risk Management

Regular assessments are conducted on such service providers to ensure data is processed in a fair manner, and that data is processed only for the purposes it was collected. Apart from evaluation for technical requirements, an examination for data protection measures, compliance with LambdaTest’s security and privacy requirements and audits reports review is conducted before on-boarding the service provider. Various checks on the service provider’s vulnerability, patch management processes for intrusion protection capabilities are reviewed. Copies of the access management process, third-party vulnerability testing reports, SOC 2 reports, ISO 27001 /27701 reports, PCI DSS AOC etc. are shared by the service partner and reviewed by LambdaTest as a part of due diligence.

Data Governance

Requirements regarding breach notifications and reporting obligations flowed down to LambdaTest sub-processors through the Data Processing Addendum executed with such sub-processors. All the contracts are reviewed by the Legal team (and by GRC team re: breach notification and reporting obligations, rights to audit, support for subject access requests and other security and privacy safeguards) prior to execution and the GRC team reviews the service providers on a periodic basis as per its Risk Management Process.

LambdaTest makes it easy for businesses to delight their customers and employees. We do this by taking a fresh approach to building and delivering a software-as-a-service (SaaS) cloud Testing platform that’s affordable, quick to implement, and designed for the end user developers and QA.

LambdaTest follows the ISO 27001 control standard framework cross-reference with NIST SP 800-53 Rev 5, SOC 2, CSA, PCI DSS, HIPAA, GDPR, CCPA, etc. LambdaTest has comprehensive privacy and security assessments and certifications performed by third parties. Such certifications include SOC 2 Type II, ISO 27001:2022, ISO 27017:2015, and ISO 27701:2019 standard certifications.

Cloud Resiliency powered from Architecture

LambdaTest hosts all its applications (products) and Customer data (hosted data) in AWS (Amazon Web Services) and Azure data centers. Being a SaaS product, availability along with smooth functioning to the users is one of the key objectives.

Architecture: LambdaTest network security architecture consists of multiple security zones. More restricted systems like database servers are protected in our most trusted zones. Other systems are hosted in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply. DMZs are utilized between the internet and internally between the different zones or trusts.

Protection: Our network is protected through the use of key AWS security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.

Redundancy: LambdaTest employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Disaster Recovery service offering allows us to deliver a high service availability, as customer or test data is replicated across availability zones.

LambdaTest has defined the security incident management process to classify and handle incidents and security breaches. A dedicated incident management team has been established, consisting of individuals with the necessary technical expertise and authority to respond to information security incidents. The information security team is responsible for recording, reporting, tracking, responding, resolving, monitoring, reporting, and communicating about the incidents to appropriate parties in a timely manner. The process is reviewed, updated as part of periodic internal audit and is audited as part of ISO 27001 and SOC 2 Type II assessment.

The plan outlines the procedures to be followed in the event of an information security incident, including the roles and responsibilities of the incident management team. Information security incidents shall be classified based on their severity and impact on the organization's operations. This classification will determine the appropriate response actions and escalation procedures.

You may contact our 24x7 hotline at security@lambdatest.com to report complaints/breaches.

Breach Notification

LambdaTest has processes established for early identification and reporting of incidents/breaches. Accordingly, as data controllers, we notify the concerned Data Protection Authority of breach within 72 hours after we become aware of it. Depending on specific requirements, we will notify to Customers too, when necessary. As data processors, we inform the concerned data controllers without undue delay. The Data Protection Officer is responsible for reporting to Customers about security incidents/breaches.

Customers will have a dedicated Customer Success Manager who will be the SPOC for reporting. The account owner/admin of the Customer’s LambdaTest platform will be notified of any security incident that has an impact on the Customer. If there are any email DLs, we will also be able to report the same. We are happy to contractually agree on such requirements with a mutual concurrence.

Business Continuity Plan

LambdaTest has a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) defined and implemented to enable people, process, and technology support during any crisis or business interruptions. Appropriate roles and responsibilities have been defined and documented. LambdaTest Customer Success team will be responsible for communication and notification during a crisis. In case of a crisis, the BCP team shall contact relevant authorities such as service utilities, emergency services, electricity and health and safety for support in connection with business continuity. Information security shall be maintained across appropriate levels during disruption.

Recovery Time Objective (RTO): LambdaTest will aim to restore its normal operations within four hours from the time a disaster is declared, unless a disaster or multiple disasters or impacts all of the Availability Zones used on an account.

Recovery Point Objective (RPO): LambdaTest has configured its infrastructure to provide one hour or less of data loss. This is calculated from the point of the disruption, and not from LambdaTest’s disaster declaration.

LambdaTest would continually review the business continuity program based on lessons learned from actual events, exercises, and audits. This includes updating BCPs, refining response procedures, and enhancing training and awareness efforts.

Business Impact Analysis

Business Impact Assessment (BIA) is carried out for all applicable processes which form the basis for BCP & DRP. All critical operations, processes, and facilities are included as part of BIA, and accordingly BCP and DRP requirements are planned. Dependencies are identified and all strategies that are applicable have been considered as part of BCP and DRP requirements.

Crisis Management

LambdaTest had established a Crisis Management Team (CMT) responsible for coordinating response efforts during emergencies. The CMT will be composed of senior leaders from key functional areas and will be tasked with decision-making, communication, and resource allocation during crises.

ICT Readiness

LambdaTest is dedicated to ensuring the resilience of its ICT services by maintaining an organizational structure equipped to prepare for and respond to disruptions, regularly evaluating and approving continuity plans aligned with business objectives, and outlining comprehensive performance, recovery time, and recovery point objectives

Real-Time Back-Up

All data hosted on the cloud is synced real-time (with cross-regional network latency) across the AZs or to a separate AWS and Azure region other than the one which hosts Customer serving infrastructure. Each AWS and Azure AZ or region is designed to be completely isolated from the AWS and Azure regions & hence helps achieve the greatest possible fault tolerance and stability. Data sync happens in active -active model and is equipped to independently handle the load in case of any failures. Backup and restore testing are conducted on an annual basis for ensuring the integrity of backup and effectiveness of restore processes within the organization.

Fault Tolerance using High Availability & Redundancy

LambdaTest uses high availability solutions to provide continuous service to its Customers. LambdaTest provides the highly available/ high availability (HA) services using AWS and Azure Availability Zones (AZ) within the AWS and Azure region in which LambdaTest hosts the application for the Customers. Each AWS and Azure Data Center (DC) region has multiple isolated AZs. LambdaTest places resources and data in multiple of these locations within the region.

Each AZ is physically separated within metropolititan region, connected through low latency links, located in lower risk flood plains, supported by different grids for power supply and multiple tier-1 transit providers, UPS, and on-site backup generators, reducing Single Points of Failure (SPOF).

Testing and Exercise

The BC and DR Plan is tested and reviewed on a yearly basis by the LambdaTest Information Security Officer (ISO) and approved by ISCSC (Information Security & Compliance Steering Committee). On a yearly basis, training on BCP and DRP requirements is provided to all relevant workforce members involved in the process. The BCP and DR plan of LambdaTest is reviewed and audited as part of ISO 27001 standards and SOC 2 Type II covering availability as one of the trust service principles.

In light of the evolving threat landscape and the increasing sophistication of cyberattacks, it is imperative for LambdaTest to adopt a robust security framework to safeguard our digital assets. Recognizing the criticality of endpoint security in protecting our systems and data, we have implemented a Zero Trust model to fortify our defenses and mitigate potential risks.

All devices including but not limited to computers, laptops, and mobile devices shall be considered untrusted by default. Access to resources, applications, and data shall be granted based on continuous authentication, least privilege access principles, and contextual factors rather than implicit trust in the network or device.

All employees have company provided assets (ie. Laptops) for carrying out their responsibilities. These endpoints will have standard builds deployed with MDM solutions for control and management of devices and are authenticated via single sign on (IAM) and two factor authentication(2FA).

Antivirus is deployed in all endpoints for protection against viruses and malware. On a periodic basis, signature updates are pushed to all systems. SentinelOne is an AI and ML supported antivirus and antimalware which implements multiple methods of protection at critical phases of an attack lifecycle to prevent the execution of malicious programs and stop the exploitation of legitimate applications. It proactively detects and defends against zero-day exploits by identifying and analyzing patterns and behaviors indicative of exploitation techniques and malicious software. The system stops malware, known exploits and ransomware before they can compromise the endpoints and provides protection both during online and offline modes.

All employees have company provided assets (ie. Laptops) for carrying out their responsibilities. These endpoints will have standard build deployed with MDM solutions for control and management of devices and are authenticated via single sign on (IAM) and two factor authentication.

All laptops and workstations are secured via full disk encryption and are provisioned off a centrally managed image. We apply updates to employee machines on an ongoing basis and monitor employee workstations for malware. We also have the ability to apply critical patches or remote wipe a machine via device manager. Wherever possible, we use two-factor authentication to further secure access to our corporate infrastructure.

User Endpoint Devices

LambdaTest have established and communicated a comprehensive procedure for secure configuration and management of user endpoint devices, addressing information handling, device registration, physical protection, update requirements, network connections, access controls, encryption, malware protection, remote management and, partitioning user and organizational data.

Use of Personal Devices

Our organization prioritizes the security of business information on personal devices (BYOD) by enforcing separation of personal and business use, acknowledging user responsibilities, implementing remote data wiping measures, addressing intellectual property rights disputes, and ensuring compliance with software licensing agreements and relevant legislation.

Email Security

All emails are signed by the LambdaTest.com domain. The email are encrypted at transit.

LambdaTest has developed a Risk Management Framework as part of the Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2022 standard. The information security and GRC team assess security risk annually and on an ongoing basis when any major internal changes occur or when significant events occur in the industry. LambdaTest identifies and documents potential risks to its assets, including but not limited to information systems, data, facilities, and personnel. LambdaTest has implemented an integrated control system characterized using different control types (e.g., layered, preventative, detective, corrective, and compensating) that mitigates identified risks.

Information security risk management is integrated into the SDLC, and information security roles and responsibilities are defined for all SDLC phases. When developing software or systems LambdaTest performs thorough testing and verification during the development process. The risk management process shall be integrated into the change management process at all levels. Risks associated with proposed changes shall be identified, assessed, and addressed in a timely manner to minimize potential negative impacts. A formal acquisition process which includes risk assessment, is followed for purchased commercial products, and supplier contracts include the identified security requirements.

LambdaTest continuously monitors and reviews the effectiveness of risk management processes and controls. This includes regular reviews of risk assessments, incident reports, and security controls to ensure they remain adequate and up-to-date. Risk assessments include the evaluation of multiple factors that may impact security as well as the likelihood and impact from a loss of confidentiality, integrity and availability of information and systems.

Information security risks associated with the execution of projects, such as security of internal and external communication aspects are considered and treated throughout the project life cycle.

RA shall be performed on a recursive manner bi-annually or whenever any of the following changes occur:

• Technology, infrastructure or process-related changes
• Introduction/change of suppliers
• Change the leads to exceptions to LambdaTest polices
• Changes that affect the legal or regulatory requirements of the system
• Any other changes that are considered to be significant by the management of LambdaTest

Sources for risks can be of the following nature, but not limited to:

• Self-Assessment includes security and process risks
• Customer Complaint /Feedback
• Internal /External Audit
• Regulatory Requirement
• Security Incident /Event
• Technology /Geo-Political Change

Key enablers such as people, premise, process, and technology shall be documented for each risk identified in the risk register to ensure appropriate control implementation. Risk register includes strategic, financial, environmental, safety, people and reputation risks.

Mitigation strategies shall be developed and implemented to address identified risks effectively. These strategies may include technical, administrative, and physical controls aimed at reducing the likelihood and impact of potential incidents.

​​The risk treatment plan identifies risks and nonconformities, corrective actions, resources, responsibilities and priorities for managing information security risks is regularly reviewed and updated.

Appropriate Risk treatment plans (Reduce Risk, Avoid Risk, Transfer Risk, Retain Risk) will be considered and approved by the CEO and Risk Owner. The risk assessment, top risk selection and risk treatment plans are reviewed, and progress is tracked by the ISCSC.

LambdaTest has the below process and control for handling vulnerabilities on our products and infrastructure.

Source Code

Secure coding guidelines based on OWASP Secure Coding Guidelines are shared with the engineering teams. The guidelines shall include but are not limited to Input Validation, Output Encoding, Session Management, Error Handling and Logging. Developers are also trained on the secure coding guidelines by the Application Security team at least on a yearly basis.

Product

On an annual basis, external VAPT for the product is performed by external third-party audit firms. This is a gray box testing where the external vendor is provided with an application walkthrough; automated scans for any identifying weakness in the application, OWASP top 10 vulnerabilities and manual tests covering application features such as authorization, authentication, session management, injection, input validation, transmission security.

Issues identified on all these activities are logged as tickets (internal tool) and are fixed by the respective teams as per defined vulnerability management process SLA. ( Critical -01 to 7 days | High – 15 days | Medium -30days | Low – 45days). Delays if any are notified to the respective department head and for exceptions to the CEO through risk tracker.

Cloud Infrastructure

LambdaTest uses AWS and Microsoft Azure for our infrastructure. All our network w.r.t to the product is managed by the LambdaTest cloud infrastructure team. The network components include EKS, Application server, Web server, cache, background servers, database servers, S3 are other components making up the application and data layer. Only the necessary traffic required for business are allowed, the rest all are blocked via security groups and NACL (network access control).

We use Docker containers, which are scanned internally daily via security hub and SNYK, and scans are performed for identifying security misconfigurations against CIS benchmarks.

LambdaTest application security team and DevOps team perform hardening on servers and network components against the CIS benchmark and ensure necessary hardening is in place.

LambdaTest runs quarterly scans using automated and manual test methods. We have subscribed to a vulnerability database for our environment and trigger alert notifications. SIEM tool is used for continuous monitoring. Vulnerabilities identified are logged as tickets in internal tools and are fixed by the respective teams as per defined vulnerability management process and SLA.

Monitoring & Operations

The NOC (Network Operation Center) and SOC (Security Operation Center) teams are responsible for performing proactive monitoring of information security events and alerts and provide situational awareness through the detection, containment, and remediation of any suspected or actual security incidents. The team ensures that tactical rules and data sensors are configured to provide suitable early warning and alerts. The team works on a 24x7 basis to identify, analyze, communicate, investigate, report on critical information security events.

Early warning signals have been configured that trigger alerts to our NOC and SOC teams based on event patterns and strict thresholds. The scope of monitoring is exhaustive and covers the network perimeter, all the service zones and we recognize events based on signatures, patterns, and corrections that catch false negatives and eliminate false positives. We are equipped to detect and mitigate persistent threats or DDOS, session hijack, login spoofs or any other data extraction strategies.

Patch Management

LambdaTest patch management process is governed by the applicable policy and standard to ensure that all patches, security and otherwise, are deployed in accordance with defined SLAs.

Testing and Scanning

• LambdaTest conducts multiple types of security scans.
• Those scans include internal, external, authenticated and unauthenticated scans.
• These processes are conducted both by LambdaTest and third-party resources.

Note: Customers are not allowed to conduct their own scans without explicit permission. To request permission customers must work with their LambdaTest account teams in order to receive the appropriate authorization from the LambdaTest security team.

Data Leakage Prevention

At LambdaTest, we prioritize data security through robust policies and tools encompassing identification, prevention, and monitoring of data leakage, backed by stringent measures, user accountability, data leakage prevention and strategies to thwart adversarial intelligence.

Mechanism is in place to prevent leakage of sensitive information. All external USB ports on LambdaTest machines are restricted by default. Removable mass storage is restricted by default on the workstations and are enabled only after the appropriate approval & business justification.

LambdaTest does not deploy a standard DLP solution. LambdaTest collects logs from infrastructure systems and endpoints containing details about installed software packages and network traffic. Traffic is monitored at different points in the network. Network, host, and application level anomaly detection is in place, leveraging custom built applications and services working in conjunction with centralized logging and system monitoring platform. LambdaTest has a centralized device management solution and other supports solutions in-place that provides LambdaTest's capability to remote wipe the data on BYOD and/or mobile devices when necessary. Hard drive encryption solution is deployed on laptops for protection of data. Content filtering is enabled and user access is monitored continuously as per defined policies. Access to public email IDs like Gmail and shared drives are blocked from LambdaTest network and laptop . LambdaTest Corporate published mobile applications & mail access on mobile devices are protected using passcode or biometric (based on device support). Additional security controls viz secured container screen shot prohibition etc. are enabled on mobile applications.

No documents are stored in print and further access to printers is restricted only to senior management. Any document printouts (if required) are to be shredded and disposed-off once the requirement is over for which clearly marked shredders are installed next to printers.

Encryption of Data in Transit and at Rest

LambdaTest encrypted Restricted and Confidential data in transit and at rest. Restricted information is the most sensitive form of information. It is so sensitive that disclosure or usage would have a definite impact on LambdaTest’s business. Extremely restrictive controls need to be applied (e.g., very limited audience and those who are authorized to have such a form of information Examples include employee personal information, Personal identity information (PII), Financial Account Data (on individuals), strategic plans, investment decisions, etc. Confidential information is distributed on a “Need to Know” basis only. It is so confidential that disclosure or usage would have a definite impact on LambdaTest’s business. Examples include System Security Parameters and Risk Assessment or Audit records, Intellectual Property, Customer Data, business plans, unpublished financial statements, Firewall and Router Configurations, Service Contracts, etc. LambdaTest restricted and confidential data is encrypted during transmission outside LambdaTest-owned or managed networks. Network communications between customers and LambdaTest platform are encrypted until the session is terminated or the user logs out of the session.

Information Deletion

At LambdaTest, we prioritize the timely and secure deletion of confidential & restricted information, adhering to stringent policies and procedures to mitigate risks and uphold data integrity throughout its lifecycle.

LambdaTest adhere to guidelines for securely deleting confidential /restricted information, including selecting appropriate deletion methods based on business needs and regulations, documenting deletion results, obtaining evidence of deletion from third-party service providers, configuring systems for secure destruction, removing obsolete copies, using approved deletion software, employing certified disposal services for physical media, and choosing appropriate disposal mechanisms based on storage media type, to mitigate the risk of unauthorized access or disclosure.

Privacy and Protection of PII

At LambdaTest, we prioritize the privacy and protection of personally identifiable information (PII). We have established clear policies and procedures, communicated to all stakeholders, to ensure compliance with relevant laws and regulations. Our designated privacy officer provides guidance on individual responsibilities, and we implement robust technical and organizational measures to safeguard PII. By adhering to these measures, we uphold the trust of our customers, employees, and stakeholders.

Data Retention and Disposal

LambdaTest processes and stores Test execution data from its Customers while providing LambdaTest Services or transmitted via the LambdaTest platform by or on behalf of our Customers.

These data include reports, tests, networks, browser process logs, other artifacts, authentication, licensing, and test execution metadata (e.g. test status, duration, name, browsing sessions, search history) and other information that Customers may provide during testing.

All the Test execution data from executed VM or Real Device gets deleted as soon as the test is completed, which means if you run any test twice, you will get a new clean, and sanitized machine or device. This means the VM where the test gets executed gets deleted as soon as the test ends. While real devices will only be put into the public pool after the clean-up process is complete.

All test execution data reports are available from the LambdaTest platform interface. Test execution data reports and other Test execution data are stored for 30 days and then automatically deleted. Customers who require longer data retention periods are encouraged to download their data directly.

We will retain your LambdaTest Account data and personal information only for as long as it is necessary. Personal Information that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. If you have an association with us, we will only keep the data while your association is active or for as long as needed to provide services to you and, as further needed for us to comply with our legal and contractual obligations.

Disposal of Data - Test execution data is disposed of in a method that renders the data unrecoverable, to the​ ​​extent reasonably possible, in accordance with industry best practices for wiping off or cleaning up electronic media (e.g.​ ​NIST SP 800-88).

Protection of information systems during audit testing

At LambdaTest, we prioritize information security to safeguard our systems and data. Our policy ensures that audit access and testing are conducted with precision and caution:

i. All audit requests are approved by management.

ii. Technical audit tests are scoped and controlled.

iii. Tests are limited to read-only access or supervised execution by experienced administrators.

iv. Tests affecting system availability are scheduled outside business hours.

v. Access is monitored and logged for accountability.

By adhering to these guidelines, we maintain robust security while facilitating necessary audits. Periodic reviews ensure alignment with evolving needs.

LambdaTest’s control environment provides the foundation for all components of internal controls, including the ability to operate and manage logical and physical access, data security, incident response, change management, security and privacy operations and monitoring. These are further described in the control activities section below. LambdaTest’s control environment reflects the philosophy of Top management concerning the importance of well-designed security and privacy controls operating in environments where computer processing is performed.

LambdaTest is committed to conducting business with the highest ethical standards and integrity. Employees are expected to conduct their work in accordance with governing documentation as defined by LambdaTest. The LambdaTest Code Conduct addresses the many situations that may raise ethical issues in business transactions, including compliance with law, regulation, and governing documentation. The Code of Conduct outlines the principles that guide LambdaTest’s interactions with employees, customers, partners, stockholders, and communities.

LambdaTest is led by the Chief Executive Officer (CEO) with the assistance and corporate oversight of the Board of Directors. The CEO and Board of Directors provide the overall corporate oversight, strategic direction, and review of management for LambdaTest. The CEO and Board of Directors meet at least quarterly and perform management review in regards to the overall company risk, audit and governance. LambdaTest has an Information Security & Compliance Steering Committee (ISCSC) which is governed by a Charter. The ISCSC Charter specifies requirements for independence and oversees the following functions.

• Enterprise Risk Management
• Regulatory, Contractual and Legal Compliance
• Internal Audit Functions
• Information Security Functions
• Privacy and Compliance Functions
• External Audit Function

The GRC team within LambdaTest performs internal audits on a yearly basis for all the processes and controls defined. The audits findings are reported directly to the ISCSC. The GRC team tracks and reports the remediation of the audit findings till its closure.

The Security Product & Engineering (Application Security) team within LambdaTest provides the necessary training and guidelines for the Development and QA testing team on Secure coding and testing practices. Development team uses static code analyzers for performing code review. Issues or vulnerabilities, if any identified, will be fixed by the development team and will be handed over to the QA team. The QA team will perform security testing manually and using tools and report the issues in the tracking tool (Atlassian-Jira). Development team will fix the issues. This cycle of revalidation will continue until all the issues are addressed.

The Application Security team will perform vulnerability assessment and Penetration testing (VA & PT) on all LambdaTest products platform production environment in an iterative cadence cycle. As per cadence, the security team does Quarterly manual and automated web application penetration testing for LambdaTest platforms. For all other remaining environments (Staging, Pre-pod, development, testing), manual and automated penetration testing will be performed semi-annually. Application security team will report identified security vulnerabilities in the internal tool (Atlassian-Jira) and the respective product team will be notified to resolve the reported vulnerabilities within the defined SLA.

External cyber security organizations are engaged to perform the independent VA & PT annually. Also, LambdaTest has been independently audited by one of the global audit firms based on the SOC 2 Type II framework covering security, confidentiality, process integrity, availability and privacy trust service principles.

LambdaTest ensures controls are in place to be aware of and complies with all applicable statutory, regulatory and contractual compliance obligations, as well as internal company standards.

LambdaTest is committed to providing secure products and services by implementing and adhering to requirements under GDPR,CCPA and other privacy & data protection acts, both as a data controller and processor. LambdaTest is ISO 27001:2022, ISO 27701:2019, ISO 27017:2015 and SOC 2 Type II standard certified and has a comprehensive privacy & data protection program headed by the privacy team with assistance from the information security team. Key privacy principles support that - Accountability, Privacy by Design and Default, Data Minimization, and Subject Access Rights etc.

i. LambdaTest has established a formal Compliance Policy and Procedure, which addresses aspects of compliance required to be adhered to and fulfilled to LambdaTest’s Information Security, and Privacy Policies. This policy also addresses the legal and compliance requirements of relevant statutory legislation and contractual and regulatory obligations to which LambdaTest is supposed to adhere to protect its documents, records, and assets, thereby preventing the misuse of information processing facilities. Such efforts would help LambdaTest establish, maintain, and sustain the desired information security and privacy posture aligned with the LambdaTest strategic business plan, based on the best practices, standards, and principles.

ii. LambdaTest is committed to and conducts its business activities lawfully and in a manner that is consistent with its compliance obligations. The Legal and Regulatory Compliance (Compliance Policy) establishes the overarching principles and commitment to action for LambdaTest to achieving compliance by:

• Identifying a clear compliance framework within which LambdaTest operates.
• Promoting a consistent, rigorous, and comprehensive approach to compliance throughout LambdaTest.
• Developing and maintaining practices that facilitate and monitor compliance within LambdaTest.
• Seeking to ensure standards of good corporate governance, ethics, and community expectations.

iii. LambdaTest has been identifying all relevant regulatory and legislative requirements as per its contractual requirements and organization’s operational requirements and defining, documenting, and updating it on a regular basis.

iv. All records, as mandated by statutory/legal/regulatory authorities in India or of foreign origin, for which LambdaTest is responsible for compliance, will be protected from loss, destruction, falsification, unauthorised access, unauthorised release and intentional or unintentional damage through natural causes.

v. The retention limit of statutory records will be as mandated by the applicable legislation. However, for business records/documents, the business group heads and or HODs shall determine the retention limit with justification.

vi. LambdaTest will always seek to protect the privacy of the personal information of its customers, employees, and third parties with whom LambdaTest has signed the third-party agreement. Divulging of facts will be done only in keeping with statutory /contractual /regulatory / legal requirements. Such information will always be protected from getting misused, leaked, or falsified or traded with any interested party knowingly or unknowingly.

vii. Where logs are required to be maintained as per contractual/regulatory/statutory/legal requirement, these will be maintained for a specified duration.

viii. Manufacturing guidelines shall be followed for storing and handling the data. Data or records that are no longer required for business, legal, and/or regulatory purposes will be disposed of securely.

ix. Legal restrictions on the use of assets in respect of which there are IPRs (such as copyright, software license, trademarks, design rights, and others) will be complied with.

x. Intellectual Property Rights of software programs, documentation and other information generated by or provided by LambdaTest users, consultants, and contractors for the benefit of LambdaTest, will be the property of LambdaTest.

xi. Intellectual Property Rights will be included in all contracts. LambdaTest shall clearly define and document its intellectual property rights, including copyrights, trademarks, patents, trade secrets, and other proprietary information and shall maintain a register of its intellectual property assets, including ownership information, expiration dates, and any licensing agreements.

xii. Relevant statutory, regulatory, and contractual requirements for LambdaTest ’s information assets will be defined explicitly. Such requirements will include, but are not limited to:

• Information Technology Laws (IT Act 2008/2011 Amended)
• Software Licensing Requirements
• Intellectual Property Rights (IPR) Laws
• Labor and General Employment Laws
• Health and Safety Laws
• Environmental Laws

xiii. As part of the information security audits by independent consultants or body, the appropriate confidentiality and non-disclosure agreements will be signed with them. And any access granted to the external party shall be restricted immediately after completion of the audit.

xiv. Compliance requirements are used to enforce a minimum level of security and privacy within LambdaTest. These are by no means a “finish line” for security and privacy. The primary compliance standards will be:

• EU GDPR
• CCPA
• LGPD
• HIPAA
• ISO 27001:2022
• ISO 27017:2015
• ISO 27701:2019
• SOC 2 Type II assessment
• Cloud Security Alliance STAR Level 1

xv. Information Security Program: LambdaTest agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data, Employee and third-parties data, as required by the Applicable Data Protection Law(s). Further, LambdaTest agrees to regularly test, assess, and evaluate the effectiveness of its Information Security Program to ensure the security of the Processing.

xvi. Any employee found to have violated this policy may be subject to disciplinary and/or legal action according to the LambdaTest Code of Conduct policy and Disciplinary process.

Please feel free to share your questions at security@lambdatest.com, grc@lambdatest.com