Security

How we protect your data and infrastructure.

Security is foundational to everything we build at Lenno. As an AI agent orchestration platform, we understand that you are entrusting us with sensitive configurations, credentials, and data flows. We take that responsibility seriously.

Our security architecture is designed around the principle of defence in depth: multiple independent layers of protection ensure that no single point of failure can compromise your data or your agents.

Encryption

All data is encrypted both in transit and at rest using industry-standard protocols.

  • TLS 1.3 for all data in transit, including API calls, WebSocket connections, and inter-service communication.
  • AES-256 encryption at rest for all stored data, including database contents and file storage.
  • Field-level encryption via Cloak for sensitive fields such as API keys, tokens, and credentials.

Access Control

Fine-grained permissions ensure that only authorised users and processes can access resources.

  • Role-based access control (RBAC) with granular permissions for team members and API keys.
  • Multi-factor authentication (MFA) available for all accounts, enforced for admin roles.
  • Scoped API tokens with configurable expiry and least-privilege access.

Infrastructure Isolation

Every agent runs in its own isolated environment with strict resource boundaries.

  • Incus containers provide full OS-level isolation for each agent, preventing cross-tenant data leakage.
  • Network segmentation ensures agents cannot communicate with other tenants' resources.
  • Ephemeral execution environments are destroyed and recreated for task-oriented agents.

Monitoring and Detection

Continuous monitoring across all layers ensures threats are identified and addressed quickly.

  • Real-time alerting for suspicious activity, including unusual API call patterns and failed authentication attempts.
  • Anomaly detection powered by statistical baselines to identify deviations in agent behaviour and resource usage.
  • Comprehensive audit logging of all administrative actions, agent operations, and data access events.

Compliance

We maintain compliance with major data protection regulations and industry standards.

  • GDPR compliant with data processing agreements, lawful basis documentation, and data subject rights workflows.
  • PDPA compliant under Singapore's Personal Data Protection Act, with an appointed Data Protection Officer.
  • Regular assessments including vulnerability scanning, dependency audits, and security reviews.

Incident Response

A documented and tested incident response process ensures we act swiftly when issues arise.

  • 72-hour notification commitment for data breaches affecting personal data, as required by GDPR.
  • Defined severity levels with escalation procedures, on-call rotations, and post-incident review processes.
  • Transparent communication with affected customers via our status page and direct notification.

Responsible Disclosure

We value the work of security researchers and welcome reports of vulnerabilities in our systems. If you believe you have found a security issue in the Lenno platform, we encourage you to disclose it to us responsibly.

How to Report

Please send your findings to security@lenno.ai. Include as much detail as possible: a description of the vulnerability, steps to reproduce, affected components, and any proof-of-concept code. Please encrypt your report using our PGP key if the vulnerability is sensitive.

Our Commitment

  • We will acknowledge receipt of your report within 2 business days.
  • We will provide an initial assessment and estimated timeline within 5 business days.
  • We will not pursue legal action against researchers who report vulnerabilities in good faith and comply with this policy.
  • We will credit you (if desired) when the vulnerability is resolved and publicly disclosed.

Scope

The following are in scope for responsible disclosure: the Lenno web application (lenno.ai), API endpoints, authentication and authorisation mechanisms, agent isolation boundaries, and data handling processes. Out of scope: third-party services, social engineering attacks, denial of service, and previously reported vulnerabilities.

For security questions or concerns, contact us at security@lenno.ai.

Hanso Pte. Ltd.
Singapore