Lob Security

See why customers trust us to send billions of pieces of direct mail.

Report a Security Issue

Compliance Certifications and Regulations

  • EU-US & Swiss-US Privacy Shield
  • GDPR
  • HIPAA

Product Security

  • SSO via SAML: Integrate single sign-on with your identity provider (Okta, OneLogin, etc.).
  • Automated Data Deletion: Delete all your data as it ages past XX days (the retention period is configurable by you).
  • Audit Logging: Programmatically list all requests made against your account.
  • Role-Based Access Control: Limit user access with admin, read-write, and read-only roles.
  • Signed Webhooks: Verify the integrity of our webhooks with HMAC signatures.
  • TLS 1.2+: We only allow modern TLS and ciphersuites.
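
As an added illustration of the Signed Webhooks item above (example code, not Lob's own library or documented signing scheme), this shows how a webhook receiver verifies an HMAC-SHA256 signature before trusting the payload. The header name, hex encoding and signing secret are assumptions for the example; the important details are that an unsigned delivery is rejected outright and that the comparison is constant-time.

```python
import hashlib
import hmac

# Constructed values for the example. The header name and hex encoding are
# assumptions here, not a description of any particular provider's format.
WEBHOOK_SECRET = b"whsec_example_do_not_use"
HEADER_NAME = "X-Webhook-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 tag a sender would attach to a webhook body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Return True only if the signature header matches `body` under `secret`.

    hmac.compare_digest takes the same time whether the tags differ in the
    first byte or the last, so a caller cannot learn the expected tag byte by
    byte from response timing as they could with a plain `==` comparison.
    """
    presented = headers.get(HEADER_NAME)
    if not presented:
        # Unsigned delivery: reject rather than fall through to processing.
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, presented)


# Constructed sample delivery: a signed body and a tampered copy of it.
BODY = b'{"id":"evt_123","event_type":"letter.created"}'
GOOD_HEADERS = {HEADER_NAME: sign_payload(WEBHOOK_SECRET, BODY)}
TAMPERED_BODY = b'{"id":"evt_123","event_type":"letter.deleted"}'

if __name__ == "__main__":
    print("valid delivery accepted:", verify_webhook(WEBHOOK_SECRET, GOOD_HEADERS, BODY))
    print("tampered body rejected:", not verify_webhook(WEBHOOK_SECRET, GOOD_HEADERS, TAMPERED_BODY))
    print("unsigned delivery rejected:", not verify_webhook(WEBHOOK_SECRET, {}, BODY))
```

Note that the receiver must sign the raw request bytes it received, not a re-serialized copy of the parsed JSON, or whitespace and key-order differences will cause valid signatures to fail.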

Application Security

  • Secure Development Lifecycle: Automated linting, unit and integration testing, static analysis, and known vulnerable dependency scanning are performed against every commit.
  • Fix Vulnerability Classes: We structure our architecture and code so that entire vulnerability classes are removed by design.
  • Bug Bounty: We invite the best and brightest to hack against us on HackerOne.
  • Rate Limiting: All session-related actions, including logging in and verifying password reset tokens, are rate-limited.
  • Application Level Hashing/Encryption: Passwords are hashed using BCrypt. Sensitive columns like bank account numbers are stored with application level encryption.
  • Preloaded Strict-Transport-Security: Browsers are not capable of making plaintext requests to Lob domains.

Infrastructure Security

  • Data Encryption: 100% of data is encrypted in transit and at rest.
  • Infrastructure as Code: All our infrastructure is managed as code and goes through code review.
  • Least Privilege: All IAM policies, credentials, permissions, and roles are scoped down to the minimum necessary permissions.
  • Network Segregation: Production, Sandbox, and Staging environments each live in their own AWS account. Within an account, services’ network access is constrained through VPCs.
  • Hardened Hosts: Unused services/ports are removed, and containers are built off a minimal Alpine image running as a non-root user. Only a well-controlled set of hosts accept ingress traffic.
  • Intrusion Detection System: We run an IDS that alerts us on anomalous network connections (e.g. to algorithmically generated domain names or the Tor network), suspicious reconnaissance activity, and more.
  • S3 Public Access Blocks: Because we apply S3 public access blocks at both the bucket and account level, it is not possible for us to have S3 buckets publicly exposed to the internet.
  • AWS Root User Disabled: All our AWS root users are disabled through the use of service control policies.

Incident Detection & Response

  • Dozens of Log Sources: We ingest logs from our applications, hosts, containers, Cloudtrail, Okta, Google, and more into our SIEM.
  • Real-Time Alerting: We alert on events such as new users or IAM keys being created, changes to any AWS or SaaS tool settings, credential stuffing attacks against our API, and malware detection on employee endpoints.
  • Isolated Storage: Application-level logs are retained for 30 days and audit logs are retained permanently, in a separate AWS account to which only a limited set of employees have access.
  • Incident Detection & Response Policy: All incidents (security or otherwise) have postmortems and preventive action items with timelines and owners defined. Our incident detection & response policy is available upon request.

Risk & Compliance

  • HIPAA: Sign a Business Associate Agreement with us for even stronger data controls.
  • GDPR: Our Data Privacy Officer is Dan Zhao. Learn more about our GDPR compliance by emailing privacy@lob.com.
  • 3rd Party Audits: Lob hires independent assessors to measure our security and auditing controls at least annually. These results are shared company-wide.
  • Penetration Tests: Lob engages with 3rd party firms to conduct application-level and infrastructure-level penetration tests at least annually.
  • Customer-Led Audits: Our customers are welcome to perform security control assessments or penetration testing against Lob.
  • Vendor & Print Partner Evaluation: Lob evaluates and monitors the security of our subprocessors, and requires them to maintain a security posture at least as strong as our own.

Corporate Security

  • Endpoint Monitoring and Management: We run JAMF and CarbonBlack on all endpoints, with enforced policies for full disk encryption and more.
  • SSO: Employee services are authenticated with SSO, with enforced password complexity and 2FA requirements.
  • Password Managers: All employee laptops come with 1Password pre-installed. Its usage is mandatory and employees receive training on how to use it.
  • Security Training: All employees go through security training as part of their onboarding, covering topics such as data security, passwords, phishing, physical security, and more. Employees who gain access to PHI data must also undergo annual HIPAA training.
  • Standardized Onboarding/Offboarding: Employees receive minimum permissions by default, and are only granted additional access on an as-needed basis. When employees change roles or are offboarded, their unneeded permissions are removed immediately.
  • Quarterly Access Review: We do a full access review of all employees at least once per quarter.
  • VPN: Accessing internal services requires being connected to our VPN.

Physical Security

  • Data in the Cloud: We don’t store any data on-premises.
  • Office Security: Our building requires badge access to gain entry. We have CCTV and guards stationed 24/7.

Contact Us

If you think you’ve found a vulnerability in Lob, please report it through our bug bounty program or email security@lob.com.

If you have additional questions about our security posture, please email security-requests@lob.com.

If you’d like to encrypt your message to us, here is our PGP key.
