Security

LobstaCloud is built with security at its core. We've completed 9 comprehensive security audits and follow industry best practices to protect your data and AI operations.


Security Audits

LobstaCloud has undergone 9 comprehensive security audits covering:

  • Infrastructure and network security
  • Authentication and authorization flows
  • API endpoint security
  • Data encryption and storage
  • Cloud-init and provisioning security
  • Dependency vulnerability scanning
  • Prompt injection attack vectors
  • Rate limiting and DDoS protection
  • GDPR and data privacy compliance

Encryption

Tokens at Rest

All sensitive tokens (API keys, integration credentials, OAuth tokens) are encrypted using AES-256-GCM before being stored. Encryption keys are managed separately from the encrypted data and rotated regularly.
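An added example (not LobstaCloud's own code) of the pattern described above: AES-256-GCM sealing of a stored token, with the keys held in a versioned keyring kept apart from the records so that rotating to a new key does not break ciphertexts written under the old one. The record layout, the in-memory keyring and the sample token value are assumptions for illustration; a production keyring would be backed by a KMS, HSM or vault rather than process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Keyring holds 32-byte AES-256 keys indexed by version. In a real deployment
// the keys live in a separate key store; here they are generated in memory so
// the example runs offline (assumption for this illustration).
type Keyring struct {
	current uint32
	keys    map[uint32][]byte
}

func NewKeyring() *Keyring { return &Keyring{keys: map[uint32][]byte{}} }

// Rotate generates a fresh key and makes it current. Older versions stay in the
// ring so records sealed under them can still be opened and re-sealed lazily.
func (k *Keyring) Rotate() (uint32, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	k.current++
	k.keys[k.current] = key
	return k.current, nil
}

func (k *Keyring) aead(version uint32) (cipher.AEAD, error) {
	key, ok := k.keys[version]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a token with the current key. Record layout (constructed for
// this example): 4-byte key version || 12-byte random nonce || ciphertext || 16-byte tag.
// The version bytes are passed as additional authenticated data, so pointing a
// record at a different key version is detected as tampering.
func (k *Keyring) Seal(plaintext []byte) ([]byte, error) {
	if k.current == 0 {
		return nil, errors.New("keyring has no keys; call Rotate first")
	}
	aead, err := k.aead(k.current)
	if err != nil {
		return nil, err
	}
	record := make([]byte, 4+aead.NonceSize())
	binary.BigEndian.PutUint32(record[:4], k.current)
	// Fresh random nonce per record; a nonce must never repeat under one key.
	if _, err := rand.Read(record[4:]); err != nil {
		return nil, err
	}
	return aead.Seal(record, record[4:], plaintext, record[:4]), nil
}

// Open decrypts a record produced by Seal, choosing the key by the stored version.
func (k *Keyring) Open(record []byte) ([]byte, error) {
	if len(record) < 4+12+16 {
		return nil, errors.New("record too short")
	}
	version := binary.BigEndian.Uint32(record[:4])
	aead, err := k.aead(version)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	return aead.Open(nil, record[4:4+ns], record[4+ns:], record[:4])
}

func main() {
	kr := NewKeyring()
	kr.Rotate()
	rec, _ := kr.Seal([]byte("sk_live_EXAMPLE_NOT_REAL")) // constructed sample token
	kr.Rotate()                                          // rotation: new writes use key 2
	pt, err := kr.Open(rec)                              // old record still opens with key 1
	fmt.Printf("version=%d plaintext=%q err=%v\n", binary.BigEndian.Uint32(rec[:4]), pt, err)
}
```

The point of storing the key version in the record is that rotation becomes a background job (open with the old version, seal with the current one) instead of a flag day, and the authentication tag covers the version bytes so a record cannot be silently re-pointed at another key.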

Data in Transit

All communication uses TLS 1.2+. HSTS headers enforce HTTPS across all endpoints.


Prompt Guard

Prompt Guard is included on all plans — Starter, Pro, and Team.

Prompt Guard is LobstaCloud's built-in defense against AI prompt injection attacks. It analyzes incoming messages and blocks attempts to:

  • Override the AI assistant's system instructions
  • Extract sensitive information through prompt manipulation
  • Hijack the assistant's behavior with injected instructions
  • Perform indirect prompt injection via tool outputs

Prompt Guard runs automatically on all instances with no configuration required.


Infrastructure

GDPR-Compliant European Hosting

LobstaCloud runs on Vultr Cloud infrastructure in the Helsinki, Finland region. This means:

  • All data is stored and processed within the EU
  • Full GDPR compliance for European users
  • Low-latency access for European customers
  • Data never leaves European jurisdiction unless explicitly configured

Server Hardening

Every LobstaCloud instance runs on a hardened server with:

  • SSH key-only authentication — password authentication is disabled
  • Firewall rules — only necessary ports are exposed (HTTP/HTTPS and SSH)
  • Automatic security updates — OS-level security patches are applied automatically
  • Minimal attack surface — only required services are installed and running

Security Headers

All LobstaCloud endpoints include the following security headers:

Header                      Value                                 Purpose
Strict-Transport-Security   max-age=31536000; includeSubDomains   Enforce HTTPS
X-Frame-Options             DENY                                  Prevent clickjacking
X-Content-Type-Options      nosniff                               Prevent MIME sniffing
Content-Security-Policy     Strict policy                         Prevent XSS and injection
Referrer-Policy             strict-origin-when-cross-origin       Control referrer leakage
Permissions-Policy          Restrictive                           Limit browser feature access
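Added example, not LobstaCloud's implementation: a Go middleware that applies the header set from the table above to every response, plus a checker that reports which headers a response is missing so the same list can be verified after a deploy. The concrete Content-Security-Policy and Permissions-Policy strings are assumed, since the page only calls them "strict" and "restrictive".

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// securityHeaders mirrors the table above. The CSP and Permissions-Policy
// values are illustrative assumptions, not the platform's actual policy.
var securityHeaders = map[string]string{
	"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
	"X-Frame-Options":           "DENY",
	"X-Content-Type-Options":    "nosniff",
	"Content-Security-Policy":   "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
	"Referrer-Policy":           "strict-origin-when-cross-origin",
	"Permissions-Policy":        "camera=(), microphone=(), geolocation=()",
}

// WithSecurityHeaders stamps every response, error responses included, with
// the full header set. Doing it in middleware rather than per handler means a
// newly added endpoint cannot forget them.
func WithSecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for name, value := range securityHeaders {
			w.Header().Set(name, value)
		}
		next.ServeHTTP(w, r)
	})
}

// MissingHeaders reports which expected headers are absent from, or differ in,
// a response. Run it against a live endpoint as a post-deploy check.
func MissingHeaders(h http.Header) []string {
	var missing []string
	for name, want := range securityHeaders {
		if h.Get(name) != want {
			missing = append(missing, name)
		}
	}
	return missing
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	// Local loopback test server; HSTS is only honoured by browsers over HTTPS,
	// but the header presence can still be checked here.
	srv := httptest.NewServer(WithSecurityHeaders(app))
	defer srv.Close()
	resp, err := http.Get(srv.URL + "/")
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	fmt.Println("missing:", MissingHeaders(resp.Header))
}
```

Browsers only act on Strict-Transport-Security when it arrives over HTTPS, so the header is checked on the TLS endpoint in practice; the checker above is equally useful for catching a reverse proxy or CDN layer that strips or overrides one of the headers.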

Rate Limiting

All API endpoints are protected by rate limiting using a dual-layer approach:

  • Redis-based (primary) — distributed rate limiting across the platform
  • In-memory fallback — ensures protection even if Redis is temporarily unavailable

Rate limits are applied per API key and per IP address to prevent abuse while allowing legitimate usage.
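Added example (not the platform's code) of the dual-layer design above: a primary limiter stands in for the Redis-backed one, a fixed-window in-memory limiter is the fallback, and when the primary returns an error the request is still limited locally rather than waved through. The Redis stand-in, the fixed-window algorithm, and the 100 requests per minute per API key and 300 per minute per IP figures are assumptions for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Limiter reports whether one more request for key may proceed in the current window.
type Limiter interface {
	Allow(key string, limit int, window time.Duration) (bool, error)
}

// memoryLimiter is a fixed-window counter: the in-memory fallback layer.
// It is per process, so limits are enforced per instance, not platform-wide.
type memoryLimiter struct {
	mu      sync.Mutex
	windows map[string]*windowCount
	now     func() time.Time // injectable clock so the example is testable offline
}

type windowCount struct {
	start time.Time
	count int
}

func newMemoryLimiter(now func() time.Time) *memoryLimiter {
	return &memoryLimiter{windows: map[string]*windowCount{}, now: now}
}

func (m *memoryLimiter) Allow(key string, limit int, window time.Duration) (bool, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	t := m.now()
	w, ok := m.windows[key]
	if !ok || t.Sub(w.start) >= window {
		w = &windowCount{start: t}
		m.windows[key] = w
	}
	if w.count >= limit {
		return false, nil
	}
	w.count++
	return true, nil
}

var errUnavailable = errors.New("primary limiter unavailable")

// flakyPrimary is a constructed stand-in for the Redis-backed limiter; it
// fails with errUnavailable when down so the fallback path can be exercised.
type flakyPrimary struct {
	inner *memoryLimiter
	down  bool
}

func (f *flakyPrimary) Allow(key string, limit int, window time.Duration) (bool, error) {
	if f.down {
		return false, errUnavailable
	}
	return f.inner.Allow(key, limit, window)
}

// DualLimiter tries the distributed primary first and falls back to the local
// limiter on error, so a Redis outage never turns into "no rate limiting".
type DualLimiter struct {
	Primary, Fallback Limiter
	Fallbacks         int // how often the fallback path ran; worth alerting on
}

func (d *DualLimiter) Allow(key string, limit int, window time.Duration) bool {
	ok, err := d.Primary.Allow(key, limit, window)
	if err == nil {
		return ok
	}
	d.Fallbacks++
	ok, _ = d.Fallback.Allow(key, limit, window)
	return ok
}

// Check applies the per-API-key limit and the per-IP limit; both must allow.
func (d *DualLimiter) Check(apiKey, ip string) bool {
	return d.Allow("key:"+apiKey, 100, time.Minute) && d.Allow("ip:"+ip, 300, time.Minute)
}

func main() {
	primary := &flakyPrimary{inner: newMemoryLimiter(time.Now)}
	d := &DualLimiter{Primary: primary, Fallback: newMemoryLimiter(time.Now)}
	fmt.Println("primary up:  ", d.Check("key-A", "203.0.113.5")) // constructed sample values
	primary.down = true
	fmt.Println("primary down:", d.Check("key-A", "203.0.113.5"), "fallbacks:", d.Fallbacks)
}
```

The fallback is deliberately weaker than the primary (per-process counters cannot see traffic hitting other instances), which is why the Fallbacks counter matters: a sustained non-zero rate is the signal that the platform is running on the degraded layer.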


Setup Token

When a new instance is provisioned, a one-time setup token is generated. This token:

  • Is required to complete initial instance configuration
  • Expires after first use
  • Cannot be reused or regenerated
  • Ensures only the instance owner can complete setup
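Added example of a one-time setup token with the four properties listed above, not LobstaCloud's own code: only a SHA-256 hash of the token is stored, the comparison is constant-time, and validation and burning happen under one lock so two concurrent attempts cannot both succeed. Keeping the token in memory and the 32-byte hex format are assumptions for this illustration; there is intentionally no regenerate method.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

var (
	ErrInvalid = errors.New("setup token invalid")
	ErrUsed    = errors.New("setup token already used")
)

// SetupToken stores only the hash of the token, so reading the record alone
// does not yield a usable token; the plaintext is shown once, at provisioning.
type SetupToken struct {
	mu   sync.Mutex
	hash [32]byte
	used bool
}

// Issue creates a token and returns the plaintext to hand to the instance owner.
// 32 random bytes (256 bits) make guessing infeasible.
func Issue() (*SetupToken, string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, "", err
	}
	plain := hex.EncodeToString(raw)
	return &SetupToken{hash: sha256.Sum256([]byte(plain))}, plain, nil
}

// Consume validates the presented token and burns it in one critical section.
// A wrong value is rejected, a correct value succeeds exactly once, and any
// later presentation of it fails with ErrUsed.
func (s *SetupToken) Consume(presented string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	h := sha256.Sum256([]byte(presented))
	if subtle.ConstantTimeCompare(h[:], s.hash[:]) != 1 {
		return ErrInvalid
	}
	if s.used {
		return ErrUsed
	}
	s.used = true
	return nil
}

func main() {
	tok, plain, err := Issue()
	if err != nil {
		panic(err)
	}
	fmt.Println("first use: ", tok.Consume(plain))  // nil: setup completes
	fmt.Println("second use:", tok.Consume(plain))  // ErrUsed: token is spent
	fmt.Println("wrong:     ", tok.Consume("nope")) // ErrInvalid
}
```

Hashing the token before storage means a leaked provisioning database does not hand out live setup tokens, and checking under the mutex (rather than check-then-set in two steps) is what makes "expires after first use" hold under concurrent requests.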

Cloud-Init Security

LobstaCloud uses cloud-init for server provisioning. Security measures include:

  • Secrets are cleaned from logs — sensitive data passed during provisioning is scrubbed from cloud-init logs
  • User-data is deleted — the cloud-init user-data file (which may contain secrets) is deleted after provisioning completes
  • Minimal privilege — provisioning scripts run with the minimum permissions required
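Added example (not cloud-init's or LobstaCloud's code) of the log-scrubbing step above: secret values that were handed to the provisioner are replaced verbatim wherever they appear, and secret-looking assignments and bearer headers are redacted by pattern as a second line of defence. The regular expressions and the sample log lines are constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// rule pairs a pattern with its replacement template.
type rule struct {
	re   *regexp.Regexp
	repl string
}

// Scrubber redacts known secret values and common secret-bearing fragments
// from provisioning output before it is written to disk or shipped anywhere.
type Scrubber struct {
	known []string
	rules []rule
}

// NewScrubber takes the exact secret values passed into provisioning so they
// can be removed verbatim; the patterns catch secrets the caller did not list.
func NewScrubber(knownSecrets ...string) *Scrubber {
	return &Scrubber{
		known: knownSecrets,
		rules: []rule{
			// NAME=value assignments where NAME looks like a secret (constructed pattern)
			{regexp.MustCompile(`(?i)\b([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|API_KEY)[A-Z0-9_]*)=[^\s"']+`), "${1}=[REDACTED]"},
			// Authorization: Bearer <token> headers echoed by curl -v or debug output
			{regexp.MustCompile(`(?i)(Authorization:\s*Bearer\s+)[^\s"']+`), "${1}[REDACTED]"},
		},
	}
}

// Scrub returns the line with secrets replaced. Known values are handled first
// so a value that happens not to match any pattern is still removed.
func (s *Scrubber) Scrub(line string) string {
	for _, secret := range s.known {
		if secret != "" {
			line = strings.ReplaceAll(line, secret, "[REDACTED]")
		}
	}
	for _, r := range s.rules {
		line = r.re.ReplaceAllString(line, r.repl)
	}
	return line
}

// ScrubAll scrubs every line and reports how many were changed, which is a
// useful metric: a sudden rise means a new script started logging secrets.
func (s *Scrubber) ScrubAll(lines []string) ([]string, int) {
	out := make([]string, len(lines))
	changed := 0
	for i, l := range lines {
		out[i] = s.Scrub(l)
		if out[i] != l {
			changed++
		}
	}
	return out, changed
}

func main() {
	// Constructed sample of provisioning output; none of these values are real.
	logLines := []string{
		"Cloud-init v. 23.1 running 'modules:final'",
		"echo s3cr3t-value > /etc/app/key",
		"Setting SETUP_TOKEN=abc123def456 for first boot",
		`curl -H "Authorization: Bearer eyJ.fake.token" https://api.example/v1`,
	}
	clean, n := NewScrubber("s3cr3t-value").ScrubAll(logLines)
	for _, l := range clean {
		fmt.Println(l)
	}
	fmt.Println("lines redacted:", n)
}
```

Scrubbing is the second of two controls, not a substitute for the first: the user-data file itself is deleted after provisioning because a pattern-based scrubber will always miss some secret it was never told about, whereas removing the source file leaves nothing to scrub.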

Responsible Disclosure

If you discover a security vulnerability in LobstaCloud, please report it responsibly:

  • Email: security@redlobsta.com
  • Response time: We aim to acknowledge reports within 24 hours
  • Scope: All LobstaCloud infrastructure, APIs, and client-facing services
Please do not publicly disclose vulnerabilities before we've had a chance to address them. We appreciate responsible disclosure and will credit reporters (with permission) in our security advisories.


Summary

Security Measure            Status
Security audits completed   9
Encryption at rest          AES-256-GCM
Encryption in transit       TLS 1.2+
Prompt injection defense    Prompt Guard (all plans)
Infrastructure location     EU (Helsinki, Finland)
GDPR compliance             Yes
Rate limiting               Redis + in-memory fallback
SSH hardening               Key-only, no passwords
Security headers            Full suite (HSTS, CSP, etc.)