Compliance Certifications
| Certification | Status |
|---|---|
| SOC 2 Type II | ✅ Certified |
| ISO 27001 | ✅ Certified |
| GDPR | ✅ Compliant |
| HIPAA | ✅ BAA available |
| PCI DSS | ✅ Level 1 |
Request compliance documentation at [email protected].
Data Residency
Choosing a Region
All data (servers, block storage, object storage) remains within the selected region. LightYear does not replicate data across regions without explicit configuration.
| Region | Jurisdiction |
|---|---|
| Hong Kong (HKG) | Hong Kong SAR |
| Singapore (SGP) | Republic of Singapore |
| Los Angeles (LAX) | United States |
| Frankfurt (FRA) | European Union |
GDPR Considerations
For EU data subjects, deploy in Frankfurt (FRA) to keep data within the EU. Use a Data Processing Agreement (DPA) — available on request.
Encryption
Data at Rest
All block storage and object storage is encrypted at rest using AES-256.
Data in Transit
All API calls and control plane traffic use TLS 1.2+. Server-to-server traffic on private networks is not encrypted by default — use WireGuard or IPsec for sensitive workloads.
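The WireGuard option mentioned above, as an added example that is not taken from LightYear's documentation: a point-to-point tunnel between two servers, carried over the private network. The 10.0.0.x private addresses, the 10.99.0.x overlay addresses, the port and the key placeholders are assumptions for illustration.

```ini
# ---------- Host A: /etc/wireguard/wg0.conf ----------
# Assumed addressing (constructed for this example):
#   provider private network: 10.0.0.11 (A), 10.0.0.12 (B)
#   WireGuard overlay:        10.99.0.1 (A), 10.99.0.2 (B)
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
# Generate on host A with `wg genkey`; keep the file mode 0600.
PrivateKey = <HOST_A_PRIVATE_KEY>

[Peer]
# Host B. Public key derived on host B with `wg pubkey`.
PublicKey = <HOST_B_PUBLIC_KEY>
# Reach B over the private network, not its public address.
Endpoint = 10.0.0.12:51820
# Accept only B's overlay address from this peer.
AllowedIPs = 10.99.0.2/32

# ---------- Host B: /etc/wireguard/wg0.conf ----------
[Interface]
Address = 10.99.0.2/24
ListenPort = 51820
PrivateKey = <HOST_B_PRIVATE_KEY>

[Peer]
# Host A
PublicKey = <HOST_A_PUBLIC_KEY>
Endpoint = 10.0.0.11:51820
AllowedIPs = 10.99.0.1/32
```

Bring the tunnel up on each host with `wg-quick up wg0`, then point sensitive services at the 10.99.0.x addresses so their traffic crosses the private network only inside the tunnel. Firewall rules on each host should permit UDP 51820 only from the peer's private address.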
Audit Logging
All API calls and control panel actions are logged and retained for 90 days. Access logs via:
- Account → Audit Log in the control panel
- API: `GET /v1/audit-logs`
HIPAA Workloads
For HIPAA-covered workloads:
- Sign a Business Associate Agreement (BAA) with LightYear.
- Deploy in a dedicated tenancy environment (contact sales).
- Enable encryption for all storage volumes.
- Restrict access via firewall rules and VPN.
