# Security Overview
Security is not an add-on at Lenzeye — it is built into every layer of the platform.
Lenzeye handles photographers' most sensitive and irreplaceable data — wedding photos, family portraits, commercial shoots. A security failure here is not recoverable. This page explains how Lenzeye approaches security at every stage of the data lifecycle.
## Security at Every Layer

```mermaid
flowchart TD
    A[Upload] --> B[HTTPS in transit]
    B --> C["AES-256-CTR<br/>at rest"]
    C --> D["HMAC-SHA256<br/>integrity tag"]
    D --> E["Verified on<br/>every download"]
    E --> F["OTP-protected<br/>download links"]
```
| Layer | Protection |
|---|---|
| Upload (in transit) | HTTPS/TLS — all connections encrypted |
| Storage (at rest) | AES-256-CTR — per-user key, per-file IV |
| Integrity | HMAC-SHA256 — computed on upload, verified on download |
| Access | OTP-protected download links, session-based auth, PIN-based lab access |
| Key storage | Per-user keys encrypted with the master key; the master key itself is never in code or the database |
| Credential isolation | Presigned URLs — no permanent S3 credentials exposed to browsers |
## Security Philosophy
- Encrypt by default — encryption is on unless explicitly disabled per user
- Verify before decrypt — HMAC check happens before any plaintext is returned
- Least privilege — presigned URLs expire; no long-lived credentials shared with clients
- Fail closed — if HMAC verification fails, the download is rejected entirely
- No secrets in code — master key, DB credentials, and S3 keys live in environment variables only
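The at-rest pipeline in the table and list above, written out as an added example (this is illustration code, not Lenzeye's implementation). It assumes the `cryptography` package is available for AES, and it makes one design assumption the page does not state: the per-user key is split into separate encryption and MAC subkeys with HMAC. The blob layout `IV || ciphertext || tag` is also an assumption. What it shows is the order of operations the philosophy demands: a fresh IV per file, HMAC-SHA256 over the IV and ciphertext, verification with a constant-time compare before any decryption, an `IntegrityError` (no partial plaintext) on mismatch, and the per-user key stored only in wrapped form under the master key.

```python
"""Encrypt-then-MAC at rest: AES-256-CTR + HMAC-SHA256, per-file IV, per-user key wrapped by a
master key. Added illustration, not Lenzeye's code. Assumes the `cryptography` package is installed."""
import hashlib
import hmac
import os
from typing import Tuple

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

IV_LEN = 16   # AES block size: the CTR counter block
TAG_LEN = 32  # HMAC-SHA256 output length


class IntegrityError(Exception):
    """Raised when the tag does not verify. No plaintext is produced in that case (fail closed)."""


def aes_ctr(key: bytes, iv: bytes, data: bytes) -> bytes:
    """AES-256-CTR keystream XOR; the same call both encrypts and decrypts."""
    if len(key) != 32 or len(iv) != IV_LEN:
        raise ValueError("AES-256-CTR needs a 32-byte key and a 16-byte IV")
    enc = Cipher(algorithms.AES(key), modes.CTR(iv)).encryptor()
    return enc.update(data) + enc.finalize()


def derive_subkeys(user_key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one per-user key. This split is an
    assumption of the example; the page does not say how Lenzeye separates the two roles."""
    enc_key = hmac.new(user_key, b"example-enc", hashlib.sha256).digest()
    mac_key = hmac.new(user_key, b"example-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_blob(key: bytes, plaintext: bytes) -> bytes:
    """Upload path: fresh IV, encrypt, then tag IV||ciphertext. Layout: IV || ciphertext || tag."""
    enc_key, mac_key = derive_subkeys(key)
    iv = os.urandom(IV_LEN)  # never reuse a (key, IV) pair in CTR mode
    ciphertext = aes_ctr(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag


def decrypt_blob(key: bytes, blob: bytes) -> bytes:
    """Download path: verify the tag first (constant-time), fail closed, only then decrypt."""
    if len(blob) < IV_LEN + TAG_LEN:
        raise IntegrityError("blob too short to carry an IV and a tag")
    iv, ciphertext, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_subkeys(key)
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise IntegrityError("HMAC mismatch: download rejected before decryption")
    return aes_ctr(enc_key, iv, ciphertext)


def wrap_user_key(master_key: bytes, user_key: bytes) -> bytes:
    """What the database would store: the per-user key encrypted and tagged under the master key."""
    return encrypt_blob(master_key, user_key)


def unwrap_user_key(master_key: bytes, wrapped: bytes) -> bytes:
    return decrypt_blob(master_key, wrapped)


def rejects(key: bytes, blob: bytes) -> bool:
    """True if decrypt_blob refuses the blob (tampered, truncated, or wrong key)."""
    try:
        decrypt_blob(key, blob)
    except IntegrityError:
        return True
    return False


def tamper(blob: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`. Without the tag check, CTR mode would silently flip the matching
    plaintext bit, which is why verify-before-decrypt matters for a stream-mode cipher."""
    b = bytearray(blob)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    master_key = os.urandom(32)  # in production: environment variable, never code or database
    user_key = os.urandom(32)
    stored_in_db = wrap_user_key(master_key, user_key)
    photo = b"constructed sample: JPEG bytes would go here"
    stored_in_s3 = encrypt_blob(unwrap_user_key(master_key, stored_in_db), photo)
    assert decrypt_blob(user_key, stored_in_s3) == photo
    assert rejects(user_key, tamper(stored_in_s3, IV_LEN + 3))
    print("round trip ok; tampered copy rejected")
```

The two "attacker reads storage" rows of the threat model map onto this directly: a copy of `stored_in_s3` without `user_key` is keystream-masked bytes, and a copy of `stored_in_db` without `master_key` fails the tag check on unwrap.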
## Threat Model
| Threat | Mitigation |
|---|---|
| Attacker reads S3 storage | Files are AES-256 encrypted — unreadable without user key |
| Attacker reads database | User keys are encrypted with master key — useless without it |
| File tampered in S3 | HMAC mismatch on download → rejected before decryption |
| Unauthorized download | OTP required; presigned URLs are time-limited |
| Brute force upload link | Token is `secrets.token_urlsafe(32)` — 256-bit random |
| Session hijack | Flask sessions with 23-hour expiry, Lax SameSite cookie |
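The access rows of the threat model, as an added, standard-library-only example (not Lenzeye's code). It shows what `secrets.token_urlsafe(32)` produces, a time-limited link whose expiry is bound into an HMAC signature so it cannot be extended by editing the URL, and an OTP check with a constant-time compare and an attempt budget. The signing key, the `LINK_TTL_SECONDS` value and the link format are assumptions; in particular the link is a model of the expiry property, not a real S3 presigned URL, which the S3 SDK generates with SigV4.

```python
"""Access-layer checks: 256-bit upload tokens, time-limited signed download links, and a
fail-closed OTP check. Added illustration using only the standard library, not Lenzeye's code."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side signing secret; in production it would be loaded from the environment.
LINK_SIGNING_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 600  # assumed lifetime; the page only says links are time-limited


def new_upload_token() -> str:
    """secrets.token_urlsafe(32): 32 CSPRNG bytes (256 bits) encoded as 43 URL-safe characters."""
    return secrets.token_urlsafe(32)


def sign_download_link(base_url: str, object_key: str, now: Optional[float] = None,
                       ttl: int = LINK_TTL_SECONDS, key: bytes = LINK_SIGNING_KEY) -> str:
    """Model of a time-limited link: the expiry is part of the signed message, so changing
    `expires` in the URL invalidates `sig`. Not S3 presigning; only the expiry property is shown."""
    expires = int(now if now is not None else time.time()) + ttl
    msg = f"{object_key}\n{expires}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{base_url}?{urlencode({'key': object_key, 'expires': expires, 'sig': sig})}"


def verify_download_link(url: str, now: Optional[float] = None,
                         key: bytes = LINK_SIGNING_KEY) -> Optional[str]:
    """Return the object key if the link is intact and unexpired, otherwise None (fail closed)."""
    q = parse_qs(urlparse(url).query)
    try:
        object_key, expires, sig = q["key"][0], int(q["expires"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return None
    msg = f"{object_key}\n{expires}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # signature first, constant-time
        return None
    if (now if now is not None else time.time()) >= expires:
        return None
    return object_key


def new_otp(digits: int = 6) -> str:
    """Numeric one-time code from a CSPRNG (secrets.randbelow, never the random module)."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def check_otp(submitted: str, expected: str, attempts_left: int) -> Tuple[bool, int]:
    """Constant-time compare plus an attempt budget; once the budget is spent, always deny."""
    if attempts_left <= 0:
        return False, 0
    ok = hmac.compare_digest(submitted.encode(), expected.encode())
    return ok, attempts_left if ok else attempts_left - 1


if __name__ == "__main__":
    url = sign_download_link("https://example.invalid/download", "gallery-42/img_001.jpg")
    print(url)
    print("valid now:", verify_download_link(url))
    print("valid in one hour:", verify_download_link(url, now=time.time() + 3600))
    print("upload token:", new_upload_token())
```

Two details carry the security weight here: `hmac.compare_digest` is used for both the link signature and the OTP so a wrong guess takes the same time as a near-miss, and every failure path returns `None` or `False` rather than a partial result, matching the "fail closed" rule above.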
## What Lenzeye Does Not Claim
For full transparency:
- File names are not encrypted — stored as S3 keys, visible in S3 metadata
- Lenzeye is not a certified compliance platform (not ISO 27001, SOC 2, or HIPAA certified at this stage)
- Master key custody — the master key is held by Lenzeye, so users trust Lenzeye with key custody
- Full encryption details: Encryption Standards →
- Access control details: Access Control →
- Integrity details: Data Integrity →