Security Addendum

This Security Addendum is incorporated into and made a part of the written agreement between LakeSail, Inc. or its Affiliates (“LakeSail”) and Customer that references this Security Addendum (“Agreement”).

LakeSail maintains a security program consistent with industry-standard security practices (the “Security Program”), and is actively pursuing SOC 2 Type II certification. Pursuant to the Security Program, LakeSail implements and maintains administrative, physical, and technical security measures to protect the Platform Services, Support Services and the security and confidentiality of Customer Content (including any Personal Data that may be contained therein) (each as defined in the Agreement) under LakeSail’s control that is processed by LakeSail in its provisioning of the Platform Services or Support Services (the “Security Measures”). LakeSail’s compliance with this Addendum shall be deemed to satisfy any more general measures included within any Agreement.

LakeSail may review and update this Security Addendum at any time without notice, provided that such updates either make equivalent or enhance Security Measures and do not materially diminish the level of protection afforded to Customer Content by these Security Measures.

  1. Deployment Model
  2. Architecture. LakeSail is a platform-as-a-service offering. The components primarily responsible for managing and controlling the Platform Services are referred to as the “LakeSail Control Plane”. The compute resources that perform data processing operations are referred to as the “Data Plane”. For certain Platform Services, the Data Plane may either be deployed in Customer’s Cloud Service Provider account (known as the “Customer Data Plane”) or, for LakeSail Serverless Compute, in a LakeSail-controlled Cloud Service Provider account (known as the “LakeSail Data Plane”). Data Plane shall refer to both Customer Data Plane and LakeSail Data Plane unless otherwise specified.
  3. Shared Responsibility. LakeSail operates in a shared responsibility model, where both LakeSail and Customer maintain security responsibilities. This is covered in more detail in our Documentation.
  4. Data Storage. Depending on your configuration and which Platform Services features a Customer accesses, LakeSail may process Customer Content stored within Customer’s own Cloud Service Provider account and/or within LakeSail’s infrastructure. See the Documentation for details.
  5. Deployment Region. Customer may choose where their Platform Services Workspaces are deployed from any LakeSail-supported region(s). LakeSail will not, without Customer’s permission, move a Customer Workspace from the region chosen by Customer. See the Documentation for details.
  6. LakeSail’s Audits & Certifications. LakeSail is actively pursuing engagement with an independent third-party auditor to assess the LakeSail Security Program against the following attestation standard:
  • SOC 2 Type II
    To the extent that LakeSail chooses not to continue pursuing or maintaining its attestation with the standard noted above, LakeSail will adopt or maintain an equivalent, industry-standard framework.
  1. Administrative Controls
  2. Monitoring & Logging. LakeSail employs monitoring and logging technology to help detect and prevent unauthorized access attempts to its network and equipment.
  3. Access Review. Active users with privileged access to the Platform Services are reviewed at least quarterly and are promptly removed upon termination of employment. As part of the personnel offboarding process, all accesses are revoked and data assets are securely wiped.
  4. Systems & Network Security
  5. Platform Controls.
  6. Isolation. LakeSail leverages multiple layers of network security controls, including network-level isolation, for separation between the LakeSail development and production environments.
  7. Firewalls & Security Groups. Firewalls are implemented as network access control lists or security groups within LakeSail’s production environment.
  8. Encryption
  9. Encryption of data-in-transit. Customer Content is encrypted using cryptographically secure protocols (TLS v.1.2 or higher) in transit between (1) Customer and the LakeSail Control Plane and (2) the LakeSail Control Plane and the Data Plane. Additionally, depending on functionality provided by the Cloud Service Provider, Customer may optionally encrypt communications between clusters within the Data Plane (e.g., by utilizing appropriate AWS Nitro instances).
  10. Encryption of data-at-rest. Customer Content within LakeSail’s control is encrypted using cryptographically secure protocols (AES-256 bit, or the equivalent or better) while at rest.
  11. Review. Cryptographic standards are periodically reviewed and selected technologies and ciphers are updated in accordance with assessed risk and market acceptance of new standards.
  12. Customer Options; Responsibilities. Customer(s) may choose to leverage additional encryption options for data in transit within the Customer Data Plane (e.g., Customer may utilize AWS Nitro EC2 instances within the Customer Data Plane to provide additional encryption in transit). Customer shall, based on the sensitivity of the Customer Content, configure the Platform Services and Customer Systems to encrypt Customer Content where appropriate (e.g., by enabling encryption at rest for data stored within AWS S3).
  13. Monitoring & Logging
  14. Intrusion Detection Systems. LakeSail leverages security capabilities provided natively by Cloud Service Providers for security detection.
  15. Audit Logs.
  16. Generation. LakeSail generates audit logs from Customer’s use of the Platform Services. The logs are designed to store information about material events within the Platform Services.
  17. Vulnerability Management & Remediation. LakeSail regularly runs authenticated scans against representative hosts in the Software Development Life Cycle (“SDLC”) pipeline to identify vulnerabilities and emerging security threats that may impact the Platform Services. LakeSail will use commercially reasonable efforts to address the following vulnerabilities, with each measured from (a) the date of availability of a compatible, vendor-supplied patch (with respect to publicly declared third party vulnerabilities); or (b) the date such vulnerability is confirmed (with respect to internal vulnerabilities): (i) critical vulnerabilities within 14 days; (ii) high severity vulnerabilities within 30 days; (iii) medium severity vulnerabilities within 60 days. LakeSail leverages the National Vulnerability Database’s Common Vulnerability Scoring System (CVSS), or where applicable, the U.S.-Cert rating, combined with an internal analysis of contextual risk to determine criticality.
  18. Patching.
  19. Control Plane. LakeSail deploys new code to the LakeSail Control Plane on an ongoing basis.
  20. Data Plane. New Data Plane virtual machines use the latest applicable source code and system images upon launch. Customers are encouraged to restart always-on clusters on a periodic basis to take advantage of security patches.
  21. Corporate Controls.
  22. Access Controls
  23. Authentication. LakeSail personnel are authenticated through single sign-on (SSO), 802.1x (or similar) where applicable, and use a unique user ID and password combination and multi-factor authentication where applicable. Privileges are consistent with least privilege principles.
  24. Role-Based Access Controls (RBACs). LakeSail enforces RBACs (based on security groups and access control lists). Only authorized roles, which are defined based on the principle of least privilege and segregation of duties, are allowed to access production systems.
  25. Breach Detection & Response
  26. Security Breaches. “Security Breach” means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content under LakeSail control. A Security Breach shall not include an unsuccessful attempt or activity that does not compromise the security of Customer Content, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents. LakeSail maintains a record of Security Breaches that includes description, dates and times of relevant activities, and disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed Security Breaches, LakeSail will take appropriate, reasonable steps to minimize product and Customer damage or unauthorized disclosure.
  27. Communications & Cooperation. In accordance with applicable data protection laws, LakeSail will notify Customer of a Security Breach for which that Customer is impacted without undue delay after becoming aware of the Security Breach, and take appropriate measures to address the Security Breach, including measures to mitigate any adverse effects resulting from the Security Breach.
  28. Customer Audit Rights
  29. Upon written request and at no additional cost to Customer, LakeSail shall provide Customer, and/or its appropriately qualified third-party representative (subject to confidentiality terms provided in the Agreement), access to reasonably requested documentation evidencing LakeSail’s compliance with its obligations under this Addendum in the form of the relevant audits or certifications listed in Section 3 (LakeSail’s Audits and Certifications) above.
  30. Only to the extent Customer cannot reasonably satisfy LakeSail compliance with this Addendum through the Audit Reports, Customer may send a written request to conduct an audit of LakeSail applicable controls during the term of the Agreement on an annual basis. Following receipt by LakeSail of such a request, LakeSail and Customer shall mutually agree in advance on the details of the audit, including the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit. The Audit Report, audit, and any information arising therefrom shall be considered LakeSail Confidential Information and may only be shared with a third party (including a third party controller) with LakeSail’s prior written agreement.
  31. Notwithstanding any other audit provisions in the Agreement, Customer requests for audits are limited to once per year.
  32. Backups, Business Continuity, and Disaster Recovery
  33. Data Resiliency. LakeSail performs backups for the LakeSail Control Plane, generally managed by the Cloud Service Provider capabilities, for data resiliency purposes in the case of a critical systems failure. While LakeSail backs up certain service elements that persist in the LakeSail Control Plane as part of its systems resiliency, those backups are maintained only for emergency recovery purposes and are not available for Customer.
  34. No Data Restoration. LakeSail does not back up Customer Content, irrespective of where it is stored.

Last Revised May 1, 2026.
