Lyft’s security program is supported by management
Lyft Business maintains an information security program to protect the confidentiality and integrity of our users’ data, based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). The program is supported by Lyft management, is continuously improved by Lyft’s Security team, and is audited against the SOC 2 standard.
Data is protected in our secure infrastructure
Lyft services operate in a dedicated Amazon Web Services (“AWS”) Virtual Private Cloud. Hosts launch with secure configurations and use security groups to filter connections. Connections to Lyft services use secure protocols, e.g. HTTPS (TLS 1.2) and SFTP. Databases that contain user information are encrypted at rest.
Only Lyft personnel have administrative access to our systems and applications; our hosting provider, Amazon Web Services, does not have access to Lyft applications or user data. AWS manages the infrastructure and physical security and allows only strictly limited pre-approved physical access, enforced by mechanisms including access cards and biometric readers. On-site 24x7 security staff monitor the access control systems and video surveillance.
Access to user information is controlled and monitored
Access is based on the Principle of Least Privilege. Authorization to work with user information is granted only to roles with a job requirement; personnel must complete Privacy training prior to being granted such access.
Access to Lyft’s production environment requires multi-factor authentication, as does access to the AWS console. Host management is via SSH. Activity involving user information is monitored, and suspicious behavior generates alerts to the Security team for follow-up.
New personnel receive unique accounts and workstations with basic access during the onboarding process. Additional access must be requested via a support case and approved by the system owner.
Access to Lyft systems is rescinded promptly when no longer needed. Access reviews are conducted regularly.
Customer access is limited to our applications, secure file transfer (for uploads), and APIs; there is no database or operating system level access available for Customers.
Personnel are qualified and trained
Lyft personnel are screened for criminal convictions, employment history, and academic credentials prior to hire. Privacy and Security Awareness training is presented as part of the onboarding process, and Security Awareness training is repeated annually.
The Lyft security team also provides secure coding education to engineering teams.
Vulnerabilities are managed
New code is automatically scanned for security vulnerabilities.
Lyft’s Security team performs regular internal and third-party external infrastructure scans and code base scans, evaluates the identified vulnerabilities, and prioritizes remediation according to risk.
Applications are externally tested via a bug bounty program, which requires responsible disclosure and confidentiality by the testers.
Workstations are remotely managed and have endpoint protection utilities. Automatic screen lock requires a password, and updates are pushed centrally by IT.
Vendor Risk Assessments
Lyft conducts risk assessments of vendors and third parties before using their products or services. Assessments are repeated annually.
Data Privacy
Data collected are used only for the purpose of providing the service to our users. Lyft recognizes that the personal information we process is subject to various privacy regulations. We have a full-time, dedicated Privacy team that analyzes our access to and use of personal information and continuously improves the authorization process, treatment guidelines, incident response, and policies for handling personal information in our systems. The Privacy team is part of our Security organization and contributes to security controls that ensure privacy compliance, including monitoring the activity of Lyft personnel when they access personal information.