Lens Security and Compliance FAQ

General information

• What company owns Lens?

  Lens, Lens Desktop application, Lens subscriptions, and Lens ID are products of Mirantis, Inc.

• Under what jurisdiction does Mirantis, Inc. operate?

  Mirantis, Inc. is headquartered in the United States of America.

• Does Mirantis, Inc. have employees abroad?

  Mirantis, Inc. has employees around the world.

• Did Mirantis, Inc. experience security breaches in the last three years?

  No, Mirantis, Inc. did not experience security beaches in the last three years.

• Does Mirantis, Inc. have a fully implemented incident response process?

  Yes, Mirantis, Inc. has a fully implemented incident response process.

• Does Mirantis, Inc. have legal disputes related to security breaches and other similar incidents?

  No, Mirantis, Inc. does not have any legal claims towards Mirantis, Inc.

Employees, security trainings, and workplace security

• Does Mirantis, Inc. have a security policy?

  Yes, Mirantis Inc., has a Security Policy.

• Does Mirantis, Inc. check criminal background of employees, contractors, and other third-parties?

  Mirantis, Inc. checks the background of employees, contractors, and other third-parties. It is a part of standard hiring procedure.

• Do employees, contractors, and other third-parties get security awareness training and other training related to data security and compliance?

  Employees and contractors receive data security and compliance training on an annual basis.

• How are workstations of employees secured?

  All internal workstations are encrypted and have barriers against guest entry, anti-malware software. The Mirantis security team constantly updates security for endpoints. Portable workstations such as laptops support remote hard-drive destruction (or wiping) in case of a workstation loss.

Audit and insurance

• Does Mirantis, Inc. do annual internal and external audits of the IT infrastructure and application environments?

  Mirantis, Inc. performs annual audits of the IT infrastructure and application environments. Additionally, there are external audits according to the ISO-27001 standard and Mirantis is ISO 27001 certified.

Development process security

• What types of authentication are used for internal services, applications, etc.?

  Employees use Google Account and YubiKey for two-factor authentication.

• Do employees use VPN for secure access for production and non-production environments?

  Our employees use the Cato Client to access production and non-production environments.

• How static credentials and secrets are stored?

  Static credentials are stored in the AWS Secrets Vault. Secrets are stored partially in the AWS Secrets Vault and within the Kubernetes platform.

• Does Lens perform static security scanning?

  Lens does perform static security scanning.

• How the dependency scanning is organized?

  All dependencies are checked for updates with the help of Dependabot.

• How the Supply chain Level for Software Artifacts (SLSA) is applied?

  Two-person reviews of all changes are required. The build process is hermetic and reproducible. The self-hosted runners are a part of the CI/CD process for complete control over machine(s).

Lens Desktop application security

• Does Lens Desktop require a connection to the internet?

  No. Lens Desktop can be used offline. It requires activation which can be done offline with an activation file downloaded from the Lens ID Portal.

• Does Lens Desktop undergo any security tests?

  Yes, Lens Desktop has undergone 3rd party penetration testing by specialists in Electron application testing. All vulnerabilities of such tests are usually immediately addressed and remediated. The penetration test results are available upon request.

• How are critical vulnerabilities found in Lens?

  We have a vulnerability bounty program in place with a top security provider to tap into the skills of the global hacker community to uncover high-risk vulnerabilities faster.

• Does Lens report vulnerabilities?

  Yes, we do a full disclosure of all CVEs on the NIST National Vulnerability Database that can be found here.

• Does Lens Desktop provide application signing?

  Lens Desktop is signed for Windows and Apple to assure users that it hasn’t been modified since it was last signed by our release process.

• Where can I find the third-party software report for Lens Desktop?

  You can find the report in a special file within the application directory. If Lens Desktop is installed to the default directory, the report is located by the following path:

  Linux (deb and rpm packages)macOSWindows

  /opt/Lens/resources/LEGAL.txt

  /Applications/Lens.app/Contents/Resources/LEGAL.txt

  C:\Program Files\Lens\resources\LEGAL.txt

Data security

• What features require a connection to the internet?

  Lens ID, Lens Desktop Kubernetes, and Lens Teamwork are the only features that require a connection to the internet.

• What are the ways of logging/signing in Lens?

  Lens users can log in the system using the login-password pair and through the single sign-in mechanism (SAML) using the GitHub or Google account.

• Does Lens support multifactor authentication?

  No, it does not support multifactor authentication.

• Does Lens support concurrent sessions per user?

  No, Lens does not support concurrent sessions per user.

• Does Lens support automatic log out?

  Yes, Lens supports automatic log out.

• Does Lens have internal network firewalls for inbound and outbound traffic?

  Yes, the Lens internal network has firewalls for inbound and outbound traffic.

• Does the Lens internal network support monitoring, logging, and alerting?

  Yes, the Lens internal network supports monitoring, logging, and alerting.

• Does Lens support HTTPS?

  Yes, Lens supports HTTPS.

• Does Lens support role-based distribution of credentials?

  Yes, Lens users have different roles and credentials based on these roles.

• Does Lens use the Advanced Encryption Standard (AES)?

  When using Lens Teamwork all data is e2e encrypted using the AES-256 encryption standard. See Cluster Connect for details.

• Does the Lens environment use customer data when making backups?

  Lens does not use application data of customers in the backup process.

• What is the retention policy of Lens for application data of customers?

  Lens does not use application data of customers, so there is no retention policy regarding application data of customers.

• Do Lens employees have access to customer application data or metadata?

  Lens does not use application data of customers, so Lens employees do not have access to customer application data or metadata.

Hosting and availability

• What customer data does Lens store and/or process?

  Lens provides an identity with basic profile information through the Lens ID. No sensitive data such as kubeconfigs, local profiles, secrets, or config maps is uploaded or synced from Lens Desktop to Lens cloud services.

• Does Lens store and process data that is related to applications and other products of customers?

  No, Lens does not use application data of customers. Lens stores and processes the data only related to the Lens ID.

• What third-parties are used by Lens for hosting applications of customers?

  The Lens team does not use third-parties, as no customer application data is stored and processed by Lens.

• What jurisdiction covers the data that Lens stores?

  The Lens ID data is stored and processed according to the European Union legislation.

• How does Lens support users?

  The technical support team provides services to Lens Pro subscribers Monday through Friday.

• Does Lens have a mechanism that indicates its status?

  You can monitor status of all Lens cloud services at: https://status.k8slens.dev/ .

• How does Lens inform users of incidents or planned disruptions in service?

  When there are incidents or planned disruptions in service there are in-app announcements in the notification center of Lens Desktop as well in the Announcements section of the Lens Forums .