Security Policy

Last Updated: January 20, 2025
Version: 1.0

AES-256 Encryption

Military-grade encryption for all sensitive data

SOC 2 Compliance

Enterprise-grade security infrastructure

Zero Trust Model

Verify everything, trust nothing approach

1. Data Protection

Private Key Security

  • AES-256 Encryption: All private keys encrypted with industry-standard encryption
  • Key Derivation: PBKDF2 with 100,000 iterations for key strengthening
  • Secure Storage: Keys stored in encrypted database with restricted access
  • Automatic Deletion: Keys deleted after service completion or account closure
  • No Plaintext Storage: Private keys never stored in plaintext format

Data Classification

| Data Type | Classification | Protection Level |
|---|---|---|
| Private Keys | Critical | AES-256 + Access Controls |
| Wallet Addresses | Sensitive | Encrypted Storage |
| Email Addresses | Internal | Standard Encryption |
| Transaction Logs | Internal | Encrypted + Audit Trail |

2. Infrastructure Security

Cloud Infrastructure

  • Supabase: SOC 2 Type II certified database infrastructure
  • Vercel: Enterprise-grade hosting with automatic HTTPS
  • DigitalOcean: Secure droplets for monitoring services
  • Multi-Region: Redundant infrastructure across multiple regions
  • DDoS Protection: Built-in protection against distributed attacks

Network Security

  • TLS 1.3: All communications encrypted with latest TLS protocol
  • Certificate Pinning: Protection against man-in-the-middle attacks
  • VPN Access: Administrative access only through secure VPN
  • Firewall Rules: Strict ingress/egress controls
  • IP Whitelisting: Restricted access to critical systems

3. Access Controls

Multi-Factor Authentication

  • Admin Access: Hardware security keys required for all admin accounts
  • Database Access: MFA + IP restrictions for database connections
  • Code Deployment: Signed commits and MFA for production deployments
  • Monitoring Systems: Separate authentication for monitoring infrastructure

Role-Based Access Control (RBAC)

  • Principle of Least Privilege: Users only have minimum required permissions
  • Regular Access Reviews: Quarterly review of all user permissions
  • Automated Deprovisioning: Immediate access removal upon role changes
  • Audit Logging: All access attempts logged and monitored

4. Monitoring & Incident Response

Security Monitoring

  • 24/7 Monitoring: Continuous monitoring of all systems and applications
  • Intrusion Detection: Automated detection of suspicious activities
  • Log Analysis: Real-time analysis of security logs and events
  • Vulnerability Scanning: Regular automated security scans
  • Threat Intelligence: Integration with threat intelligence feeds

Incident Response Plan

  1. Detection: Automated alerts trigger immediate investigation
  2. Containment: Isolate affected systems within 15 minutes
  3. Assessment: Determine scope and impact of security incident
  4. Notification: Inform affected users within 72 hours if required
  5. Recovery: Restore services with enhanced security measures
  6. Post-Incident: Conduct thorough review and implement improvements

5. Compliance & Auditing

Security Standards

Current Compliance

  • SOC 2 Type II (Infrastructure)
  • GDPR Compliance
  • CCPA Compliance
  • ISO 27001 Principles

Regular Audits

  • Quarterly security assessments
  • Annual penetration testing
  • Monthly vulnerability scans
  • Continuous compliance monitoring

6. Development Security

Secure Development Lifecycle

  • Code Reviews: All code changes require peer review before deployment
  • Static Analysis: Automated security scanning of all code
  • Dependency Scanning: Regular checks for vulnerable dependencies
  • Secure Coding: Following OWASP secure coding guidelines
  • Environment Separation: Strict separation between dev, staging, and production

7. Business Continuity

  • Backup Strategy: Automated daily backups with 30-day retention
  • Disaster Recovery: RTO of 4 hours, RPO of 1 hour
  • High Availability: 99.9% uptime SLA with redundant systems
  • Failover Testing: Monthly disaster recovery drills
  • Data Recovery: Point-in-time recovery capabilities

8. Responsible Disclosure

Security Bug Bounty

We welcome security researchers to help us maintain the highest security standards. If you discover a security vulnerability, please report it responsibly.

  • Contact: security@lidoguard.org
  • Response Time: Initial response within 24 hours
  • Rewards: Bounties available for valid security findings
  • Safe Harbor: Good faith security research is protected

9. Contact Information

For security-related questions, concerns, or to report security issues:

Security Team: security@lidoguard.org
Emergency Contact: Available 24/7 via Telegram
Telegram: LidoGuard Pro Support
PGP Key: Available upon request for encrypted communications

Security is our top priority. We continuously improve our security posture and welcome feedback from the security community to help us protect our users' assets.