Skip to content

Lens Security and Compliance FAQ#

General information#

  • What company owns Lens?

    Lens, Lens Desktop application, Lens subscriptions, and Lens ID are products of Mirantis, Inc.

  • Under what jurisdiction does Mirantis, Inc. operate?

    Mirantis, Inc. is headquartered in the United States of America.

  • Does Mirantis, Inc. have employees abroad?

    Mirantis, Inc. has employees around the world.

  • Did Mirantis, Inc. experience security breaches in the last three years?

    No, Mirantis, Inc. did not experience security beaches in the last three years.

  • Does Mirantis, Inc. have a fully implemented incident response process?

    Yes, Mirantis, Inc. has a fully implemented incident response process.

  • Does Mirantis, Inc. have legal disputes related to security breaches and other similar incidents?

    No, Mirantis, Inc. does not have any legal claims towards Mirantis, Inc.

Employees, security trainings, and workplace security#

  • Does Mirantis, Inc. have a security policy?

    Yes, Mirantis Inc., has a Security Policy.

  • Does Mirantis, Inc. check criminal background of employees, contractors, and other third-parties?

    Mirantis, Inc. checks the background of employees, contractors, and other third-parties. It is a part of standard hiring procedure.

  • Do employees, contractors, and other third-parties get security awareness training and other training related to data security and compliance?

    Employees and contractors receive data security and compliance training on an annual basis.

  • How are workstations of employees secured?

    All internal workstations are encrypted and have barriers against guest entry, anti-malware software. The Mirantis security team constantly updates security for endpoints. Portable workstations such as laptops support remote hard-drive destruction (or wiping) in case of a workstation loss.

Compliance standards and other regulations#

  • Does Lens Desktop comply with FedRAMP?

    No, it does not. Lens Desktop is a desktop application, so it is not a direct subject of the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a United States federal government-wide compliance program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Lens Desktop is not a cloud service, so it is not regulated by FedRAMP. However, the application complies with the best practices of data safety and integrity.

  • Which ECCN identifier does Lens Desktop correspond to?

    Lens Desktop corresponds to the ECCN code of 5D002 (software). An Export Control Classification Number (ECCN) is an identifier used by the U.S. Department of Commerce to categorize items subject to export control restrictions.

  • Is Lens Desktop ENC Restricted?

    No, Lens Desktop is not an ENC Restricted product, as it uses ancillary cryptography. It only requires self-certification reporting.

  • Does Lens Desktop have any self-reports based on VPAT?

    Yes, it does. The Lens Accessibility Conformance Report is based on VPAT Version 2.4 and provided upon request. A Voluntary Product Accessibility Template (VPAT) is a template containing information regarding how an Information and communications technology product or service conforms with Section 508 of the Rehabilitation Act of 1973. Contact the support team to request the Lens Accessibility Conformance Report.

Audit and insurance#

  • Does Mirantis, Inc. do annual internal and external audits of the IT infrastructure and application environments?

    Mirantis, Inc. performs annual audits of the IT infrastructure and application environments. Additionally, there are external audits according to the ISO-27001 standard and Mirantis is ISO 27001 certified.

Development process security#

  • What types of authentication are used for internal services, applications, etc.?

    Employees use Google Account and YubiKey for two-factor authentication.

  • Do employees use VPN for secure access for production and non-production environments?

    Our employees use the Cato Client to access production and non-production environments.

  • How static credentials and secrets are stored?

    Static credentials are stored in the AWS Secrets Vault. Secrets are stored partially in the AWS Secrets Vault and within the Kubernetes platform.

  • Does Lens perform static security scanning?

    Lens does perform static security scanning.

  • How the dependency scanning is organized?

    All dependencies are checked for updates with the help of Dependabot.

  • How the Supply chain Level for Software Artifacts (SLSA) is applied?

    Two-person reviews of all changes are required. The build process is hermetic and reproducible. The self-hosted runners are a part of the CI/CD process for complete control over machine(s).

Lens Desktop application security#

  • Does Lens Desktop require a connection to the internet?

    No. Lens Desktop can be used offline. It requires activation which can be done offline with an activation file downloaded from the Lens ID Portal.

  • Does Lens Desktop undergo any security tests?

    Yes, Lens Desktop has undergone 3rd party penetration testing by specialists in Electron application testing. All vulnerabilities of such tests are usually immediately addressed and remediated. The penetration test results are available upon request.

  • How are critical vulnerabilities found in Lens?

    We have a vulnerability bounty program in place with a top security provider to tap into the skills of the global hacker community to uncover high-risk vulnerabilities faster.

  • Does Lens report vulnerabilities?

    Yes, we do a full disclosure of all CVEs on the NIST National Vulnerability Database that can be found here.

  • Does Lens Desktop provide application signing?

    Lens Desktop is signed for Windows and Apple to assure users that it hasn’t been modified since it was last signed by our release process.

  • Where can I find the third-party software report for Lens Desktop?

    You can find the report in a special file within the application directory. If Lens Desktop is installed to the default directory, the report is located by the following path:

    /opt/Lens/resources/LEGAL.txt

    /Applications/Lens.app/Contents/Resources/LEGAL.txt

    C:\Program Files\Lens\resources\LEGAL.txt

Data security and service availability#

  • What features require a connection to the internet?

    Lens ID, Lens Desktop Kubernetes, and Lens Teamwork are the only features requiring an internet connection.

  • What are the ways of logging/signing in Lens?

    Lens users can choose one of the following options:

    • Username and password
    • GitHub or Google accounts
    • SSO service such as Entra ID, JumpCloud, or Okta
  • Does Lens support multifactor authentication?

    No, Lens does not support multifactor authentication at this time.

  • Does Lens support concurrent sessions per user?

    No, concurrent sessions per user are not supported.

  • Does Lens support automatic logout?

    Yes, Lens supports automatic logout.

  • Does Lens have internal network firewalls for inbound and outbound traffic?

    Yes, the Lens internal network includes firewalls for inbound and outbound traffic.

  • Does the Lens internal network support monitoring, logging, and alerting?

    Yes, the Lens internal network supports monitoring, logging, and alerting.

  • Does Lens support HTTPS?

    Yes, Lens supports HTTPS.

  • Does Lens support role-based access control (RBAC)?

    Yes, Lens users have roles, and access is managed based on these roles.

  • Does Lens use the Advanced Encryption Standard (AES)?

    Yes, Lens Teamwork uses end-to-end encryption with the AES-256 standard. For details, see Cluster Connect.

  • Does Lens use customer data for backups?

    No, Lens does not include customer application data in its backup process.

  • What is Lens's retention policy for customer application data?

    Lens does not store or process customer application data, so no retention policy applies.

  • Do Lens employees have access to customer application data or metadata?

    No, Lens employees do not have access to customer application data or metadata, as this data is not used or stored by Lens.

  • What customer data does Lens store or process?

    Lens stores only basic profile information for the Lens ID. No sensitive data, such as kubeconfigs, local profiles, secrets, or config maps, is uploaded or synced from Lens Desktop to cloud services.

  • Does Lens process data related to customer applications or products?

    No, Lens does not store or process application data from customers. It only manages Lens ID data.

  • What third parties are used by Lens for hosting customer applications?

    None. Lens does not store or process customer application data.

  • Under what jurisdiction is Lens data stored?

    Lens ID data is stored and processed under European Union legislation.

  • How does Lens provide user support?

    Technical support is available for Lens Pro subscribers Monday through Friday.

  • How can users monitor the status of Lens services?

    Users can check the status of Lens cloud services at https://status.k8slens.dev/

  • How does Lens notify users of incidents or planned disruptions?

    Lens informs users via in-app notifications in Lens Desktop and announcements in the Lens Forums