
Lob trust & security

Industry-leading security, trusted by Fortune 500 companies, and built into every aspect of Lob.

SOC 2 Type 2 and HIPAA

Lob undergoes annual audits conducted by a third party to ensure SOC 2 Type 2 and HIPAA compliance.

For more information regarding compliance certifications, and the standards to which Lob adheres, please reach out to your CSM or contact security@lob.com.

General Data Protection Regulation (GDPR)

For more information, please review our Privacy Policy.

Security Features

SSO via SAML: Integrate single sign-on with your identity provider (Okta, OneLogin, etc.).
Audit Logging: Programmatically list all requests made against your account.
Role-Based Access Control: Limit user access with admin, read-write, and read-only roles.
Signed Webhooks: Verify the integrity of our webhooks with HMAC signatures.
TLS 1.2+: We only allow modern TLS and ciphersuites.
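Signed webhooks only protect you if the receiver actually checks the signature over the raw request body, compares it in constant time, and rejects stale deliveries. The following is an added example of a receiver-side check, not code from Lob or from this page; the header names, the "timestamp.body" signing scheme, the 300-second freshness window and the sample payload are all assumptions constructed for illustration, so consult the webhook documentation for the real header names and signing input.

```python
import hashlib
import hmac
import json
import time

# Assumed signing scheme (constructed for this example, not taken from the page):
#   signature = hex(HMAC-SHA256(secret, "<timestamp>.<raw body bytes>"))
# The header names below are placeholders, not documented values.
SIGNATURE_HEADER = "x-webhook-signature"
TIMESTAMP_HEADER = "x-webhook-timestamp"
MAX_AGE_SECONDS = 300  # reject replays of old, previously valid deliveries


def sign_payload(secret: bytes, timestamp: str, body: bytes) -> str:
    """Sender-side: hex HMAC-SHA256 over 'timestamp.body'."""
    msg = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    """Return True only if the signature is valid and the timestamp is fresh.

    The MAC is computed over the raw request bytes, never over a re-serialised
    JSON object: re-serialisation changes key order and whitespace and breaks it.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    signature = hdrs.get(SIGNATURE_HEADER)
    timestamp = hdrs.get(TIMESTAMP_HEADER)
    if not signature or not timestamp:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - ts) > MAX_AGE_SECONDS:
        return False  # too old (or from the future): treat as a replay
    expected = sign_payload(secret, timestamp, body)
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(expected, signature)


def handle_delivery(secret: bytes, headers: dict, body: bytes, now=None):
    """Parse the JSON event only after the signature check passes; None otherwise."""
    if not verify_webhook(secret, headers, body, now):
        return None
    return json.loads(body)


if __name__ == "__main__":
    # Constructed sample delivery: secret, body and headers are all made up.
    secret = b"whsec_constructed_example_secret"
    body = b'{"event_type":{"id":"letter.created"},"body":{"id":"ltr_constructed"}}'
    ts = str(int(time.time()))
    headers = {SIGNATURE_HEADER: sign_payload(secret, ts, body), TIMESTAMP_HEADER: ts}
    print(handle_delivery(secret, headers, body))
```

The freshness window is what turns a valid-but-captured delivery into a rejected one; without it an attacker who has recorded a legitimate request can resubmit it indefinitely, and the signature alone will not tell the two apart.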

Secure Development Lifecycle: Automated linting, unit and integration testing, static analysis, and known vulnerable dependency scanning are performed against every commit.
Fix Vulnerability Classes: We structure our architecture and code in a way where entire vulnerability classes are removed by design.
Bug Bounty: We invite ethical hackers to test our products through HackerOne.
Rate Limiting: All session-related actions, including logging in and verifying password reset tokens, are rate-limited.
Application Level Hashing/Encryption: Passwords are hashed and sensitive columns are stored with application level encryption.
Preloaded Strict-Transport-Security: Browsers are not capable of making plaintext requests to Lob domains.

Data Encryption: 100% of data is encrypted in transit and at rest.
Infrastructure as Code: All our infrastructure is managed as code and goes through code review.
Least Privilege: All IAM policies, credentials, permissions, and roles are scoped down to the minimum necessary permissions.
Network Segregation: Production, Sandbox and Staging accounts all live within their own separate accounts and are constrained through VPCs.
Hardened Hosts: Unused services/ports are removed, and containers are built off a minimal Alpine image running as a non-root user. Only a well-controlled set of hosts accept ingress traffic.
Intrusion Detection System: We run an IDS that alerts us on anomalous network connections (e.g. to algorithmically generated domain names, the Tor network, etc.), suspicious reconnaissance activity, and more.
S3 Public Access Blocks: Because we apply both bucket-level and account-level S3 public access blocks, it is not possible for us to have S3 buckets publicly exposed to the internet.
AWS Root User Disabled: All our AWS root users are disabled through the use of service control policies.

HIPAA: Sign a Business Associate Agreement with us for even stronger data controls.
Privacy: Learn more about our privacy program and GDPR compliance by visiting our Privacy page.
3rd Party Audits: Lob undergoes a SOC 2 Type 2 audit annually by third-party assessors.
Penetration Tests: Lob engages third-party firms to conduct penetration tests annually.
Vendor & Print Partner Evaluation: Lob evaluates and monitors the security of our subprocessors and requires them to maintain a security posture at least as strong as our own.

Endpoint Monitoring and Management: We deploy industry-leading endpoint protection and device management software on all endpoints.
SSO: Employee services are authenticated with SSO, with enforced password complexity and 2FA requirements.
Security Training: All personnel complete security awareness and HIPAA training as part of onboarding and annually thereafter.
Standardized Onboarding/Offboarding: Employees receive minimum permissions by default, and are only granted additional access on an as-needed basis. When employees change roles or are offboarded, their unneeded permissions are removed immediately.
Access Review: Lob performs access reviews on a regular basis to ensure the principle of least privilege is being followed.
VPN: Accessing internal services must be completed over a secure VPN, which requires two-factor authentication.

Data in the Cloud: We don’t store any data on premises.
Office Security: Our building requires badge access to gain entry. We have CCTV and guards stationed 24/7.