GOTO TECHNOLOGIES UK LIMITED

LastPass

LastPass Enterprise: password management and SSO solution that gives the ability to securely store, create and access user identity and credentials for online applications/websites.
LastPass Identity: next-gen identity platform combining password management and SSO with adaptive MFA.
LastPass MFA: intuitive authentication experience that's simple to use and easy for admins to deploy across cloud/legacy/on-premise apps/VPN.

Features

  • Reliable save and fill for every password
  • 100+ Security Policies
  • Built-in Password Generator
  • Supported Browser Extensions and Mobile app; access anywhere
  • Encrypted Vault & Master Password
  • Secure Password Sharing
  • Directory Integration & APIs
  • Zero-Knowledge Data Security Model

Benefits

  • Increase Password Security
  • Safe Password Storage / Protection
  • Access Management
  • Password Security Audits
  • Increase Productivity (reduce password recovery)

Pricing

£42.84 a licence a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at PartnerOps-International@GoTo.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

802776445081615

Contact

GOTO TECHNOLOGIES UK LIMITED Channel Sales operations @ GoTo
Telephone: 00353858885888
Email: PartnerOps-International@GoTo.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
To check supported versions, go to LastPass Icon > More Options > About LastPass, where you will find the version number and the build date. Our release notes can be found here: https://lastpass.com/upgrade.php. We do not have a breakdown of users per version to share publicly.
We have previously built versions of LastPass for platforms that we no longer develop for. Users are welcome to install and use them, but we cannot offer technical support for these versions:
  • Windows Mobile 5+
  • Symbian S60 3rd+
  • Palm webOS
Users are strongly recommended to download and run the installer from our website on all browsers they regularly use.
System requirements
https://support.lastpass.com/help/system-requirements-for-users-lp010008

User support

Email or online ticketing support
Email or online ticketing
Support response times
24x7 Phone Support with an average answer time of 30-60 seconds
24x7 Email Support with an initial response within 24 hours
Our support is rated #1 across competitive sites and reviews from numerous customers.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
We conducted 3rd party independent assessments to train our teams on development practices and tools required to achieve WCAG 2.1 Level AA compliance for our web chat tool, which powers the support chatbot. These include the following testing methods:
• JAWS 15 (or above) screen reader with Internet Explorer 11
• NVDA screen reader with Firefox
• Dragon NaturallySpeaking 12+ with IE
• ZoomText 10+ with Internet Explorer
• Ensure the service can be used without a mouse – Chrome
• Ensure the service is accessible to people who have a disability but do not require assistive technology – Chrome/Safari
  Colour Blind, Dyslexic, Learning Disabilities, Deaf, Aspergers, and Anxiety/Panic disorder
• Testing on iPad and iPhone using native browser
• VoiceOver with Safari on iPhone
• Zoom with Safari on iPad
• TalkBack on Android

These were conducted via both automated and manual testing approaches.
Onsite support
Yes, at extra cost
Support levels
Phone Support 24x7. The support number is exclusively for LastPass Admins in the Admin console; LastPass Teams admins and end users can request a call back from support through the Support Center.
Ticket support: You can submit a ticket via our support center at any time; appropriate priority levels are given.
Online Support center and knowledge base: search and find solutions for FAQs, get 24/7 access to our extensive online knowledge base and engage in user-to-user support in the LastPass community.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
As you begin your deployment, various self-help guides will activate within the Admin Console, walking you through the tool's basic features and pointing you to additional resources. LastPass utilizes Embark, an online e-learning resource that hosts recorded and live sessions on all aspects of LastPass, for Admins and employee end-users. This is always available throughout the length of your subscription.

LastPass Business is a premium product with premium support. Help is available through the LastPass Community, the Support Site, or by contacting support, which is available 24/7. Your LastPass Business account may also qualify for a Customer Success Manager (CSM) based on the size of your account. In this case, a CSM will be assigned to you and is available to support your implementation and provide ongoing product updates. Additional VIP Support is also available for purchase through your sales representative.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
Video
End-of-contract data extraction
LastPass users can delete their own accounts and associated Content via the “Delete your Account” page located at https://lastpass.com/delete_account.php. Users without access to their LastPass vault and/or email address can submit a service request to the Care team, who will authenticate the user and delete the account and Content within 30 days of the request.
Free accounts, including the Content located therein, shall automatically be deleted after two (2) years of inactivity (i.e., no logins).
End-of-contract process
As specified in the "End-of-contract" process, each customer may delete or export relevant Customer Content, and in any regard, such Content would be subject to reasonable retention periods (as specified in the "end-of-contract data extraction" section above). Additional information can be found at the product-specific Technical and Organizational Measures Resource (https://www.goto.com/company/trust/resource-center). GoTo is always seeking feedback and areas for improvement, both throughout the contract lifecycle, as well as thereafter; this may include, if permitted to do so, soliciting input from our users.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
Yes
Compatible operating systems
  • Android
  • iOS
  • macOS
  • Windows
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Please reference:
https://support.lastpass.com/help/lastpass-for-android-lp060001

https://support.lastpass.com/help/lastpass-for-ios-lp060002
Service interface
Yes
User support accessibility
WCAG 2.1 AA or EN 301 549
Description of service interface
The Admin console provides admins the capability to add/remove users or groups from the service. In addition it allows them to change settings that affect the users in the account. Most prominently these are the policy settings where functionality or behaviour of the product can be controlled for the end users. Key features are:

* Manage users and groups
* Manage policies
* Change account settings
* Configure integrations such as directory synchronizations or federated login
* Manage email notifications
* Reporting of user and admin activity
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
• We regularly self-assess (2 times in 2021) against WCAG AA, Section 508 and EN 301 549
• We are building a component based design and frontend system in 2022 and beyond that has accessibility as a requirement
• We are advocating for a culture (in design and engineering too) that has accessible software as a base need rather than an afterthought
API
Yes
What users can and can't do using the API
LastPass has a provisioning API (https://support.lastpass.com/help/use-the-lastpass-provisioning-api-lp010068) which is not accessible to end users; it is only for admins to create, modify or delete users and groups for individual directory integrations.

The LastPass command line application is an open source project that allows you to create, edit, and retrieve passwords in your online LastPass Vault via the terminal on Mac, Linux, and Windows using Cygwin. You can also generate passwords for every server you use, and securely store those passwords directly in LastPass, as well as use subcommands. Additionally, LastPass Enterprise users can automate sharing using shared folders.
https://support.lastpass.com/help/use-the-lastpass-command-line-application-lp040011
API documentation
Yes
API documentation formats
  • HTML
  • Other
API sandbox or test environment
Yes
Customisation available
No

Scaling

Independence of resources
GoTo leverages a multi-tenant architecture which is logically separated at the database level based on the organization’s GoTo account. Only authenticated parties are granted access. The solution is built with full redundancy of our data centers, reducing the risk of downtime and single-point-of-failure.

Analytics

Service usage metrics
Yes
Metrics types
LastPass Enterprise offers extensive reporting to help you safeguard your organization’s data and build compliance. Available in the Admin Console, the Reports feature offers admins an audit trail that can also be exported to be shared with key stakeholders as needed.
https://support.logmeininc.com/lastpass/help/generate-enterprise-reports-lp010040
You can run a security audit on your own account or your users' accounts.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
The LastPass browser extension or mobile application utilizes PBKDF2 with SHA-256 to derive a unique encryption key from the user's master password. This encryption key remains on the user's device and is used to encrypt vault data with the AES-256 algorithm. On Windows devices, Windows CryptoAPIs are used to add an extra layer of protection. The encrypted vault is transmitted over TLS to LastPass, and stored server-side in this encrypted state. This locally encrypted vault is cached on the user's device, enabling offline access if needed. Other user information (e.g. phone number for SMS account recovery) is encrypted server-side using an HSM.
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
You can export your LastPass Vault data (including passwords, secure notes, form fills, Wi-Fi passwords, etc.) as a CSV or XML file, then print your data if you'd like to keep a copy for your own records. If you have set up Vault identities, you can export data for all or individual identities.

Even if LastPass has been uninstalled from your computer, a locally cached and encrypted copy of your data is stored by default when you use the LastPass web browser extension and/or mobile apps, as long as your LastPass cache hasn't been cleared since your last login session.
Data export formats
  • CSV
  • Other
Other data export formats
  • Through our API
  • .XML
Data import formats
  • CSV
  • Other
Other data import formats
  • XML files
  • https://support.logmeininc.com/lastpass/help/import-passwords-from-other-sources-lp040003

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
LastPass encrypts user data with the trusted algorithm Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode with a 256-bit key generated from each user’s master password.

LastPass supports up to TLS 1.2 (or above, if supported by the customer) for secure data transfer even though the vast majority of user data is already encrypted with AES-256. This protocol protects the data from any party listening in to the network traffic. TLS ensures that the user is connecting directly to LastPass to protect against man-in-the-middle attacks.

https://enterprise.lastpass.com/wp-content/uploads/LastPass-Technical-Whitepaper-3.pdf
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
LastPass encrypts user data with the trusted algorithm Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode with a 256-bit key generated from each user’s master password.

LastPass uses TLS 1.2 exclusively for secure data transfer even though the vast majority of user data is already encrypted with AES-256. This protocol protects the data from any party listening in to the network traffic. TLS ensures that the user is connecting directly to LastPass to protect against man-in-the-middle attacks.

https://enterprise.lastpass.com/wp-content/uploads/LastPass-Technical-Whitepaper-3.pdf

Availability and resilience

Guaranteed availability
GoTo strives for high redundancy and availability of our services and infrastructure. Publicly available status updates are available at: https://status.lastpass.com/. Service Level Agreements are mutually agreed upon and covered in the Terms of Service and/or written agreement for the GoTo services with our customers.
Approach to resilience
LastPass operates, based on data residency preference in: fully redundant, active-passive datacenters in the United States or Europe; or world-class cloud hosting provider data centers in Australia or Singapore. LastPass Password Manager and LastPass SSO functionalities are separated in distinct data centers. Each datacenter is capable of handling all user traffic.
All user data is stored in a redundant manner with automatic disaster recovery and failover using multiple datacenters.
LastPass backs up Customer Content within the same datacenter in 24-hour and seven-day intervals. In addition, a corresponding back-up is made in a geographically distant datacenter every seven days and is retained for four weeks.
To ensure the safety of your data the LastPass SSO database leverages 7-day point-in-time restore (PITR) capability. Additionally, Long-Term Retention (LTR) backup will keep the first backup of a week for four weeks and the first backup of each month for three months as an additional safety feature.
If enabled, a secure, encrypted, local copy of a user’s vault is stored automatically when a user connects to LastPass via a browser extension or mobile application. This cached version is designed to allow the user offline access to their data and vault when no internet connection is available.
Outage reporting
A public dashboard is available at the status page. Status updates can be provided via phone, e-mail, RSS Feed, etc. through the Trust Center webpage.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication
User name and password in combination with 2-factor authentication options:
LastPass Authenticator
Google Authenticator
Microsoft Authenticator
Toopher Authentication (no longer available for new users)
Duo Security Authentication
Transakt Authentication
Grid Multifactor Authentication
YubiKey Multifactor Authentication
Fingerprint Authentication
Smart Card Authentication
Sesame Multifactor Authentication
RSA SecurID Multifactor Authentication
Symantec VIP
SecureAuth Authentication
https://support.logmeininc.com/lastpass#Supported

Identity federation with AD FS
https://support.logmeininc.com/lastpass/help/federated-login-experience-for-lastpass-enterprise-users-lp010056
Access restrictions in management interfaces and support channels
Logical Access Control procedures are in place, designed to prevent or mitigate the threat of unauthorized application access and data loss in corporate and production environments. Employees are granted minimum (or "least privilege") access to specified LastPass systems, applications, networks and devices as needed. Further, user privileges are segregated based on functional role and environment. Users shall only be provided with access to the network and services that they have been specifically authorized to use.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
No audit information available
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
No
Cyber essentials plus
No
Other security certifications
Yes
Any other security certifications
  • AICPA SOC2 Type II
  • BSI C5
  • SOC 3
  • EU-U.S. and Swiss Privacy Shield Certified
  • TRUSTe Verified Privacy
  • APEC CBPR and PRP Certification
  • In the process of being ISO 27001:2013 certified

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
SOC2 Type II, SOC 3
BSI C5
EU-U.S. and Swiss Privacy Shield Certified
TRUSTe Verified Privacy
APEC CBPR and PRP Certification
LastPass is in the process of being ISO certified this year (2022). For additional certifications, please visit the Product Resources page of our Trust & Privacy Center at www.goto.com/trust
Information security policies and processes
An Information Security Policy has been established at GoTo and assists in defining the role of technology and management at our organization. It is aligned to ISO27001:2013.
At least annually, applicable policies are reviewed by management to ensure that any procedures or standards are updated in accordance with contractual and legal commitments and company requirements/standards. In order to ensure the confidentiality, integrity, and availability of GoTo Information and IT systems we do not send customers these documents.
Security Policies are relayed to employees at the time of hire and available in the Employee Handbook. They are also communicated to all Global Employees on a regular basis. Additionally, they are hosted on our internal site. GoTo employees and temporary workers are informed on a continuous basis, as determined by the company, about security and privacy guidelines, procedures, policies and standards through various mediums of communication such as awareness campaigns, new hire on-boarding kits, webinars with the CISO, annual policy compliance, security training targeting specific roles (such as software developers), security champion programs, as well as visual media campaigns.
Please reference our Trust Center for further details: https://www.goto.com/company/trust

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
A Change Management Policy has been developed in accordance with relevant commitments and requirements detailing the procedures for infrastructure and development changes, including design, implementation, configuration, testing, modification, and maintenance of systems. Further, processes and procedures are in place in order to verify that changes have been authorized, approved and tested before being applied to a production environment. Policies are in place to provide guidance for the management, modification, and implementation of system changes to infrastructure and supporting applications.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Internal and external system and network vulnerability scanning is conducted quarterly. Dynamic and static application vulnerability testing, as well as penetration testing activities for targeted environments, are also performed periodically. These scanning and testing results are reported into network monitoring tools and, where appropriate and predicated on the criticality of any identified vulnerabilities, remediation action is taken. Vulnerabilities are also communicated and managed with monthly and quarterly reports provided to the relevant development teams, as well as management.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
GoTo collects identified anomalous or suspicious traffic into relevant security logs in applicable production systems. They are received/reviewed by our NOC team, who respond immediately.
GoTo incorporates vulnerability management and intrusion detection programs into its production and corporate IT environments, as well as perimeter devices designed to protect the network from external attacks. GoTo regularly reviews relevant risks that may threaten the achievement of service commitments, and updates to existing control activities and infosec policies are performed as deemed needed. The system is architected to be able to identify, respond to and recover from potential availability events or security incidents.
Incident management type
Supplier-defined controls
Incident management approach
Our SOC is responsible for detecting and responding to security events using security sensors and analysis systems to identify potential issues.
The Incident Response Plan has been developed to include appropriate security incident response processes and is aligned with GoTo's communication and information security incident management policies and procedures. It is designed to manage, identify, and resolve relevant suspected and/or identified security events across its systems and Services. Personnel are in place to identify, document, escalate, and triage potential information security-related events and vulnerabilities, based on criticality, as well as escalate relevant events to management, where appropriate.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

Fighting climate change

At GoTo, we are fully committed to maintaining carbon neutrality and building sustainable practices for both our offices as well as the thousands of home offices our employees work out of as a part of our remote-centric organization. GoTo's Corporate Social Responsibility program, GoTo Gives, unlocks its people, products, and culture to create long-term, sustainable social and environmental impact that positively affects change in the world. To lessen our overall impact on the environment, we’re engaging boldly in sustainability activities that include:
  • We procure 100% renewable electricity for our global operations by purchasing Green-e certified renewable energy credits (RECs) to match our global electricity usage
  • We contract with data centers that are powered by renewable energy and have high energy efficiency standards and an A rating by Greenpeace
  • Responsibly managing and disposing of our electronic waste and using our recycling credits to support organizations partnered with GoTo Gives
  • Creating office environments that promote conservation through water efficiency, source reduction, recycling, composting and the use of sustainable products
  • Engaging in sustainable procurement practices when possible
  • Fostering employee awareness and active participation in sustainability efforts through communications, campaigns and best practices
Our portfolio of products, solutions and services also help our users reduce their own environmental impact by enabling them to work and collaborate from anywhere and engage with each other and the world around them to drive meaningful insights, deeper relationships and better outcomes for all. To learn more, visit https://www.goto.com/company/corporate-responsibility
For our Social & Environmental Responsibility Principles, please log on to https://www.goto.com/-/media/pdfs/legal/finalgotosocialandenvironmentalresponsibilityprinciples12522pdf.pdf
Tackling economic inequality

Further details can be found at: https://www.goto.com/company/corporate-responsibility
Equal opportunity

Culture is both the foundation and glue of GoTo that holds the company together across teams, geographies and timezones. Just as GoTo works to deliver connectivity and collaboration for our customers, we apply that same focus internally, emphasizing the importance of human connection and meaningful relationships to ensure all feel engaged, valued and motivated. It's our mission to create a workforce where everyone feels empowered to bring their full selves to work. We know that when our employees are thriving, they’re doing the best work of their lives and we recognize that thought leadership, community building, knowledge sharing, and personal development are key aspects to building an inclusive workforce.
Our Employee Resource Groups (ERGs), a cornerstone of our employee engagement programs, seek to bring increased focus to the importance of growing our diversity and inclusion initiatives, fostering an inclusive work environment and community service to all employees. Employee-run ERGs at GoTo include a women’s leadership group; a group for the LGBTQ+ community and their allies; a group for Black Employees and friends whose mission is to promote diversity, celebrate our intersecting identities, and bring to life the vision of inclusive excellence; an ERG for employees of Pan-Asian and/or Pacific Islander descent and friends, whose mission is to embrace our cultural differences and foster an environment of education, humanitarianism, and empowerment; a quarterly book club, gardening club, photography club, run club, and more. Through the GoTo Corporate Social Responsibility program, Mission Possible, employees are given 16 hours a year to volunteer within our local communities.
From fostering an energetic atmosphere, to providing professionally challenging opportunities and stimulating day-to-day experiences, GoTo has focused on building an exceptional culture and work environment to ensure employees have everything they need to thrive, both on the clock and off.
Wellbeing

Faced with the ongoing and dynamic global pandemic, GoTo has doubled-down on employee health and safety. Our workforce is now remote-centric, so we have reimagined our support in this area. Thrive, GoTo’s corporate wellness program, emphasizes the mental and physical well-being of employees, providing support and building resilience during these challenging times. Our monthly Self Care Days allow employees the opportunity to recharge, spend time with family, or take up new hobbies. Giving back is a key ingredient to employee wellbeing. GoTo Gives is the vehicle through which we fulfill our mission to create a more sustainable world by connecting the next generation workforce to the power of possibilities. Our three impact areas are: Education & Youth, Environmental Stewardship, and Community Action. Through financial support and direct service, GoTo employees lead with purpose. For this, employees are given 16 hours a year to volunteer within our local communities.

Pricing

Price
£42.84 a licence a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Free features:
Secure password vault
Access on all devices
One-to-one sharing
Save and fill passwords
Password generator
Secure notes
Security challenge
Multi-factor authentication
LastPass Authenticator

30 Day Free Trial
Link to free trial
https://www.lastpass.com/password-manager
