LILT pairs context-aware AI with expert human verification to deliver high-consequence multilingual content at enterprise scale. This Trust Center provides transparent access to our security program, including policies, controls, certifications, subprocessors, and live status, with deeper due-diligence materials available under NDA. We offer end-to-end control over data and models across 100+ connectors and flexible deployments (cloud, on-prem, and fully air-gapped). LILT is committed to protecting customer data through layered security controls, strong privacy practices, and continuous risk management, and we regularly enhance our program via employee training, risk assessments, and third-party evaluations to meet or exceed industry standards.

Controls
Access control
Strong identity verification and least-privilege practices restrict system access to authorised users only
All administrative and cloud console accounts require MFA, adding a second verification step that blocks credential-only attacks.
Customers may enforce SSO for their users, simplifying onboarding while keeping credentials under their own identity provider’s governance.
Permissions are assigned to roles aligned with job duties so users receive only the minimum rights needed to perform their work.
Access to production and sensitive data is reviewed at least annually (quarterly for PHI/PII) and revoked immediately when no longer required.
Data security
Encryption, classification and lifecycle controls safeguard customer information from creation to secure deletion
All customer data stored in databases, file systems and backups is protected with AES-256 encryption managed by Lilt-controlled keys.
TLS 1.2+ with HSTS secures every connection to the platform, preventing eavesdropping and downgrade attacks.
A published policy defines restricted, confidential, internal and public data tiers so appropriate security controls are consistently applied.
Customer data is deleted 90 days after account closure and corporate records follow a documented retention table, ensuring information is not stored longer than necessary.
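The transport controls listed above (TLS 1.2+ and HSTS) are the ones a customer can verify from the outside. The following Python snippet is an added example, not LILT's own code: it parses a Strict-Transport-Security header, flags a weak or missing policy, and builds a client TLS context that refuses anything older than TLS 1.2. The sample headers and the 180-day max-age threshold are constructed for the example.

```python
"""Check HSTS headers and a client's TLS floor (added example, not LILT code)."""
import ssl
from typing import Dict, List, Optional

# Threshold for a meaningful HSTS policy; 180 days is an assumption chosen for
# this example, not a value taken from LILT's documentation.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600

# Constructed sample responses (not captured from any real server).
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WEAK_HEADERS = {"strict-transport-security": "max-age=300"}
MISSING_HEADERS: Dict[str, str] = {}


def parse_hsts(value: str) -> Dict[str, object]:
    """Split an HSTS header value into a directive map (names lower-cased)."""
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        # Valueless directives (includeSubDomains, preload) are recorded as True.
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_hsts(headers: Dict[str, str]) -> List[str]:
    """Return findings for the HSTS policy; an empty list means it meets the bar."""
    # Header names are case-insensitive, so look the field up that way.
    value: Optional[str] = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"), None
    )
    if value is None:
        return ["HSTS header missing: first visit over plain HTTP can be downgraded"]

    findings: List[str] = []
    directives = parse_hsts(value)
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        findings.append("max-age directive missing or malformed")
    elif int(max_age) < MIN_HSTS_MAX_AGE:
        findings.append(f"max-age {max_age}s is below {MIN_HSTS_MAX_AGE}s")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains are not protected")
    return findings


def client_tls_context() -> ssl.SSLContext:
    """Client context that verifies certificates and refuses TLS older than 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def enforces_tls12(ctx: ssl.SSLContext) -> bool:
    """True if the context both pins the TLS floor and requires a valid certificate."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2 and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS), ("missing", MISSING_HEADERS)):
        print(label, check_hsts(hdrs) or "ok")
    print("client enforces TLS 1.2+:", enforces_tls12(client_tls_context()))
```

Pass the header dict from any HTTP client response to check_hsts; use client_tls_context when connecting so a downgrade below TLS 1.2 is refused on the client side as well as by the server.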
Application security
Secure development lifecycle, continuous testing and independent assessments keep the code base resilient to attack
Developers follow an Agile SDLC with peer code review, branch protection and ticket-based change tracking to prevent defects from reaching production.
Tools such as Trivy and Wiz scan every build for known CVEs so vulnerable components are remediated before release.
External security specialists perform comprehensive penetration tests each year and engineering promptly fixes any findings.
All changes pass unit, integration and regression tests in staging and require managerial approval before they can be deployed to production.
Infrastructure security
Hardened cloud infrastructure, continuous monitoring and robust key management protect the underlying platform
Workloads run in ISO 27001 and SOC 2 compliant regions with multi-zone redundancy to ensure high availability and physical security.
Processing, storage and content delivery are separated so an issue in one layer cannot compromise the others.
Datadog, Stackdriver and Prometheus collect logs and metrics, raising real-time alerts to engineers for abnormal activity.
Encryption keys are stored in hardware-backed modules, access-controlled per user and rotated at least annually.
Compliance and auditing
Documented controls and third-party assessments demonstrate alignment with leading security and privacy standards
Independent auditors test the security, availability, confidentiality, integrity and privacy controls each year and issue an attestation report.
Data processing agreements, DPIAs and data subject rights procedures ensure personal data handling meets EU requirements.
All administrative actions, access events and system changes are recorded in immutable storage for forensic and compliance purposes.
Penetration tests, vulnerability scans and policy audits by external firms validate that controls remain effective and mature.
Business continuity
Resilient architecture, regular testing and comprehensive backups keep services available during disruptive events
Production workloads run across multiple regions so a data-centre outage does not interrupt customer operations.
Leadership reviews preparation measures every quarter to confirm they remain current and effective.
The team executes tabletop and live recovery drills each year, measuring RTO/RPO and refining procedures.
System and customer data are backed up by daily snapshots to a separate region, encrypted and monitored for success.
Incident response
A trained security incident response team and documented plan enable rapid detection, containment and communication
Clear procedures define roles, escalation paths and communication protocols for handling security events.
Named personnel, including an incident response lead, are on-call to investigate and remediate 24 × 7.
Processes meet the GDPR 72-hour and HIPAA 60-day breach notification requirements, ensuring customers and regulators are informed promptly.
Every incident triggers a lessons-learned session to address root causes and strengthen defences.
Employee security
Screening, training and clear policies create a security-minded workforce
Final candidates undergo background screening proportional to their role before they are hired.
All staff complete onboarding and annual refresher training covering phishing, data handling and policy requirements.
Company laptops and mobile devices must use full-disk encryption, auto-lock and approved antivirus software.
Physical documents and unattended screens are protected and technology resources may only be used for authorised business purposes.
Third-party management
Structured onboarding and oversight processes reduce risk from vendors and suppliers
Security questionnaires and InfoSec checklists evaluate vendors before they gain access to data or systems.
Legal templates ensure suppliers commit to confidentiality and privacy obligations aligned with Lilt and customer requirements.
Only suppliers that pass security, legal and procurement reviews are authorised for production use.
A public list of subprocessors and contractual flow-downs give customers visibility and assurance over downstream providers.
AI governance
Policies and controls manage responsible AI use and protect customer data in machine-learning workflows
Highly restricted data categories may not be entered into standalone AI tools unless explicitly approved by Legal.
All AI-generated content is reviewed and fact-checked by employees before it is shared externally, preventing hallucinations or bias.
The policy mandates opt-in-only training and requires model-training features to remain disabled by default.
Staff may only use company-provided accounts for vetted AI solutions, ensuring usage is auditable and compliant.
Vulnerability management
Continuous scanning, defined SLAs and a public disclosure channel keep the platform free of known weaknesses
Critical and high findings are fixed within 30 business days, medium within 90 and low within 180, providing predictable risk reduction.
Trivy, Wiz and AWS scanners run against code, containers and cloud resources to surface newly published CVEs.
SonarQube enforces coding standards and flags security smells before code can merge to the main branch.
Researchers can report vulnerabilities via a dedicated email and are guaranteed safe harbour, expanding defensive coverage.
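The remediation SLAs above are expressed in business days, so tracking them needs a little more than date subtraction. This Python snippet is an added example, not LILT's own tooling: it maps each severity to its SLA, computes the due date by counting weekdays, and marks open findings that have passed it. The findings are constructed sample records in the shape a scanner export might produce; holidays are ignored, which is a simplification of this example.

```python
"""Remediation SLA tracker for scanner findings (added example, not LILT code)."""
from datetime import date, timedelta
from typing import Dict, List, Optional

# Business-day targets as stated in the vulnerability management section.
SLA_BUSINESS_DAYS: Dict[str, int] = {"critical": 30, "high": 30, "medium": 90, "low": 180}

# Constructed sample findings; ids and dates are invented for the example.
SAMPLE_FINDINGS: List[dict] = [
    {"id": "F-1", "severity": "critical", "opened": date(2024, 1, 2), "fixed": None},
    {"id": "F-2", "severity": "medium", "opened": date(2024, 1, 2), "fixed": None},
    {"id": "F-3", "severity": "high", "opened": date(2024, 1, 2), "fixed": date(2024, 1, 20)},
]


def add_business_days(start: date, days: int) -> date:
    """Advance `start` by `days` weekdays (Mon-Fri); public holidays are not modelled."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 are Monday..Friday
            remaining -= 1
    return current


def due_date(severity: str, opened: date) -> date:
    """Due date for a finding of the given severity opened on `opened`."""
    return add_business_days(opened, SLA_BUSINESS_DAYS[severity.lower()])


def triage(findings: List[dict], today: date) -> List[dict]:
    """Annotate each finding with its due date and whether it is overdue as of `today`."""
    report = []
    for f in findings:
        due = due_date(f["severity"], f["opened"])
        fixed: Optional[date] = f.get("fixed")
        # A finding breaches its SLA only while still open past the due date,
        # or if it was closed after the due date.
        breached = (fixed is None and today > due) or (fixed is not None and fixed > due)
        report.append({**f, "due": due, "overdue": breached})
    return report


def overdue_ids(findings: List[dict], today: date) -> List[str]:
    """Ids of findings that have breached their SLA, for alerting or reporting."""
    return [r["id"] for r in triage(findings, today) if r["overdue"]]


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, date(2024, 3, 1)):
        print(row["id"], row["severity"], "due", row["due"], "overdue" if row["overdue"] else "on track")
```

Run the triage on each scanner export with the current date to get the list that needs escalation; feeding overdue_ids into the alerting pipeline turns the written SLA into an enforced one.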
Key management
Centralised control over cryptographic keys maintains confidentiality and simplifies auditing
Keys are held in tamper-resistant modules, preventing extraction even by privileged insiders.
The key management service rotates encryption keys at least annually or sooner when required.
Distinct user roles separate key administration from key usage, limiting potential misuse.
Secure escrow ensures encryption keys can be recovered during disaster recovery without exposing them during daily operations.