Sign Up

Passwords Don't Match

The two passwords that you entered did not match eachother.

Weak Passwords

PCI requires that passwords be at least 7 characters long and include alphabetic and numeric characters.

Name

E-mail Address

I consent to Lavawall® using cookies

Read Details

I agree to Lavawall® privacy policy

Read Details

Password

Password Confirmation

PCI requires that passwords must be at least 7 characters long and include numbers and letters. We do not allow passwords that have been in more than 1 breach. For this reason, we recommend using a password manager like LastPass with a password generator.
There may be a delay when you leave the password field while your browser encrypts your password.

Lavawall® Account Type

Access Key / Serial Number What's this?

Access Key

If you just received your Lavawall® the Access Key or Serial Number is printed on the bottom of the device.It's also on the Quick Start Guide in the cardboard box.

If you are a Lavawall® partner, the Access Key was in the email that you received after your partnership application was approved.

Already have an account? Sign In!

This console's servers and data are located in Canada

Lavawall Cookies

Every time you sign in, we create, check, or update a cookie on your computer to reduce the need for extra security codes during subsequent logins. This cookie is configured to expire after one year of your last login and is used in combination with other data to keep you logged into the system. We store your last login time in our database to enforce PCI idle time re-authentication requirements. This process is not managed through cookies. We reduce the likelihood of interception of these cookies by requiring them to be transmitted by HTTPS and reduce cross-site scripting attacks by requesting that your browser not provide them to web site scripts or to domains other than Lavawall.com.

This site also uses some cookies for AMP and other services provided through Cloudflare and other security- and reliability-related tools. It also includes content, fonts, cookies, and scripting from Google to provide fonts, analytics, and additional features. ThreeShield Information Security Corporation may also enable third-party chat and support tools that use third-party cookies.

Lavawall Privacy Policy

TL;DR
✔ We comply with all provisions of GDPR and PIPEDA
✔ We collect as little information as possible about you. If requested, we encrypt information that we don't require for automated functions in such a way that it can only be accessed using your password. (This is opt-in, since only companies with multiple authorized individuals will be able to recover this information if the password is reset.)
✔ We'll give you all of the information we can access about you; however, since we encrypt some of it with keys that are further hashed with a salted hash of your password, you will have to log in to access all of the information.
✔ We store your information in Canada, but send email from Ireland and route your traffic through Cloudflare.
✔ Your passwords, session keys, and cross-site request forgery mitigation tokens are all stored using salted slow hash algorithms. We hash your password on your computer before it hits the Internet so ThreeShield, Cloudflare, AWS, and any other companies that may have access to the traffic never have access to your password.

Your information is yours
In compliance GDPR, PIPA, and PIPEDA, we will provide you all of the information that we store about you, respond to requests to change the information, and will delete it on request. However, in addition to encrypting our entire database at rest, some business contact and position information is encrypted to prevent ThreeShield Information Security Corporation staff from accessing it without your consent. As such, you will need to be able to log into your account to view, modify, or delete your information.

Data Residency
All information on the Canadian Lavawall® console is stored and processed on servers physically located in Canada. However, the data goes through Cloudflare between your computer and our servers. Depending on your location, Cloudflare may route your data outside of Canada. In addition, we use Irish email servers for all emails sent from the Lavawall® console. This includes the additional security verification emails and notifications.

Minimal Information
In compliance with Canada's PIPEDA, Europe's GDPR, and various other privacy regulations, ThreeShield Information Security Corporation collects the minimum amount of personal data required to run the Lavawall® console. We also use one-way hash encryption techniques to allow us to secure your session from hijacking and cross-site request forgery without storing your IP address, cookie information, or browser fingerprint in a way that could be decrypted or accessed in connection with your account.

Third Parties
ThreeShield Information Security Corporation, Amazon Web Services, Cloudflare, Google, or one of our other security or hosting partners my include your IP address in web, firewall, or other logs. These logs do not include cookie or user information. However, these logs could be used to determine which Lavawall® and ThreeShield web pages you visited.
Additional information about Google is provided below.

Google
We use some Google services to understand traffic flow and to prevent abuse of the system as yet another security measure. This includes Google Analytics and Google reCAPTCHA. We have only implemented reCaptcha on login, signup, and other pages that don't have prior authentication. You can see if it is loaded on each page by looking for the blue and grey Recaptcha logo in the bottom right corner of your browser's window. ReCaptcha works by collecting hardware and software information, such as device and application data, and sending these data to Google for analysis. The information collected in connection with your use of the service will be used for improving reCAPTCHA and for general security purposes. It will not be used for personalized advertising by Google. By using the Lavawall® console, you consent to the collection and sharing of this data with Google.

Information Sharing
We do not share any information that we collect other than for billing, collection, and operational purposes. However, we do use third-party cookies for data analytics and support purposes. These cookies are not associated with information that we collect on the Lavawall® or other ThreeShield Websites. However, third-party support tools allow you to optionally provide your name and email information for support purposes.

How We Avoid Querystrings From Identifying You
The unique querystring parameter that is included in links within the console is one of our cross-site request forgery protection techniques. That querystring parameters may be included in logs. However, that parameter is encrypted using a salted one-way hash in our database. As such, it cannot be directly queried without knowledge of other information stored in our database, a cookie on your computer that is hashed with the querystring parameter and not independantly stored in our database, your browser fingerprint, and other random information. In addition, we only store the salted hash of that parameter in our database for up to the last five pages that you visited within the console. For this reason, excessive use of the refresh or back buttons in your browser will force you to log back into the conosole.

Personal and Business Information
We collect business contact information, including your name, business address, telephone number, business function, and email address solely for the purpose of configuring the Lavawall® service communicating with you in relation to your use of the Lavawall® and related services, including billing, and customer relationship management. We may determine your country or approximate geographic location in order to provide geographically-appropriate information and for billing purposes. We do not collect other personal information except for personal email addresses and names from people who send us email from personal accounts.

Tracking
We store a cookie on your computer to keep you logged into the service. It expires after one year, is only accessible by Lavawall.com through secure web access by HTTPS with script access disabled. We also give your computer a unique identifier that lasts until you visit another Lavawall® console page. This identifier is passed through links and web forms and provides additional protection against some attacks that may be able to access your cookies.

IP Address
Although your IP address is not stored as part of your Lavawall® account, your IP address may appear in our web logs, which may include the unencrypted version of a random number that we assign to every page access in your account. This number is stored in our database using a one-way hash that is salted with many other factors. As such, it is very unlikely that your IP address would be tied to your account through this value. We also store IP addresses associated with failed login attempts. However, once you successfully log in from that IP address, it is dissassociated from your account. Finally, we do store IP addresses on the same network as your Lavawall® hardware devices as you request within the console.

Denied Access
We do not deny products or services to individuals who fail to consent to the collection and use of the above Personal and Business Information beyond what is required for this console to work. However, since email addresses are used through some of our authentication methods, it is not possible to log into the Lavawall® console without authorizing the use of this information.

System Information
The Lavawall device (as opposed to this console) collects information about data and systems on your network for security and PCI compliance purposes. This includes the MAC and IP addresses of systems on the network, open ports, DNS names, IP addresses and FQDNs of accessed sites (such as payment gateways), and frequency of access. The training system uses names and email addresses along with your busisness function (such as front desk cashier, IT, or managemetn) in order to customize training for your position.

Legal Stuff
We might disclose personal or business information if we're required to do so to comply with court orders or when your actions violate one or more agreement that you have with us. However, we do not sell or otherwise provide your information to other companies for the marketing of their own products or services.

Questions or concerns?
Contact our designated privacy officer through the ThreeShield contact form at https://www.threeshield.ca/contact.

Lavawall Consent

In effort to comply with various privacy regulations (including, but not limited to GDRP, PIPEDA, and PIPA), you must consent to Lavawall®'s cookie use and privacy policy.

The Canadian and American consoles have these boxes pre-checked, because these jurisdictions do not require affirmative consent.

The European console requires you to check the boxes in order to comply with GDPR.

Where does Lavawall® store your information and how is it protected?

Privacy and Security

Your data is stored in Canadian data centres. Lavawall® emails are initiated on Canadian servers and sent through email servers in Ireland.

Passwords are hashed using multiple rounds of PBKDF2 on your computer before being sent to our servers, where they are hashed again using additional rounds of PBKDF2. There is a slight delay after you click Sign In to allow for the hashing.

Your hashed password, unique initialization vectors, and unique salts are also used to encrypt your MFA secrets, asymetric encryption keys for communications between Lavawall® servers and hardware, logs, and other sensitive data. HTTPS communications are through TLS 1.3 or TLS1.2.

In addition to internal multi-factor authentication, IP restrictions, and other safeguards, our systems are also protected by third-party denial-of-service and web firewalls.

An important tip on using this system:
Lavawall® uses a combination of cookies, IP addresses, browser fingerprints, and cross-site request forgery mitigation fields to protect your account. As such, opening two consoles windows, using a different browser, or a different Internet Service Provider may log you out of the console and trigger additional verification processes.

How is my data protected:
All data is stored in encrypted databases and all data is transmitted from your computers using TLS 1.2 or TLS 1.3. All passwords and MFA secrets are stored using one-way slow hashes with unique salts for each account. When you login, your password is hashed using multiple rounds of PBKDF2 slow hashing on your computer before they are sent to the Lavawall® servers, where they receive additional rounds of slow PBKDF2 hashing before being verified against the hashed password stored in an encrypted database. The only time your password is sent from your computer to our servers using TLS encryption without one-way hashing is on sign-up, where we verify that it meets PCI compliance rules and doesn't match any known weak passwords. We also use a variety of Cross-Site Request Forgery, session hijacking, and bot detection techniques to keep your account safe.