Security & Compliance

Compliance & Certifications

Lambda's compliance standards and certifications.


Overview

Lambda maintains the compliance certifications and attestations listed below so that customer data is protected and your own regulatory obligations can be met. They cover Lambda's side of the shared-responsibility model; what remains with you is listed under Customer Responsibilities at the end of this page.


Certifications

SOC 2 Type II

Status: ✓ Report issued (annual audit; a SOC 2 is an attestation report issued by a CPA firm, not a certificate)
Auditor: Independent CPA firm
Last Audit: December 2025
Next Audit: December 2026

Trust Services Categories in scope (all five):

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Common Criteria (CC series) evaluated:

  • CC1: Control Environment
  • CC2: Communication and Information
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation

Report Request:
Enterprise customers can request the SOC 2 Type II report by email (compliance@lambda.io, as listed under Documentation & Reports).


ISO 27001

Status: ✓ Certified
Certificate Number: ISO27001-2024-LAMBDA
Valid Through: January 2027
Scope: Information Security Management System (ISMS)

Controls Implemented (Annex A control domains, ISO/IEC 27001:2013 numbering; the 2022 edition regroups the same controls into four themes, A.5 Organizational through A.8 Technological):

  • A.5: Information Security Policies
  • A.6: Organization of Information Security
  • A.7: Human Resource Security
  • A.8: Asset Management
  • A.9: Access Control
  • A.10: Cryptography
  • A.11: Physical and Environmental Security
  • A.12: Operations Security
  • A.13: Communications Security
  • A.14: System Acquisition, Development and Maintenance
  • A.15: Supplier Relationships
  • A.16: Information Security Incident Management
  • A.17: Business Continuity Management
  • A.18: Compliance

HIPAA Compliance

Status: ✓ Compliant (self-attested; HHS issues no HIPAA certification, so the safeguards below are evidenced through the BAA and the SOC 2 report)
BAA: Available to all customers

Safeguards:

Administrative Safeguards

  • ✓ Security management process
  • ✓ Security personnel
  • ✓ Information access management
  • ✓ Workforce training
  • ✓ Evaluation procedures

Physical Safeguards

  • ✓ Facility access controls
  • ✓ Workstation security
  • ✓ Device and media controls

Technical Safeguards

  • ✓ Access control
  • ✓ Audit controls
  • ✓ Integrity controls
  • ✓ Transmission security

HIPAA Configuration:

# Enable HIPAA mode
lambda compliance enable-hipaa inst_abc123

# Verify compliance
lambda compliance verify inst_abc123 --standard hipaa

BAA Request:
Email legal@lambda.io with your organization details


GDPR Compliance

Status: ✓ Compliant
DPA: Standard Data Processing Agreement available
Privacy Shield: No longer relied on (the EU-US Privacy Shield was invalidated by the CJEU's Schrems II ruling in July 2020); an alternative transfer mechanism is in place. Confirm which one (for example Standard Contractual Clauses or the EU-US Data Privacy Framework) in the DPA before moving EU personal data outside the EU.

GDPR Rights Supported (right: Lambda implementation):

  • Right to Access: user can export all account data
  • Right to Rectification: user can update account information
  • Right to Erasure: account deletion removes all data
  • Right to Restrict Processing: user can pause processing
  • Right to Data Portability: export in a machine-readable format
  • Right to Object: opt-out options available
  • Automated Decision Making: no automated decisions without consent

Data Residency:

To keep personal data inside the EU and avoid an international transfer (and the transfer mechanism it would require), use EU regions:

  • eu-west-1 (Ireland)
  • eu-central-1 (Germany)

GDPR Configuration:

# Create GDPR-compliant instance
lambda create instance \
  --region eu-central-1 \
  --compliance-mode gdpr \
  --data-residency eu

# Export personal data
lambda account export-data --format json

DPA Request:
Available at https://lambda.io/legal/dpa


PCI DSS Level 1

Status: ✓ Compliant
Level: 1 (the highest service-provider level; requires an annual on-site assessment by a QSA and quarterly external ASV scans)
Assessment: Report on Compliance by a Qualified Security Assessor (QSA)
Valid Through: March 2027

12 PCI Requirements:

  1. ✓ Install and maintain firewall configuration
  2. ✓ Do not use vendor-supplied defaults
  3. ✓ Protect stored cardholder data
  4. ✓ Encrypt transmission of cardholder data
  5. ✓ Protect systems against malware
  6. ✓ Develop and maintain secure systems
  7. ✓ Restrict access to cardholder data
  8. ✓ Identify and authenticate access
  9. ✓ Restrict physical access
  10. ✓ Track and monitor network access
  11. ✓ Regularly test security systems
  12. ✓ Maintain information security policy

PCI Configuration:

# Enable PCI mode
lambda compliance enable-pci inst_abc123

# Quarterly vulnerability scan
lambda compliance scan inst_abc123 --standard pci

This scan checks Lambda's controls on the instance. It does not replace the quarterly external scan by a PCI SSC Approved Scanning Vendor (ASV) or the annual penetration test that Requirement 11 imposes on your own cardholder data environment.

AOC Request:
Enterprise customers can request the Attestation of Compliance (AOC) via compliance@lambda.io


FedRAMP (In Progress)

Status: ⚠️ Authorization in progress
Expected: Q3 2026
Impact Level: Moderate

Current Progress:

  • ✓ Security assessment plan approved
  • ✓ Security controls implementation
  • ⏳ Initial assessment underway
  • ⏳ Authorization package preparation

Regional Compliance

United States

  • HIPAA: Healthcare data
  • HITECH: Health information technology
  • SOC 2: Trust services
  • COPPA: Children's privacy (with configuration)
  • FedRAMP: Federal systems
  • State Laws: CCPA (California), various state laws

European Union

  • GDPR: General Data Protection Regulation
  • ePrivacy Directive: Electronic communications privacy
  • NIS2 Directive: Network and information security (Directive (EU) 2022/2555, which replaced the original NIS Directive; member-state transposition was due by 17 October 2024)
  • ISO 27001: Information security
  • ISO 27018: Personal data in cloud

United Kingdom

  • UK GDPR: UK adaptation of GDPR
  • Data Protection Act 2018
  • Cyber Essentials Plus

Canada

  • PIPEDA: Personal Information Protection
  • Provincial privacy laws

Australia

  • Privacy Act 1988
  • Australian Privacy Principles (APPs)
  • Notifiable Data Breaches scheme

Industry-Specific Compliance

Healthcare

  • ✓ HIPAA/HITECH
  • ✓ FDA 21 CFR Part 11 (with configuration)
  • ✓ CLIA (with configuration)

Finance

  • ✓ PCI DSS
  • ✓ SOC 2
  • ✓ GLBA (Gramm-Leach-Bliley Act)
  • ✓ SOX (Sarbanes-Oxley) support

Government

  • ⏳ FedRAMP (in progress)
  • ✓ NIST 800-53 controls
  • ✓ FIPS 140-2 Level 3 (cryptography)

Education

  • ✓ FERPA (Family Educational Rights and Privacy Act)
  • ✓ COPPA (with configuration)

Audit & Logging

Compliance Logging

Lambda automatically logs compliance-relevant events:

{
  "event_id": "evt_comp_123",
  "timestamp": "2026-01-24T10:30:00Z",
  "event_type": "data_access",
  "actor": "user@example.com",
  "resource": "inst_abc123",
  "action": "ssh_login",
  "compliance_tags": ["HIPAA", "SOC2"],
  "ip_address": "203.0.113.42",
  "success": true
}
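A reviewer's pass over such an export, as an added example that is not Lambda's code: it parses events in the format above (assumed to be what `lambda audit export --format json` emits, one JSON object per line), then flags failed-login bursts, HIPAA-tagged access from outside a trusted egress range, and after-hours PHI access. The sample events, the trusted range and the thresholds are constructed for the example.

```python
"""Review exported compliance audit events for access-control evidence.

Added example (not Lambda's code). Input shape follows the event shown on
the page; the export format and all parameters below are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample export (JSON Lines): same fields as the page's event, made-up values.
SAMPLE_EXPORT = """\
{"event_id": "evt_comp_123", "timestamp": "2026-01-24T10:30:00Z", "event_type": "data_access", "actor": "user@example.com", "resource": "inst_abc123", "action": "ssh_login", "compliance_tags": ["HIPAA", "SOC2"], "ip_address": "203.0.113.42", "success": true}
{"event_id": "evt_comp_124", "timestamp": "2026-01-24T10:31:00Z", "event_type": "data_access", "actor": "svc@example.com", "resource": "inst_abc123", "action": "ssh_login", "compliance_tags": ["HIPAA", "SOC2"], "ip_address": "198.51.100.7", "success": false}
{"event_id": "evt_comp_125", "timestamp": "2026-01-24T10:31:20Z", "event_type": "data_access", "actor": "svc@example.com", "resource": "inst_abc123", "action": "ssh_login", "compliance_tags": ["HIPAA", "SOC2"], "ip_address": "198.51.100.7", "success": false}
{"event_id": "evt_comp_126", "timestamp": "2026-01-24T10:31:45Z", "event_type": "data_access", "actor": "svc@example.com", "resource": "inst_abc123", "action": "ssh_login", "compliance_tags": ["HIPAA", "SOC2"], "ip_address": "198.51.100.7", "success": false}
{"event_id": "evt_comp_127", "timestamp": "2026-01-24T10:32:30Z", "event_type": "data_access", "actor": "svc@example.com", "resource": "inst_abc123", "action": "ssh_login", "compliance_tags": ["HIPAA", "SOC2"], "ip_address": "198.51.100.7", "success": true}
{"event_id": "evt_comp_128", "timestamp": "2026-01-24T23:10:00Z", "event_type": "data_access", "actor": "admin@example.com", "resource": "inst_abc123", "action": "volume_snapshot", "compliance_tags": ["HIPAA"], "ip_address": "203.0.113.42", "success": true}
"""

# Assumed review parameters; tune to your environment.
TRUSTED_EGRESS = [ip_network("203.0.113.0/24")]  # corporate egress ranges (assumed)
FAIL_THRESHOLD = 3                                 # failed logins per actor+ip ...
FAIL_WINDOW = timedelta(minutes=5)                 # ... within this window
BUSINESS_HOURS = range(8, 19)                      # 08:00-18:59 UTC (assumed)


def parse_events(text):
    """Parse a JSON Lines export, attach a timezone-aware datetime, sort by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_failed_login_bursts(events):
    """Flag actor+ip pairs with FAIL_THRESHOLD failed logins inside FAIL_WINDOW.
    A success after the burst is the case to escalate: the guessing may have worked."""
    findings = []
    by_key = defaultdict(list)
    for ev in events:
        if ev["action"] == "ssh_login":
            by_key[(ev["actor"], ev["ip_address"])].append(ev)
    for (actor, ip), evs in by_key.items():
        failures = [e for e in evs if not e["success"]]
        for i in range(len(failures) - FAIL_THRESHOLD + 1):
            burst = failures[i:i + FAIL_THRESHOLD]
            if burst[-1]["ts"] - burst[0]["ts"] <= FAIL_WINDOW:
                later_success = any(e["success"] and e["ts"] > burst[-1]["ts"] for e in evs)
                findings.append({"check": "failed_login_burst", "actor": actor, "ip": ip,
                                 "followed_by_success": later_success,
                                 "event_ids": [e["event_id"] for e in burst]})
                break  # one finding per actor+ip is enough for the report
    return findings


def find_untrusted_sources(events):
    """Successful access to HIPAA-tagged resources from outside the trusted egress ranges."""
    return [{"check": "untrusted_source", "actor": ev["actor"], "ip": ev["ip_address"],
             "event_id": ev["event_id"]}
            for ev in events
            if ev["success"] and "HIPAA" in ev["compliance_tags"]
            and not any(ip_address(ev["ip_address"]) in net for net in TRUSTED_EGRESS)]


def find_after_hours_phi_access(events):
    """Successful PHI access outside business hours: not a violation by itself, but the
    activity 45 CFR 164.308(a)(1)(ii)(D) (information system activity review) expects you to look at."""
    return [{"check": "after_hours_phi_access", "actor": ev["actor"], "action": ev["action"],
             "event_id": ev["event_id"]}
            for ev in events
            if ev["success"] and "HIPAA" in ev["compliance_tags"]
            and ev["ts"].hour not in BUSINESS_HOURS]


def review(export_text):
    """Run all checks over an export and return the combined findings."""
    events = parse_events(export_text)
    return (find_failed_login_bursts(events) + find_untrusted_sources(events)
            + find_after_hours_phi_access(events))


if __name__ == "__main__":
    for finding in review(SAMPLE_EXPORT):
        print(finding)
```

On the sample export this yields three findings: a three-failure burst from 198.51.100.7 that is followed by a success (the one to escalate first), that same successful login counted as access from an untrusted source, and the 23:10 UTC volume snapshot as after-hours PHI access. Keep the review output with the audit logs themselves; the reviewed-evidence trail is what a SOC 2 auditor asks for under CC7.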

Audit Reports

# Generate compliance report
lambda compliance report \
  --standard hipaa \
  --period "2025-01-01 to 2026-01-01" \
  --output report.pdf

# Export audit logs
lambda audit export \
  --start "2026-01-01" \
  --end "2026-01-31" \
  --format csv

Data Handling

Data Classification

Classification (description): Lambda support

  • Public (non-sensitive data): ✓ Full support
  • Internal (company-internal data): ✓ Full support
  • Confidential (sensitive business data): ✓ Encryption required
  • PHI (Protected Health Information): ✓ HIPAA mode
  • PII (Personally Identifiable Information): ✓ GDPR mode
  • PCI (Payment Card Industry data): ✓ PCI mode
  • Classified (government classified): ⏳ pending; note that the FedRAMP Moderate authorization in progress covers federal unclassified data (for example CUI) and does not by itself authorize classified workloads

Data Retention

Configurable per-instance:

# Set retention policy
lambda compliance set-retention inst_abc123 \
  --logs 7years \
  --backups 1year \
  --audit 10years

# GDPR right to erasure
lambda account delete --gdpr-compliant

Data Location

Guarantee data stays in specific regions:

# Enforce data residency
lambda create instance \
  --region eu-central-1 \
  --data-residency eu \
  --no-cross-border-transfer

Security Controls

Encryption

At Rest:

  • AES-256-GCM encryption
  • Customer-managed keys
  • Hardware Security Modules (HSM)
  • FIPS 140-2 Level 3 validated modules (CMVP moves all FIPS 140-2 certificates to its historical list on 21 September 2026; check for FIPS 140-3 successors before relying on this for new procurements)

In Transit:

  • TLS 1.3 only
  • Perfect forward secrecy (ephemeral (EC)DHE key exchange, which TLS 1.3 makes mandatory)
  • Certificate pinning available

In Use:

  • Intel SGX secure enclaves
  • AMD SEV memory encryption
  • Attestation available

Access Control

Authentication:

  • Multi-factor authentication (MFA)
  • SSO integration (SAML, OAuth)
  • API key rotation (90-day policy)
  • Certificate-based authentication

Authorization:

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Separation of duties
  • Audit trail for all access

Monitoring

Security Monitoring:

  • Real-time intrusion detection
  • Anomaly detection
  • DDoS protection
  • Vulnerability scanning

Compliance Monitoring:

  • Continuous compliance checking
  • Automated remediation
  • Drift detection
  • Policy enforcement

Third-Party Audits

Penetration Testing

  • Frequency: Quarterly
  • Tester: Independent security firm
  • Last Test: December 2025
  • Next Test: March 2026
  • Results: Available to Enterprise customers

Vulnerability Scanning

  • Frequency: Weekly automated, monthly manual
  • Scanner: Nessus + OpenVAS
  • Remediation SLA: Critical (24h), High (7d), Medium (30d)

Code Security Review

  • Frequency: Continuous (every commit)
  • Tools: Snyk, Dependabot, CodeQL
  • 3rd Party: Annual deep review

Compliance Automation

Automated Compliance Checks

# Run compliance scan
lambda compliance scan inst_abc123 --standards hipaa,pci,gdpr

# View compliance status
lambda compliance status --instance inst_abc123

# Remediate issues
lambda compliance remediate inst_abc123 --auto-fix

Compliance as Code

# lambda-compliance.yaml
compliance:
  standards:
    - hipaa
    - pci-dss
    - gdpr

  encryption:
    at_rest: required
    in_transit: tls13-only
    in_use: sgx-required

  access:
    mfa: required
    key_rotation: 90d
    session_timeout: 30m

  logging:
    retention: 7years
    encryption: required
    immutable: true

  data_residency:
    allowed_regions:
      - eu-west-1
      - eu-central-1
    cross_border: forbidden

# Apply compliance policy
lambda compliance apply lambda-compliance.yaml
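Before applying a policy it is worth checking it against the thresholds the named standards actually impose. The validator below is an added example, not part of Lambda's tooling: it takes the policy as the dict a YAML loader would produce (in practice `yaml.safe_load` on lambda-compliance.yaml), mirrors this page's own stated controls as a baseline, and applies the HIPAA, PCI DSS and GDPR rules cited inline. Note that it flags the fragment above: a 30m `session_timeout` exceeds the 15-minute idle timeout PCI DSS requires (Req 8.1.8 in v3.2.1, 8.2.8 in v4.0). The weak policy it contrasts against is constructed for the example.

```python
"""Validate a lambda-compliance.yaml policy before `lambda compliance apply`.

Added example (not Lambda's code). PAGE_POLICY is the page's fragment as a
loaded YAML document; WEAK_POLICY is constructed for contrast.
"""
import copy
import re

_UNIT_SECONDS = {"m": 60, "min": 60, "minute": 60, "minutes": 60,
                 "h": 3600, "hour": 3600, "hours": 3600,
                 "d": 86400, "day": 86400, "days": 86400,
                 "y": 31_536_000, "year": 31_536_000, "years": 31_536_000}
YEAR, DAY, MINUTE = 31_536_000, 86400, 60
EU_REGIONS = {"eu-west-1", "eu-central-1"}  # the EU regions this page names

PAGE_POLICY = {"compliance": {
    "standards": ["hipaa", "pci-dss", "gdpr"],
    "encryption": {"at_rest": "required", "in_transit": "tls13-only", "in_use": "sgx-required"},
    "access": {"mfa": "required", "key_rotation": "90d", "session_timeout": "30m"},
    "logging": {"retention": "7years", "encryption": "required", "immutable": True},
    "data_residency": {"allowed_regions": ["eu-west-1", "eu-central-1"], "cross_border": "forbidden"},
}}

# Constructed weak policy: plausible settings that each break a rule below.
WEAK_POLICY = copy.deepcopy(PAGE_POLICY)
WEAK_POLICY["compliance"].update({
    "encryption": {"at_rest": "required", "in_transit": "tls12-min", "in_use": "optional"},
    "access": {"mfa": "optional", "key_rotation": "365d", "session_timeout": "60m"},
    "logging": {"retention": "1year", "encryption": "required", "immutable": False},
    "data_residency": {"allowed_regions": ["eu-west-1", "us-east-1"], "cross_border": "allowed"},
})


def parse_duration(text):
    """'7years' -> seconds. Raises on anything it cannot read rather than guessing."""
    m = re.fullmatch(r"(\d+)\s*([A-Za-z]+)", str(text).strip())
    if not m or m.group(2).lower() not in _UNIT_SECONDS:
        raise ValueError(f"unparseable duration: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2).lower()]


def validate(policy):
    """Return (standard, key, message) findings; an empty list means the policy passes."""
    c = policy["compliance"]
    standards = set(c.get("standards", []))
    enc, acc, log, res = (c.get(k, {}) for k in ("encryption", "access", "logging", "data_residency"))
    findings = []

    def fail(std, key, msg):
        findings.append((std, key, msg))

    # Baseline: the controls this page states for every instance.
    if enc.get("at_rest") != "required":
        fail("baseline", "encryption.at_rest", "must be 'required'")
    if enc.get("in_transit") != "tls13-only":
        fail("baseline", "encryption.in_transit", "must be 'tls13-only'")
    if acc.get("mfa") != "required":
        fail("baseline", "access.mfa", "must be 'required'")
    if parse_duration(acc.get("key_rotation", "999d")) > 90 * DAY:  # missing = unbounded
        fail("baseline", "access.key_rotation", "must be 90 days or less")
    if log.get("encryption") != "required" or log.get("immutable") is not True:
        fail("baseline", "logging", "audit logs must be encrypted and immutable")

    retention = parse_duration(log.get("retention", "0d"))
    if "hipaa" in standards and retention < 6 * YEAR:
        fail("hipaa", "logging.retention", "45 CFR 164.316(b)(2)(i): retain documentation 6 years")
    if "pci-dss" in standards:
        if retention < YEAR:
            fail("pci-dss", "logging.retention", "Req 10.7 (v3.2.1) / 10.5.1 (v4.0): 12 months of audit history")
        if parse_duration(acc.get("session_timeout", "999m")) > 15 * MINUTE:  # missing = no timeout
            fail("pci-dss", "access.session_timeout", "Req 8.1.8 (v3.2.1) / 8.2.8 (v4.0): idle timeout 15 minutes or less")
    if "gdpr" in standards:
        outside = set(res.get("allowed_regions", [])) - EU_REGIONS
        if outside:
            fail("gdpr", "data_residency.allowed_regions", f"non-EU regions allowed: {sorted(outside)}")
        if res.get("cross_border") != "forbidden":
            fail("gdpr", "data_residency.cross_border", "must be 'forbidden' to keep data in the EU")
    return findings


def hardened(policy):
    """Copy of a policy with the PCI idle-timeout finding fixed."""
    fixed = copy.deepcopy(policy)
    fixed["compliance"]["access"]["session_timeout"] = "15m"
    return fixed


if __name__ == "__main__":
    for name, pol in (("page", PAGE_POLICY), ("hardened", hardened(PAGE_POLICY)), ("weak", WEAK_POLICY)):
        print(name, validate(pol) or "OK")
```

Run it on a policy file before `lambda compliance apply`, and fail the pipeline on any finding; the page's fragment passes once `session_timeout` is lowered to 15m, while the weak policy produces eight findings across the baseline and all three standards.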

Incident Response

Breach Notification

GDPR: Supervisory authority within 72 hours of becoming aware (Art. 33); affected data subjects without undue delay where the risk to them is high (Art. 34)
HIPAA: As a business associate, Lambda notifies the covered entity without unreasonable delay and no later than 60 days after discovery (45 CFR 164.410); the covered entity's own notifications to individuals and HHS run from there
State Laws: Varies (typically 30 to 60 days)

Process:

  1. Detection and containment
  2. Investigation and assessment
  3. Notification to authorities (if required)
  4. Notification to affected parties
  5. Remediation and prevention

Contact:
security@lambda.io

Compliance Incidents

Report compliance concerns:

lambda compliance report-incident \
  --type "potential-breach" \
  --description "Description of issue" \
  --severity high

Customer Responsibilities

Compliance Checklist

HIPAA Customers

  • Request and sign BAA
  • Enable HIPAA mode on instances
  • Configure encryption
  • Implement access controls
  • Train workforce
  • Document security policies
  • Regular risk assessments
  • Incident response plan

PCI Customers

  • Enable PCI mode
  • Segment cardholder data
  • Configure firewalls
  • Encrypt cardholder data
  • Quarterly vulnerability scans
  • Annual penetration test
  • Log all access
  • Document policies

GDPR Customers

  • Use EU regions
  • Enable data residency controls
  • Implement data retention policies
  • Create privacy policy
  • Provide data export functionality
  • Honor user rights (access, erasure, etc.)
  • Maintain processing records

Documentation & Reports

Available Documentation

  • SOC 2 Type II Report (Enterprise)
  • ISO 27001 Certificate (All customers)
  • PCI AOC (Enterprise)
  • Security whitepaper (Public)
  • Privacy policy (Public)
  • Data Processing Agreement (All customers)
  • Business Associate Agreement (HIPAA customers)

Request: compliance@lambda.io


Contact Compliance Team

  • Email: compliance@lambda.io
  • Phone: +1 (Enterprise only)
  • Portal:

Next Step

Check the Command Line Interface reference.

CLI Reference →


Think Lambda, Think Privacy

Compliance documentation updated: January 24, 2026