
TRUST CENTER

Privacy

LastPass provides password and identity management solutions that are easy to manage and effortless to use for individuals and businesses. With users in nearly every country around the world, we maintain a global data privacy program designed to secure and protect the data entrusted to us by our customers and users.

Quick Reference Guides

Privacy Policy

Global Data Privacy Program

LastPass’ data privacy program is designed to respond to today’s applicable privacy rules and regulations and takes into account many of the world’s major data protection regimes, including, but not limited to:

  • Australia’s Privacy Act (1988)
  • Brazil’s General Data Protection Law (LGPD)
  • California Consumer Privacy Act (CCPA)
  • General Data Protection Regulation (GDPR)
  • Singapore’s Personal Data Protection Act (PDPA)
  • United Kingdom’s Data Protection Act (2018)

Privacy Policy

TRUSTe Enterprise Privacy & Data Governance Practices Certification

LastPass has obtained the TRUSTe Enterprise Privacy & Data Governance Practices Certification to further demonstrate our ongoing commitment to data protection. To view our certification status please click here.

Data Transfers

APEC CBPR and PRP Certifications

LastPass has obtained Asia-Pacific Economic Cooperation ("APEC") Cross-Border Privacy Rules ("CBPR") and Privacy Recognition for Processors ("PRP") certifications. The APEC CBPR and PRP frameworks are the first data regulation frameworks approved for the transfer of personal data between APEC-member countries, and were obtained and independently validated through TrustArc, an APEC-approved third-party leader in data protection compliance. To learn more about our APEC certifications, please click here. To review our APEC commitments, please consult our Privacy Policy.

 


Data Processing Addendum

In addition to maintaining Terms of Service and Privacy Policies designed to support and adapt to changing regulatory requirements and industry standard practices, LastPass is pleased to offer a comprehensive global Data Processing Addendum (“DPA”), available here (in multiple languages), which is designed to meet the requirements of applicable data privacy laws and regulations, including the CCPA, GDPR, and LGPD. Key features of our DPA include:

  • CCPA

    We are dedicated to ensuring that our services continue to comply with the applicable provisions of the CCPA (and the CPRA, once in effect), and that our privacy and security measures are meeting or exceeding industry standard practices. To account for CCPA, our global DPA includes: (a) definitions which are mapped to CCPA; (b) applicable access and deletion rights; and (c) warranties that LastPass will not sell our users’ ‘personal information.’

  • GDPR

    Our DPA incorporates several GDPR-focused data privacy protections, including: (a) data processing details, sub-processor disclosures, etc. as required under Article 28; (b) the revised 2021 Standard Contractual Clauses (the “SCCs”) to permit lawful transfer of ‘personal data’ under Chapter 5; and (c) the incorporation by reference of LastPass' technical and organizational measures documentation.

  • LGPD

    LastPass has taken steps designed to ensure that our Brazilian customers can benefit from and use our products in compliance with the LGPD. These steps include provisions in our DPA that: (a) address LastPass’ compliance with LGPD; (b) support lawful transfers of personal data to/from Brazil; and (c) ensure that our users enjoy the same privacy benefits as our other global users.

  • Standard Contractual Clauses

    The SCCs are standardized contractual terms, recognized and adopted by the European Commission, drafted to help ensure that any personal data leaving the EEA will be transferred in compliance with EU data protection law. LastPass’ DPA offers customers the latest SCCs, issued by the European Commission on June 4, 2021, that make specific guarantees around transfers of personal data for in-scope LastPass services as can be found here. Execution of the SCCs helps ensure that LastPass customers can freely move data from the EEA to the rest of the world.


Privacy Controls, Procedures, and Disclosures

Processing Locations

To help ensure sufficient service availability, uptime, and redundancy to provide our global user base with the best possible experience, LastPass uses a combination of geographically distributed physical co-location facilities and cloud hosting providers that perform replication in near-real-time.

To learn more about LastPass’ data centers and locations of processing, consult the LastPass Sub-processor Disclosure and Affiliate Disclosures located in the Product Resources section of our Trust and Privacy Center at Trust Center.

Data Retention, Deletion, Export, and Access Controls

LastPass' product offerings feature comprehensive technical privacy controls and capabilities which include data retention, deletion, export (into a machine-readable format), and access functionality. Please consult the Technical and Organizational Measures (“TOMs”) documentation available in the Trust and Privacy Center for more details.

Technical and Organizational Measures

LastPass’ technical and organizational security measures are designed to prevent unauthorized access to personal data, and to ensure the ongoing confidentiality, integrity and availability of LastPass’ products and services. Detailed information regarding LastPass’ zero-knowledge encryption capabilities and other comprehensive security measures can be found in the Trust & Privacy Center’s Product Resources page.

Sub-processor Disclosures

LastPass engages with first and third-party sub-processors to provide and operate our services. Please consult the Trust & Privacy Center’s Product Resources page to review service or hosting and processing locations, including affiliate and third-party sub-processor disclosures.

Government Requests

LastPass maintains a comprehensive Government Request Policy and will only provide customer information if a government request is supported by applicable law. While detailed information about how LastPass handles government requests may be found in the policy linked above, it is LastPass' position that absent a valid warrant, subpoena, court order, or equivalent legal process, LastPass will not disclose customer information. In addition, LastPass may seek to narrow requests that we believe are overly broad in scope, request additional context if the nature of the investigation is unclear, or push back on the request for other reasons.


Trust Center

Your single source for the latest security, privacy, compliance, and system performance information.

Go to Trust Center

Product Status

Learn about any known issues and potential service interruptions affecting LastPass products and services.

View Product Status

Trust Center, Privacy & Security FAQ

Visit our FAQ page to find answers to your product compliance-related questions.

Go to FAQ
