Regulatory Compliance

Modern data protection and retention requirements can be difficult to interpret and evidence. Lightsafe is designed to support MSPs with security controls, regional storage options and auditability that help them meet client and regulatory expectations.

Lightsafe does not replace legal or compliance advice, but it does provide practical controls that support internal governance, customer due diligence and regulated backup operations.

This includes controls such as client-controlled encryption keys, MFA, immutable backup design, audit logging and storage hosted on infrastructure with established security certifications.

Lightsafe is an Official Backblaze Alliance Partner. Backblaze (Nasdaq: BLZE) holds a company-wide SOC 2 Type 2 report and provides HIPAA compliance support, GDPR readiness, Object Lock immutability and durability controls for over 500,000 customers worldwide.

Lightsafe Security Controls

  • Client-controlled encryption keys

  • MFA for account access

  • Audit logging

  • Immutable backup design

Infrastructure Controls

  • Regional storage options

  • Durability and physical security of underlying infrastructure

  • Storage-provider certifications and evidence availability

Shared Responsibility

  • Retention choices

  • Restore testing

  • Access control within customer environments

Specific Compliance Standards

GDPR & UK GDPR - Lightsafe processes personal data in line with the General Data Protection Regulation (GDPR) and UK GDPR. Data Processing Agreements (DPAs) covering EEA/EU and UK data subjects are available to support your own compliance obligations.

HIPAA - Lightsafe can provide a Business Associate Agreement (BAA) upon request for business customers who are Covered Entities under the Health Insurance Portability and Accountability Act (HIPAA).

SOC 2 Type 2 - Lightsafe has completed a Service Organization Control (SOC) 2 Type 2 examination by an independent third-party audit firm. A Type 2 report attests that controls operated effectively over a review period, not just that they were designed correctly at a point in time. Lightsafe operates in data centers that have also completed SOC 2 examinations.

PCI DSS - Lightsafe uses Stripe, a PCI DSS Level 1 service provider, to store and process card information, which keeps cardholder data out of Lightsafe's own systems and reduces its PCI DSS scope. Combined with Lightsafe's internal security controls, this supports Lightsafe's adherence to the Payment Card Industry Data Security Standard (PCI DSS) requirements.

COBIT - Lightsafe's governance practices are aligned with COBIT, a business-oriented IT governance framework that helps organisations manage risk and compliance.

CYBER ESSENTIALS - Lightsafe fulfils the requirements of Cyber Essentials, the UK government-backed cyber security certification that is assessed annually.

NIST - Lightsafe supports the NIST Cybersecurity Framework (CSF), the US government framework that helps businesses understand and manage cybersecurity risk.

HECVAT - Lightsafe's storage partner has completed the Higher Education Community Vendor Assessment Tool (HECVAT) assessment, which can be accessed via Whistic.

StateRAMP Progressing Snapshot - Lightsafe's storage provider is listed as a Progressing Product in the State Risk and Authorization Management Program (StateRAMP) Authorized Product List.

ISO 27000 Series - Lightsafe predominantly utilizes data centers that hold International Organization for Standardization (ISO/IEC) 27001 certificates, which can be accessed via Whistic. ISO/IEC 27001 is the certifiable management-system standard; the other standards in the series listed below are guidance documents rather than certifications:

  • 27001 and 27002 (information security management system and controls)
  • 27018 (protection of personal data in public clouds)
  • 27031 (ICT readiness for business continuity and disaster recovery)
  • 27040 (storage security)
  • 27799 (information security management in healthcare)

TX-RAMP Provisional - Lightsafe's storage partner is listed in the Texas Risk and Authorization Management Program (TX-RAMP) Certified Cloud Products list with a Certification Status of TX-RAMP Provisional.

TPN - Lightsafe's storage partner has obtained Trusted Partner Network (TPN) Blue Shield status that is aligned with the Motion Picture Association (MPA) Content Security Best Practices (CSBP) framework.

CCPA/CPRA - Lightsafe's storage partner satisfies California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA) privacy obligations, including consumer request, data inventory, and a privacy notice.

Internet2 - Lightsafe's storage partner has completed the Internet2 Cloud Scorecard for research and educational institutions, and connects to the Internet2 network as part of the Internet2 Peer Exchange (I2PX) program. Lightsafe works closely with leading third-party organizations to address security and privacy requirements.

Each organisation, wherever it operates, will have a unique perspective on the security frameworks to which it should adhere.  This will be based on a number of factors including international legal requirements, client expectation and how backup/restore protocols might impact day-to-day operations and business continuity in the event of a disaster.

Lightsafe provides a range of compliance achievements and security-related services to safeguard account access and the data within accounts. Our storage partner holds a SOC 2 Type 2 report. Key features that keep your data secure and compliant with GDPR/UK GDPR, PCI DSS and ISO 27001 include multi-factor authentication, application keys, access management controls, server-side encryption (SSE) at the storage layer in addition to Lightsafe's own client-held-key encryption, and Object Lock immutability. Data is stored in infrastructure designed for eleven nines (99.999999999%) durability. All data centers have best-in-class physical security and are staffed 24/7/365.

Whatever the specific compliance environment, every organisation will certainly require the following, which Lightsafe has been expressly designed to address: 

  • Daily local and offsite backups - Easily managed through central Lightsafe platform.

  • 3-2-1 Backup strategy (3 copies of your data, on 2 different media, with 1 copy offsite) - Lightsafe's cloud solution provides the secure offsite copy; the simple Local Backup option lets you automate further LAN/WAN copies of your data.

  • Physical security - Data is held, AES encrypted, in at least one secure data centre - under the control of a NASDAQ-listed corporation - in your region of choice.

  • Account security - Protect your Lightsafe account with multi-factor authentication; additionally, all data is encrypted using an encryption key that only you hold.

  • Encryption - All Lightsafe data is encrypted with AES-256 before it leaves your machine and remains encrypted in transit and at rest. Lightsafe cannot read your original data, and cannot recover it if the key is lost, so keep your encryption keys secure and stored separately from the backups they protect.

  • Retention - Simply choose your preferred Account/Profile/Machine retention periods through the Lightsafe platform

  • Auditing - Records and reports account logins with their source IP addresses, and all Account/Profile/Machine modifications.

  • Reporting - The Lightsafe Platform gives an at-a-glance summary of running, failed and cancelled jobs, and of servers with no scheduled backups. You configure your own level of granular reporting by Account/Profile/Machine on every success/complete/failed/cancelled backup event.

  • Immutability - Changes are written to new blocks rather than overwriting existing ones, so every change produces a new immutable version that is kept for your specified retention period.

  • Testing - Your Platform Account Overview shows the last restore date for each machine. Test-restoring your backups regularly is good practice, and it is the only way to prove a backup is actually recoverable. Lightsafe sends monthly email restore reports and reminds you if a machine has not been restored within the past quarter, helping you meet your specified data compliance standards.

Each of these measures is designed to help you meet your regulatory cyber security, data transfer and storage requirements.