Security Overview

Security is not an add-on at Lenzeye — it is built into every layer of the platform.

Lenzeye handles photographers' most sensitive and irreplaceable data: wedding photos, family portraits, commercial shoots. A security failure is not recoverable. This page explains how Lenzeye approaches security at every stage of the data lifecycle.


Security at Every Layer

```mermaid
flowchart TD
    A[Upload] --> B[HTTPS in transit]
    B --> C[AES-256-CTR at rest]
    C --> D[HMAC-SHA256 integrity tag]
    D --> E[Verified on every download]
    E --> F[OTP-protected download links]
```
| Layer | Protection |
|---|---|
| Upload (in transit) | HTTPS/TLS — all connections encrypted |
| Storage (at rest) | AES-256-CTR — per-user key, per-file IV |
| Integrity | HMAC-SHA256 — computed on upload, verified on download |
| Access | OTP-protected download links, session-based auth, PIN-based lab access |
| Key storage | Per-user keys encrypted with master key — never in code or database |
| Credential isolation | Presigned URLs — no permanent S3 credentials exposed to browsers |

Security Philosophy

  • Encrypt by default — encryption is on unless explicitly disabled per user
  • Verify before decrypt — HMAC check happens before any plaintext is returned
  • Least privilege — presigned URLs expire; no long-lived credentials shared with clients
  • Fail closed — if HMAC verification fails, the download is rejected entirely
  • No secrets in code — master key, DB credentials, and S3 keys live in environment variables only

Threat Model

| Threat | Mitigation |
|---|---|
| Attacker reads S3 storage | Files are AES-256 encrypted — unreadable without user key |
| Attacker reads database | User keys are encrypted with master key — useless without it |
| File tampered in S3 | HMAC mismatch on download → rejected before decryption |
| Unauthorized download | OTP required; presigned URLs are time-limited |
| Brute force upload link | Token is `secrets.token_urlsafe(32)` — 256-bit random |
| Session hijack | Flask sessions with 23-hour expiry, Lax SameSite cookie |
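The verify-before-decrypt path from the layers table and the "File tampered in S3" row above, as an added illustration that is not Lenzeye's own code. It assumes the `cryptography` package, a blob layout of IV || ciphertext || tag, and a MAC key derived from the per-user key; the layout and the derivation are assumptions, not documented Lenzeye behaviour.

```python
import hashlib
import hmac
import secrets
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

IV_LEN, TAG_LEN = 16, 32   # AES block-size IV, full SHA-256 tag

def mac_key(user_key: bytes) -> bytes:
    # Assumption: a separate MAC key derived from the 256-bit per-user key,
    # so the same key material is never used for both AES-CTR and HMAC.
    return hmac.new(user_key, b"example-mac-key", hashlib.sha256).digest()

def seal(user_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: AES-256-CTR with a fresh per-file IV, tag over IV||ct."""
    iv = secrets.token_bytes(IV_LEN)
    enc = Cipher(algorithms.AES(user_key), modes.CTR(iv)).encryptor()
    ct = enc.update(plaintext) + enc.finalize()
    tag = hmac.new(mac_key(user_key), iv + ct, hashlib.sha256).digest()
    return iv + ct + tag   # assumed layout: IV || ciphertext || tag

def open_sealed(user_key: bytes, blob: bytes) -> bytes:
    """Verify before decrypt; a mismatch fails closed and returns no plaintext."""
    if len(blob) < IV_LEN + TAG_LEN:
        raise ValueError("blob too short")
    iv, ct, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key(user_key), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("HMAC mismatch: download rejected before decryption")
    dec = Cipher(algorithms.AES(user_key), modes.CTR(iv)).decryptor()
    return dec.update(ct) + dec.finalize()

def unverified_decrypt(user_key: bytes, blob: bytes) -> bytes:
    """What a download path WITHOUT the HMAC check would return (contrast only)."""
    iv, ct = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN]
    dec = Cipher(algorithms.AES(user_key), modes.CTR(iv)).decryptor()
    return dec.update(ct) + dec.finalize()

def is_rejected(user_key: bytes, blob: bytes) -> bool:
    try:
        open_sealed(user_key, blob)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    key = secrets.token_bytes(32)                          # constructed per-user key
    blob = seal(key, b"constructed sample: IMG_0001.jpg bytes")
    tampered = bytearray(blob); tampered[IV_LEN] ^= 0x01   # flip one ciphertext bit
    print(is_rejected(key, bytes(tampered)))               # True: fail closed
    print(unverified_decrypt(key, bytes(tampered))[:1])    # CTR malleability: 'c' became 'b'
```

The last line shows why the order matters: CTR mode is malleable, so a bit flipped in storage silently flips the same bit in the decrypted photo unless the HMAC check runs first.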

What Lenzeye Does Not Claim

For full transparency:

  • File names are not encrypted — stored as S3 keys, visible in S3 metadata
  • Lenzeye is not a certified compliance platform (not ISO 27001, SOC 2, or HIPAA certified at this stage)
  • Master key custody — the master key is held by Lenzeye, so users trust Lenzeye with key custody

Full encryption details: Encryption Standards →
Access control details: Access Control →
Integrity details: Data Integrity →