LastPass is an online password manager and form filler that makes web browsing easier and more secure. LastPass is based in Fairfax, Virginia USA and has been providing its cloud service since 2008. You can contact real live people through their online support portal or directly via email. They use encryption to protect your data while in transit between your computer and their servers, and they encrypt all data on your device before sending it to their servers where it is stored encrypted. This means that only you can decrypt your data, LastPass cannot access it. LastPass stores encrypted user data on its servers in Virginia, USA. The LastPass data centres have been independently audited to ensure that your data is stored securely while still being easily available to you. These measures help LastPass maintain its expected availability of over 99.9% (the LastPass service is expected to be inaccessible less than 0.1% of the time). LastPass provides tools to import you from other programs/providers and allows for easy exporting in a range of formats. LastPass recognizes you as the owner of all data uploaded to your account and makes no claims to it. Once your LastPass account is terminated, though, all of your data stored by LastPass will be deleted.

This disclosure was provided by LastPass and researched by Arrowrock. Sources are cited where possible.

Please report any inaccuracies in this report by leaving a reply below or sending us a private message. Thank you!

Company Identity

Trading Name LastPass
Company Website
Company Phone Number +1 (703) 542-1885
Company Email Address
Physical Address LastPass Corporate Headquarters
8315 Lee Hwy Suite 501
Fairfax, VA 22031

What services does this disclosure apply to?
LastPass Premium

LastPass Enterprise

What country holds legal jurisdiction over the service(s)?

How long has your company been operating?
Since April 2008

How long has your company been providing the service(s) covered in this disclosure?
Since April 2008

Is your company currently profitable?

return to the top

Customer Support and Service Level Agreement

What are your standard customer support hours?
8am to 5pm ET Monday – Friday

What channels are available for communication with clients?

Onsite Support Page

Which is your preferred channel for client communications?
Ticket system:

Do you collect any information from client communications?
We collect the email address. The data is never utilized for any purpose other than communicating with the customer.

What is your standard response time for customer support inquires?
Premium and Enterprise: less than 8 business hours.

Do you proactively communicate information about future planned outages and maintenance to clients?
We don’t typically experience outages due to maintenance or otherwise.

Do you proactively communicate information about current unscheduled outages and incidents to clients?

Do you make incident reports available to clients after major incidents?
Summaries of incident reports are avalible at:

What is the expected uptime of the service?
Over 99.9%

Has the service experienced any outages in the last 12 months?
May 24th, 2012 – Website outage from 6:48-7:18pm US Eastern time

Does the SLA guarantee service uptime?
No, but the service runs locally on the device. So, even in the event of an outage, the impact to the customer experience is negligible (almost undetectable.)

return to the top


Are logs kept of client logins and locations?
We don’t store personal information on our servers unless required for the on-going operation of one of our services. (For example: If you choose to store login history, we keep login history, if you choose not to, we don’t)

Does your service support password/account recovery?

Does the service monitor for any suspicious account activity?
Yes, LastPass has multiple layers of protection in place that will lock down the device in cases of a brute force attack based on a deep and diverse set of criteria. To increase the security of your master password, LastPass utilizes a stronger-than-typical version of Password-Based Key Derivation Function (PBKDF2). At its most basic, PBKDF2 is a “password-strengthening algorithm” that makes it difficult for a computer to check that any one password is the correct master password during a brute-force attack. The standard implementation of PBKDF2 uses SHA-1, a secure hashing algorithm. SHA-1 is faster, but its speed is a weakness in that brute-force attacks can likewise be performed faster. LastPass has opted to use SHA-256, a slower hashing algorithm that provides more protection against brute-force attacks. LastPass utilizes the PBKDF2 function implemented with SHA-256 to turn your master password into your encryption key. By default, LastPass performs 500 rounds of the function to create the encryption key, before a single additional round of PBKDF2 is done to create your login hash. We’ve taken every step to ensure our user’s security and privacy.

Does your service offer two-step or multi-factor authentication?
Yes, two step authentication is available via:
Google Authenticator
Grid Multifactor Authentication
Fingerprint or Card Reader Authentication

Does your service offer login via other services?
No, however the enterprise edition can integrate with Active Directory.

Does your service secure all client data in transit?
LastPass uses SSL exclusively for data transfer even though the vast majority of data you’re sending is already encrypted with 256-bit AES and unusable to both LastPass and any party listening in to the network traffic — the amount of data is trivial so the extra encryption doesn’t hurt.

Does your service secure client data at rest?
LastPass uses 256-bit AES encryption that is applied clientside so that all data stored by LastPass is safetly encrypted.

Does your service allow clients to collaborate with 3rd parties?
LastPass uses public key cryptography specifically RSA from Crypto++ and jsbn to allow you to share your accounts with trusted parties, without ever sharing it with LastPass.

Does your primary system reside in a data center with a security certification?
Yes, SAS 70.

Does your backup/disaster recovery system reside in a data center with a security certification?
Yes, SAS 70.

return to the top

Data Ownership

Do you claim ownership of any client data or information uploaded to your service?

Does the client retain full ownership of any data of information transmitted or stored via upstream providers?

Does client use of your service generate any metadata or other statistical information?
LastPass may collect aggregated statistics about the behavior of visitors to its websites. For instance, LastPass may monitor the most popular website account on the site. LastPass may display this information publicly or provide it to others. In addition, LastPass may use your behavioral data and other data you provide to LastPass to customize advertisements on its site to its users. In this way we try to keep the majority of our services free. However, LastPass does not disclose personally-identifying information other than as described below.
For further information, please refer to the Privacy Policy.

return to the top

Data Location

Where are the primary systems that host client data located?
Virginia, USA.

Where are the backup/disaster recovery systems that host client data located?
Virginia, USA.

Are there any other systems that host client data on behalf of your service?

return to the top

Data Access and Use

Does the client have full access to their data during the service contract period?

Can the client freely download their data from the service during the contract period?
Yes. Clients can export their data via the LastPass browser addon (Tools>Export).
LastPass can export saved data either as a CSV file (unencrypted) or as a LastPass Encrypted File.

Can the client easily import/upload their data from a competing service provider into your service?

Does your services include an API to access client data?

Following termination of the service, will the client be able to access their data?
Not once the account has been deleted by the end user.

Following termination of the service, is all client data deleted?
Following deletion, yes.

Does anyone in your organization (including contractors and upstream providers) have the ability to directly access client data?
No one at LastPass can ever access your sensitive data. We’ve taken every step we can think of to ensure your security and privacy.

Does your company use client data or information for any business function (other than the provision of the service)?

Does your company use client data or information to generate revenue (other than the provision of the service)?

Do you access client data in any additional circumstance not yet specified in this disclosure?

return to the top

Data Breach Notification

Do you have a policy in place for dealing with data loss or breach?
Not available

Do you notify clients if their data has been lost or compromised?
Yes, we would to the degree possible. We practice total transparency with our end users.

return to the top

Backup and Maintenance

Does your service support data versioning?
Yes. Users have records of their previous passwords, but these are only accessable through the web interface.

How often are service/client data backups performed?

What method is used to perform service/client data backups?
Not available

How long is backup data retained for?
Not available

return to the top


The information in this report is provided “AS IS” without warranty of any kind, express or implied. Please use good judgement and verify the information you consider important before basing any decisions on it.