This policy was created to provide greater transparency regarding the guidelines used by LastPass to determine how and when we will process demands received from law enforcement, national security, and other regulatory bodies (“Government”) for information about our users, customers, and/or end-users (“User Information”).
Additionally, although this policy is not specifically intended to address requests for User Information arising from private or commercial disputes, LastPass will, as applicable, take the same precautions for those requests as for Government requests.
Safeguarding User Information
Upon receipt of a Government request for User Information, LastPass takes the following steps before responding:
- Subject. Wherever possible, LastPass believes that the Government should first seek to obtain information directly from the user or customer who is the subject of the investigation before requesting such Information from LastPass.
- Authority.LastPass will only provide User Information if the Government has appropriate authority under applicable law to request it. Absent a valid warrant, subpoena, court order, equivalent legal process, or emergency situation, it is LastPass’s position not to provide User Information to the Government.
- Scope.Wherever possible, LastPass will seek to ensure that any request for User Information is reasonable in scope and limited to a specific account. LastPass may request additional context if the nature of the investigation is not clear and may push back on the request for other reasons. In the event LastPass does provide any user information, it will seek to share only the minimum amount of information required to comply with the demand.
- Notice.Except in circumstances where LastPass has been advised by the Government not to notify, is prohibited from doing so, or there is a clear indication of illegal or malicious conduct or risk of harm, LastPass will notify the customer of a request before disclosing any User Information so that the customer may seek available legal remedies.
All Government requests must be issued pursuant to applicable laws and made through official channels (e.g., executed order, Government e-mail address, etc.). In addition, requests must be made under appropriate legal basis, and a Mutual Legal Assistance
Treaty request, a request from a country meeting the obligations under the U.S. CLOUD Act, letter rogatory, or other form of domestication may be required to establish the legal basis of an international request.
We will review all international Government requests on a country-by-country and caseby-case basis in order to consider and balance our local legal obligations against our commitments to promote users’ safety and privacy. We may choose to respond differently to requests from different countries where these commitments conflict with local law.
Information We Can Provide
Because LastPass utilizes a zero-knowledge security model, LastPass does not have, and cannot obtain, access to the sensitive contents of customer vaults in unencrypted form. Therefore, LastPass cannot provide such information in response to a Government request.
The vast majority of requests we receive are for basic customer account-level information in connection with a Government investigation of potential fraud or other violation of law.
Information Governments Must Provide
Government officials are asked to ensure that any requests for User Information be reasonable in scope and narrowly tailored to request only the information needed to complete their investigation. If you are a Government requestor, please provide as much detail as possible to help us respond in an effective and timely manner. The following information is typically most helpful:
- User email address.Most User Information is identified using the Master Account Holder email address. Therefore, the email address associated with the account is the most helpful identifying information.
- Billing address and/or credit card information for paid accounts.In some instances, we will be able to identify an account based on the last four digits of the credit or debit card used to purchase the services and the date of the transaction. Please note that, for paid accounts, LastPass does not possess any credit or debit card information beyond the last four digits. Also, some LastPass accounts are free and therefore have no associated payment information.
Each request must also include contact information for the authorized Government official, including:
- Agency name
- Agent name and badge/identification number
- Agent employer-issued email address
- Agent phone number, including any extension
- Agent mailing address
- Requested response date
Where to Submit a Request
LastPass accepts Government requests via email at firstname.lastname@example.org.
While we agree to accept requests by this method, neither LastPass nor our customers waive any legal rights based on this accommodation. Additionally, e-mail requests must be made from an official Government e-mail address.