Security Practices
Security is not a feature we bolt on — it is the foundation of everything we build. This page describes how we protect the Lyrie AI platform and your data.
Effective: April 1, 2026 · OTT Cybersecurity LLC
1. Encryption
In transit: All connections to Lyrie services use TLS 1.2 or higher. This includes the dashboard, APIs, WAF proxy, agent communication, captcha verification, and webhook callbacks. We enforce HSTS with a max-age of 2 years, with includeSubDomains and preload set.
At rest: All data stored in databases, object storage, and backup volumes is encrypted with AES-256. Database-level encryption is always on and cannot be disabled.
Passwords: User passwords are hashed using Argon2id with per-user salts. We never store plaintext passwords.
API keys: API keys are stored as SHA-256 hashes. The full key is shown once at creation and cannot be retrieved afterward.
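The following is an added example (not Lyrie's code) of the API key handling the paragraph above describes: the key is generated from a CSPRNG, only its SHA-256 digest is persisted, the plaintext is returned exactly once, and later requests are checked by hashing the presented key and looking up the digest. The in-memory table, the `lk_` prefix, the record fields and the revoke helper are assumptions for the illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ApiKeyRecord:
    """Hypothetical metadata row; note that it has no field for the key itself."""
    owner: str
    label: str
    revoked: bool = False


# Constructed in-memory table standing in for the platform's database: it maps the
# hex SHA-256 digest of a key to its metadata. The schema is an assumption.
_api_key_table: Dict[str, ApiKeyRecord] = {}

KEY_PREFIX = "lk_"  # hypothetical prefix; makes leaked keys easy for secret scanners to spot


def hash_api_key(key: str) -> str:
    """The only form of the key that is ever persisted."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def create_api_key(owner: str, label: str) -> str:
    """Mint a key, store only its hash, and return the plaintext exactly once."""
    key = KEY_PREFIX + secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _api_key_table[hash_api_key(key)] = ApiKeyRecord(owner=owner, label=label)
    return key  # the caller displays this once; nothing server-side retains it


def verify_api_key(presented: str) -> Optional[str]:
    """Return the owner for a live key, or None for an unknown or revoked key.

    Because the stored value is a hash of a 256-bit random secret, the lookup is a
    plain digest match: an attacker cannot craft partial matches to exploit timing.
    """
    row = _api_key_table.get(hash_api_key(presented))
    if row is None or row.revoked:
        return None
    return row.owner


def revoke_api_key(key_digest: str) -> bool:
    """Revoke by stored digest (what the dashboard holds); True if a row was found."""
    row = _api_key_table.get(key_digest)
    if row is None:
        return False
    row.revoked = True
    return True


if __name__ == "__main__":
    shown_once = create_api_key("user-42", "ci-pipeline")
    print("display to user once:", shown_once)
    print("stored digest:", hash_api_key(shown_once))
    print("verified owner:", verify_api_key(shown_once))
```

Run directly, the script prints the plaintext key once and the digest that is actually stored; a database dump of `_api_key_table` contains no plaintext, which is what makes "cannot be retrieved afterward" true rather than merely a UI choice.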
Secrets management: Internal secrets (database credentials, third-party API keys, signing keys) are stored in encrypted environment variables and rotated on a regular schedule.
2. Authentication & Access Control
Multi-factor authentication: TOTP-based 2FA is available for all accounts and enforced for admin accounts. Email OTP is provided as a fallback. Backup codes are generated at 2FA enrollment.
Session management: Sessions use signed, HttpOnly, Secure, SameSite=Strict cookies. Session tokens are rotated on refresh. Concurrent session limits are enforced per plan tier.
Role-based access control: The platform implements RBAC with User, Admin, and Investor roles. Each role has explicitly defined permissions. Admin actions are logged in the audit trail.
OAuth: Social sign-in (Google, GitHub, Apple) uses authorization code flow with PKCE. OAuth users with 2FA enabled must complete 2FA before session cookies are issued.
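The PKCE step of the authorization code flow mentioned above, as an added example that is not Lyrie's or any provider's code: the client derives a code challenge from a random verifier (the S256 method of RFC 7636), sends only the challenge with the authorization request, and the server later recomputes the challenge from the verifier presented at the token endpoint. The `plain` method is rejected, since it offers no protection against an intercepted authorization code.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier() -> str:
    """RFC 7636 verifier: 43-128 unreserved characters; 32 random bytes yield 43."""
    return secrets.token_urlsafe(32)


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Token-endpoint check: the verifier must reproduce the challenge bound to the code.

    stored_challenge / stored_method are what the authorization server recorded with
    the issued code; presented_verifier is what the client sends to redeem it.
    """
    if stored_method != "S256":          # refuse the 'plain' method outright
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = code_challenge_s256(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    # Client side, before redirecting the user to the provider.
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    print("authorize request carries:", {"code_challenge": challenge, "code_challenge_method": "S256"})
    # Server side, when the client redeems the authorization code.
    print("token request accepted:", verify_pkce(challenge, "S256", verifier))
```

The asserted vector in the test is the one published in RFC 7636 Appendix B, so a practitioner can use this block to cross-check their own client library's challenge derivation.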
Rate limiting: Authentication endpoints are rate-limited to prevent brute-force attacks. Repeated failures trigger progressive delays and account lockout notifications.
3. Infrastructure Security
Hosting: The platform is deployed on Vercel with AWS-backed infrastructure. Production environments are isolated from staging and development.
Network security: WAF proxy infrastructure uses dedicated IP ranges with DDoS mitigation. Internal services communicate over private networks. No database ports are exposed to the public internet.
Dependency management: Dependencies are audited regularly. Automated vulnerability scanning runs on every deployment. Critical vulnerabilities are patched within 24 hours of disclosure.
Security headers: All responses include Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), and Permissions-Policy headers.
4. Application Security
Input validation: All user input is validated and sanitized server-side. Parameterized queries prevent SQL injection. Output encoding prevents XSS.
CSRF protection: All state-changing operations require a valid CSRF token verified server-side.
Content Security Policy: A strict CSP is enforced to prevent unauthorized script execution, including restrictions on frame ancestors, object sources, and base URI.
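An added example (not part of this page or of Lyrie's tooling) that turns the header requirements from section 3 and the CSP restrictions described above into a checker a practitioner can run against any captured response: it parses Strict-Transport-Security and Content-Security-Policy rather than string-matching them, verifies the two-year HSTS max-age with includeSubDomains and preload, checks that frame-ancestors, object-src and base-uri are present and not wildcarded, and compares the fixed-value headers. The sample header sets are constructed for the illustration.

```python
from typing import Dict, List, Mapping, Optional

# HSTS max-age of two years, expressed in seconds as the header requires.
HSTS_MIN_MAX_AGE = 2 * 365 * 24 * 60 * 60  # 63072000

# Headers whose value the policy fixes exactly (names compared case-insensitively).
FIXED_HEADERS = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}

# CSP directives the policy says are restricted; a wildcard source is not a restriction.
RESTRICTED_DIRECTIVES = ("frame-ancestors", "object-src", "base-uri")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins, per spec
    return policy


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse a Strict-Transport-Security value into {directive: value or None}."""
    out: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') or None
    return out


def check_security_headers(headers: Mapping[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the response matches the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # 1. HSTS: two-year max-age plus includeSubDomains and preload.
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    max_age = hsts.get("max-age")
    if max_age is None or not max_age.isdigit() or int(max_age) < HSTS_MIN_MAX_AGE:
        findings.append("hsts: max-age missing or below two years")
    for directive in ("includesubdomains", "preload"):
        if directive not in hsts:
            findings.append(f"hsts: missing {directive}")

    # 2. CSP present, with frame-ancestors, object-src and base-uri actually restricted.
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("csp: header missing")
    for directive in RESTRICTED_DIRECTIVES:
        sources = csp.get(directive)
        if sources is None or "*" in sources:
            findings.append(f"csp: {directive} is not restricted")

    # 3. Headers with a single correct value.
    for name, expected in FIXED_HEADERS.items():
        if h.get(name, "").strip() != expected:
            findings.append(f"{name}: expected {expected!r}, got {h.get(name)!r}")

    # 4. Permissions-Policy only has to be present; its feature list is site-specific.
    if "permissions-policy" not in h:
        findings.append("permissions-policy: header missing")
    return findings


# Constructed sample responses: one matching the policy, one with typical weaknesses.
COMPLIANT_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = dict(COMPLIANT_HEADERS, **{
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self'; object-src *",
    "X-Frame-Options": "SAMEORIGIN",
})

if __name__ == "__main__":
    for label, sample in (("compliant", COMPLIANT_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, check_security_headers(sample) or "OK")
```

Feeding the checker the headers of a real response (for example from `requests.get(url).headers`) gives a per-header list of deviations; the weak sample above produces seven findings, covering the short and incomplete HSTS value, the missing or wildcarded CSP directives, and the SAMEORIGIN frame option.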
File uploads: The platform does not accept general file uploads. Scan configurations and agent policies are validated against strict schemas.
5. Audit Logging
Every security-relevant action is logged with:
- Timestamp (UTC, millisecond precision)
- Actor identity (user ID, IP address, user agent)
- Action performed (login, configuration change, scan initiated, API key created, etc.)
- Affected resource
- Result (success or failure, with error details for failures)
Audit logs are immutable and retained for the duration of the account. They can be exported via the dashboard or API in JSON or CSV format.
6. Incident Response
Lyrie maintains a documented incident response plan covering:
- Detection: Automated alerting on anomalous patterns, failed authentication spikes, configuration changes, and infrastructure health metrics.
- Triage: Incidents are classified by severity (P1–P4) with response time targets defined in our SLA.
- Containment: Kill-switch capabilities allow immediate isolation of compromised components.
- Communication: Customers are notified via the status page and email. Data breach notifications are sent within 72 hours per GDPR requirements.
- Post-mortem: Root cause analysis and remediation plans are published for significant incidents.
7. Security Testing
Internal testing: We use our own LyrieHEX and OMEGA scanners to continuously test the platform. Security reviews are part of every deployment pipeline.
Penetration testing: External penetration tests are conducted at least annually by qualified third-party firms. Findings are remediated and retested.
Bug bounty: We maintain a Responsible Disclosure program. Security researchers can report vulnerabilities and are recognized for valid findings.
8. Compliance
Lyrie AI maintains alignment with:
- SOC 2 Type II: Controls mapped across security, availability, and confidentiality trust service criteria.
- GDPR: Full data subject rights implementation, DPA availability, and region-lock capabilities.
- PCI DSS: WAF alignment with requirements 6.6, 10.1, 10.2, 10.6, 11.2, and 12.10.
- OWASP Top 10: Comprehensive coverage in scanning and WAF detection capabilities.
9. Personnel Security
All Lyrie team members with access to production systems:
- Undergo background checks before gaining access to customer data.
- Use hardware security keys for production system authentication.
- Complete annual security awareness training.
- Operate under least-privilege access principles — access is granted only as needed and reviewed quarterly.
10. Contact
Security inquiries: [email protected]
Vulnerability reports: Responsible Disclosure
Compliance documentation requests: [email protected]