01Security posture
LENS builds and operates AI products for cities, enterprises and critical infrastructure. We treat security as a precondition for that work, not a feature. Our posture is published; our claims are auditable; the sub-processor list below is the exhaustive list of who else can touch data we process.
02Certifications & audits
| Standard | Status | Last assessment |
|---|---|---|
| ISO/IEC 27001:2022 | Certified · BSI | Feb 2026 |
| ISO/IEC 27701:2019 (PIMS) | Certified · BSI | Feb 2026 |
| SOC 2 Type II | Reported · Big Four | Mar 2026 (12-month period) |
| NIST CSF 2.0 | Self-assessed Tier 3 | Apr 2026 |
| STQC (India MeitY) | Empanelled vendor | 2025 |
| HIPAA Security Rule | Aligned (BAA-ready) | Continuous |
Reports under NDA: trust@lenscorp.ai.
03Selected controls
Encryption
TLS 1.2+ in transit (TLS 1.3 preferred). AES-256 at rest using FIPS 140-2 validated modules. Key custody via AWS KMS / Azure Key Vault with annual rotation.
Access
SSO with hardware MFA for production. JIT elevation with reviewer approval. Quarterly access reviews. No standing root access.
Logging
Immutable audit logs for every production action. 1-year hot retention; 6-year cold retention for PHI/regulated workloads.
Network
Zero-trust internal model — every service-to-service call is mutually authenticated. Public ingress only via Cloudflare with WAF + bot management.
SDLC
Required code review by a second engineer. SAST (Semgrep) and SCA (Snyk) on every PR. Dependency upgrade SLA: 7 days for high, 30 days for medium.
Incident response
24×7 on-call. Page-tested every quarter. Customer notification within 72 hours of confirmed incident; 5 business days for HIPAA Breach.
04Sub-processors (current list)
| Processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud infrastructure (general) | ap-south-1, eu-central-1, us-east-1 |
| Microsoft Azure | Cloud infrastructure (UK / UAE / Saudi) | uksouth, uaenorth, saudicentral |
| Cloudflare | WAF, DNS, edge | Global |
| Postmark | Transactional email | us-east-1 |
| HubSpot | CRM & sales engagement | EU instance |
| Plausible | Cookieless analytics | EU (Germany) |
| Linear | Engineering tracking (internal) | us-east-1 |
| Slack | Internal communications | us-east-1 |
Customers receive 30 days’ written notice of any addition. Subscribe to trust@lenscorp.ai to receive notices.
05Vulnerability disclosure
Found something? We want to hear from you. We commit to:
- Acknowledging your report within 2 business days.
- Triaging within 5 business days.
- Not pursuing legal action against good-faith researchers operating under this policy.
Scope
In scope: *.lenscorp.ai, the LENS-operated demo endpoints listed at /security.txt, and our published mobile apps. Out of scope: customer-operated deployments (contact the customer), social engineering, physical attacks, denial of service.
How to report
PGP-encrypted email to security@lenscorp.ai (key fingerprint: 4F2A 8C19 6E3D 7B91 5C42 A0E8 3F27 9D14 6B8E 5A3F). Or via our HackerOne private programme — request an invite at the same address.
06Bug bounty
We pay for valid, novel reports on a sliding scale: USD 100–250 (low), 250–1,000 (medium), 1,000–5,000 (high), 5,000–15,000 (critical). Duplicates and out-of-scope reports are not eligible.
07Contact
- Trust & compliance: trust@lenscorp.ai
- Vulnerability reports: security@lenscorp.ai
- 24×7 incident hotline (customers): +91 11 4117 0170
Need a region-specific notice?
We publish supplemental notices for India, EU/UK, US health, California and Brazil.