Security Operations
How Lens Agents is run, protected, and supported as a platform — internal access controls, incident response, key management, backups, and the operational commitments that back enterprise deployments.
This page describes what the platform provides publicly. Deployment-specific commitments (SLAs, support tiers, data residency guarantees, encryption-key management options) depend on your chosen deployment model — SaaS or self-hosted — and are agreed during the evaluation engagement.
Deployment models determine scope
Most operational controls differ by deployment model. Decide which you are evaluating, then look for the corresponding row:
| Concern | SaaS (Lens-hosted) | Self-hosted |
|---|---|---|
| Infrastructure ownership | Lens Agents | You |
| Data residency | Lens-hosted region (selectable) | Your cloud, your region, your VPC |
| Operator access to customer data | Audited, role-gated Lens Agents staff access; details on request under NDA | Zero — runs entirely within your environment |
| Encryption-key management | Platform-managed encryption keys; customer-managed key options available for enterprise | Customer-managed end-to-end |
| Backup and disaster recovery | Lens-operated, with documented RPO/RTO shared under NDA | Your backup/DR policy applies |
| Monitoring, uptime, and incident response | Lens-operated, SLA per evaluation agreement | Your ops team operates; Lens Agents provides support per evaluation agreement |
| Change management | Controlled deployment, customer notification for breaking changes | You control upgrade cadence |
| Compliance scope | Covered by Mirantis's organizational controls (SOC 2 Type 1 for Lens K8S IDE; ISO 27001 corporate) while Lens Agents' own SOC 2 report is pending | Deployment is covered by your own compliance program; Lens Agents components are attested independently |
What we document publicly
The following are covered in the public documentation in detail — follow the links:
- Threat model — what Lens Agents protects against, what it does not
- Sandbox isolation — kernel-enforced isolation for every agent action
- Credential isolation — server-side injection, ephemeral CA, zero credentials in agent process
- Audit trail — what is recorded, across which surfaces, with what schema
- Identity and authentication — user and agent identity models, token handling
- Policy engine — authorization semantics for every agent action
- Compliance posture — certifications, audit scope, regulatory readiness
- Data sovereignty — where data resides, per deployment
- Privacy controls — PII detection and masking, domain controls, credential isolation
What we share during evaluation
The following are available on request, typically under NDA, as part of an evaluation engagement:
- SOC 2 Type 1 attestation letter for Lens (K8S IDE), the product Lens Agents inherits controls from; Lens Agents-specific audit timeline shared on request. SOC 2 Type 2 audit covering Lens is under way.
- ISO 27001 certificate (Mirantis Inc., corporate level) and scope statement.
- Third-party penetration test reports (annual engagement).
- Vulnerability disclosure history and published CVEs.
- Incident response runbook summary — detection, escalation, customer-notification timelines, and post-incident review practices for Lens-hosted customers.
- Internal access controls — role separation at Lens Agents, audited operator access paths, and customer-data boundaries.
- Encryption-key management details — algorithms, rotation cadence, customer-managed-key options.
- Backup and disaster-recovery specifications — RPO, RTO, failover and restoration tests for Lens-hosted customers.
- SLA commitments — uptime, response times by support tier.
- Data-processing addendum (DPA) and sub-processor list.
- Data retention and deletion policies per data type, including GDPR data-subject request handling.
- Business continuity plan summary.
Much of this material is organization-specific — self-hosted deployments have a different threat surface than SaaS, and enterprise support tiers differ. We prefer to discuss specifics with context on your environment and requirements rather than publish a one-size-fits-all answer that won't match your actual evaluation.
How to request specifics
During an evaluation engagement, your Lens Agents account team is your point of contact for any of the above. Contact us to start an evaluation.
For security disclosures or vulnerability reports outside an active engagement, email security@lenshq.io.
Related
- Security whitepaper — the full architectural detail this page links out to
- Compliance — certification and audit scope
- Data sovereignty — deployment-specific data residency