LastPass provides password and identity management solutions that are easy to manage and effortless to use for individuals and businesses. With users in nearly every country around the world, we maintain a global data privacy program designed to secure and protect the data entrusted to us by our customers and users.
LastPass’ data privacy program is designed to respond to today’s applicable privacy rules and regulations and takes into account many of the world’s major data protection regimes, including, but not limited to:
LastPass has obtained the TRUSTe Enterprise Privacy & Data Governance Practices Certification to further demonstrate our ongoing commitment to data protection. To view our certification status please click here.
In addition to maintaining Terms of Service and Privacy Policies designed to support and adapt to changing regulatory requirements and industry standard practices, LastPass is pleased to offer a comprehensive global Data Processing Addendum (“DPA”), available here (in multiple languages), which is designed to meet the requirements of applicable data privacy laws and regulations, including the CCPA, GDPR, and LGPD. Key features of our DPA include:
We are dedicated to ensuring that our services continue to comply with the applicable provisions of the CCPA (and the CPRA, once in effect), and that our privacy and security measures are meeting or exceeding industry standard practices. To account for CCPA, our global DPA includes: (a) definitions which are mapped to CCPA; (b) applicable access and deletion rights; and (c) warranties that LastPass will not sell our users’ ‘personal information.’
Our DPA incorporates several GDPR-focused data privacy protections, including: (a) data processing details, sub-processor disclosures, etc. as required under Article 28; (b) the revised 2021 Standard Contractual Clauses (the “SCCs”) to permit lawful transfer of ‘personal data’ under Chapter 5; and (c) the incorporation by reference of LastPass' technical and organizational measures documentation.
LastPass has taken steps designed to ensure that our Brazilian customers can benefit from and use our products in compliance with the LGPD. These steps include provisions in our DPA that: (a) address LastPass’ compliance with LGPD; (b) support lawful transfers of personal data to/from Brazil; and (c) ensure that our users enjoy the same privacy benefits as our other global users.
The SCCs are standardized contractual terms, recognized and adopted by the European Commission, drafted to help ensure that any personal data leaving the EEA will be transferred in compliance with EU data protection law. LastPass’ DPA offers customers the latest SCCs, issued by the European Commission on June 4, 2021, that make specific guarantees around transfers of personal data for in-scope LastPass services as can be found here. Execution of the SCCs helps ensure that LastPass customers can freely move data from the EEA to the rest of the world.
To help ensure sufficient service availability, uptime, and redundancy to provide our global user base with the best possible experience, LastPass uses a combination of geographically distributed physical co-location facilities and cloud hosting providers that perform replication in near-real-time.
To learn more about LastPass’ data centers and locations of processing, consult the LastPass Sub-processor Disclosure and Affiliate Disclosures located in the Product Resources section of our Trust and Privacy Center at Trust Center.
LastPass' product offerings feature comprehensive technical privacy controls and capabilities which include data retention, deletion, export (into a machine-readable format), and access functionality. Please consult the Technical and Organizational Measures (“TOMs”) documentation available in the Trust and Privacy Center for more details.
LastPass’ technical and organizational security measures are designed to prevent unauthorized access to personal data, and to ensure the ongoing confidentiality, integrity and availability of LastPass’ products and services. Detailed information regarding LastPass’ zero-knowledge encryption capabilities and other comprehensive security measures can be found in the Trust & Privacy Center’s Product Resources page.
LastPass engages with first- and third-party sub-processors to provide and operate our services. Please consult the Trust & Privacy Center’s Product Resources page to review service or hosting and processing locations, including affiliate and third-party sub-processor disclosures.