These guidelines provide instructions and greater transparency regarding the handling of requests from law enforcement, national security, and other regulatory bodies for information about our users, customers, and/or end-users ("User Information").
LastPass will, as applicable, follow a similar process for private party legal requests.
Information We Can Provide
LastPass utilizes a "zero-knowledge" security model designed to ensure that customers' data is kept private and protected, from LastPass and from anyone else. The LastPass service features a "vault," in which sensitive user data is stored in an encrypted form, which can only be decrypted at the user and device-level by entering the user's master password. By design, LastPass has no knowledge of the user's master password and does not store or access a user's master password. Therefore, no one at LastPass has the ability to decrypt the vault data on LastPass' servers, and LastPass cannot provide such information in response to a legal request.
Wherever possible, LastPass believes that the requester should first seek to obtain information directly from the user or customer who is the subject of the investigation before requesting such Information from LastPass.
Information Requesters Must Provide
To ensure that any request for User Information is reasonable in scope and narrowly tailored to request only the information needed to complete the investigation, the request must include a valid warrant, subpoena, court order, equivalent legal process, or emergency situation, submitted in its original form as an unedited PDF issued by the appropriate authority.
The request should include as much detail as possible to help us respond in an effective and timely manner. Please note: Most User Information and account data can only be identified by a user's e-mail address. Therefore, the e-mail address associated with the account is the most helpful identifying information.
Each request must also include contact information for the authorized requester, including:
- Name
- Badge/identification number (if applicable)
- Employer-issued e-mail address
- Phone number, including any extension
- Mailing address
- Requested response date
Processing Requests
Upon receipt of a request for User Information, LastPass takes the following steps before responding:
- Authority. LastPass will review and verify the requester has appropriate authority under applicable law to request the User Information. Absent a valid warrant, subpoena, court order, equivalent legal process, or emergency situation, it is LastPass’s position not to provide User Information to a requester.
- Scope. Wherever possible, LastPass will seek to ensure that any request for User Information is reasonable in scope and limited to a specific account. LastPass may request additional context if the nature of the investigation is unclear and may object to the request when appropriate. In the event LastPass does provide any User Information, it will seek to share only the minimum amount of information required to comply with the demand.
- Notice. Except in circumstances where LastPass is instructed by appropriate legal authority not to notify, is prohibited from doing so, or there is a clear indication of illegal or malicious conduct or risk of harm, LastPass will notify the customer of a request before disclosing any User Information so that the customer may seek available legal remedies.
International Requests
All requests must be issued pursuant to applicable laws and made through official channels (e.g., executed order, official e-mail address, etc.). In addition, requests must be made under appropriate legal basis, and a Mutual Legal Assistance Treaty request, a request from a country meeting the obligations under the U.S. CLOUD Act, letter rogatory, or other form of domestication may be required to establish the legal basis of an international request.
We will review all international requests on a country-by-country and case-by-case basis in order to consider and balance our local legal obligations against our commitments to promote users' safety and privacy. We may choose to respond differently to requests from different countries where these commitments conflict with local law.
Where to Submit a Request
LastPass accepts law enforcement and User Information requests via e-mail at subpoenas@lastpass.com.
While we agree to accept requests by this method, neither LastPass nor our customers waive any legal rights based on this accommodation. Additionally, e-mail requests must be made from an official government e-mail address, when applicable.