Security

Last updated 2026-05-15

A factual snapshot of how Lacudelph handles your data. For the long-form privacy policy see /privacy; for sub-processor commitments see the DPA. Any mismatch between this page and either of those should be flagged via /contact?topic=security; the privacy policy and the DPA are the legal source of truth.

1. Data residency

  • Application data and database: Neon Postgres in AWS US-East-1 (single primary, no cross-region replicas today).
  • Application hosting: Vercel (US/EU edge for static assets; serverless functions execute in the region nearest the request).
  • Non-US customers: residency is not formally region-pinned today. If your procurement requires data to remain outside the US, contact us before signing. Neon supports EU regions, and we can spin up a separate project per ADR 0002 if commercially justified.

2. Encryption

  • At rest: Neon-managed encryption (AES-256) on all stored rows and backups.
  • In transit: TLS 1.2+ enforced end-to-end (HSTS max-age=63072000; includeSubDomains; preload). HTTP redirects to HTTPS at the edge.
  • BYO Anthropic API keys (available as a mode on any paid plan): encrypted at rest with AES-256-GCM under a server-side secret distinct from the session-signing key. Decrypted only on-demand inside the per-turn handler; never logged in plaintext.

3. Authentication

  • Auth.js v5 with two methods: email magic link via Resend, or Google OAuth.
  • Magic-link tokens are signed, single-use, and expire after 15 minutes.
  • Sessions are DB-backed (not JWT-only), so revocation is immediate on sign-out or account deletion.
  • Session cookies are HttpOnly + Secure + SameSite=Lax.
  • Per-IP rate limit on magic-link sends (5/hour) to prevent inbox flooding.

4. Tenancy isolation

All app data carries an org_id. Every server action and API route resolves the active org via requireActiveOrg() before reading or writing — queries scope by org_id, never user_id. A user with no membership in an org cannot read any of that org’s briefs, interviews, transcripts, takeaways, rounds, or LLM-call telemetry.
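The org-scoping rule above, as an added example that is not Lacudelph's code: an in-memory model where every read resolves the caller's org via requireActiveOrg() (name taken from this page) and filters by org_id, shown next to the user_id-scoped query the page rules out. The data, the ForbiddenError type and the listBriefs functions are assumptions for illustration.

```typescript
// Added example (not the project's code). Models the "scope by org_id, never
// user_id" rule with constructed sample data.
type Brief = { id: string; org_id: string; created_by: string; title: string };
type Membership = { user_id: string; org_id: string };

// Constructed scenario: alice created a brief in org_acme, then lost her
// membership there; bob is a current member of org_acme who created nothing.
const memberships: Membership[] = [
  { user_id: "bob", org_id: "org_acme" },
  { user_id: "alice", org_id: "org_other" },
];
const briefs: Brief[] = [
  { id: "b1", org_id: "org_acme", created_by: "alice", title: "Onboarding study" },
  { id: "b2", org_id: "org_other", created_by: "alice", title: "Pricing study" },
];

class ForbiddenError extends Error {}

// Resolve the org a request operates in. Fails closed: a caller with no
// membership in the requested org gets an error, not an empty result.
function requireActiveOrg(userId: string, requestedOrgId: string): string {
  const isMember = memberships.some(
    (m) => m.user_id === userId && m.org_id === requestedOrgId,
  );
  if (!isMember) {
    throw new ForbiddenError(`user ${userId} has no membership in ${requestedOrgId}`);
  }
  return requestedOrgId;
}

// Correct pattern: every query filters by the resolved org_id.
function listBriefs(userId: string, requestedOrgId: string): Brief[] {
  const orgId = requireActiveOrg(userId, requestedOrgId);
  return briefs.filter((b) => b.org_id === orgId);
}

// Anti-pattern the page rules out: filtering by who created the row.
// It still returns org_acme's brief to alice after her removal, and hides
// b1 from bob even though he is a member of the org that owns it.
function listBriefsByUserUnsafe(userId: string): Brief[] {
  return briefs.filter((b) => b.created_by === userId);
}
```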

5. Retention

Default behavior: data is retained as long as your organisation’s account is active. Specifics by resource:

  • Briefs, interviews, turns (transcripts), takeaways, rounds, round aggregates: indefinite while subscription active. Hosts can delete individual briefs at any time, which cascade-deletes attached interviews and turns.
  • llm_calls telemetry rows (model, tokens, ms, cost — no transcript content): indefinite while subscription active.
  • Rate-limit buckets: lazily GC’d; nightly cron removes expired buckets.
  • IP addresses (rate-limit only): cleared after the rate-limit window expires (currently 1 hour).
  • Billing records (Paddle invoices, customer ID): up to 7 years per Israeli tax law. Paddle is Merchant of Record and retains its own copy.

Account / org deletion triggers cascade deletion of briefs, interviews, transcripts, takeaways, organisation memberships, and llm_calls telemetry within 30 days. Sole-owner orgs are dropped along with the user.

6. Deletion

  • Self-serve account deletion: any signed-in user can delete their account (and any sole-owner orgs) from /org/settings → “Delete account” (type DELETE to confirm). The deletion cascades briefs, interviews, transcripts, takeaways, organisation memberships, and LLM-call telemetry from sole-owned orgs.
  • Self-serve brief deletion: hosts can delete individual briefs from the brief detail page; this cascades attached interviews and turns.
  • Org-wide deletion when you are not the sole owner, participant erasure requests, and bulk export before deletion are not currently self-serve. Use /contact?topic=privacy (privacy / data) or /contact?topic=participant-erasure (participant-side erasure). We respond within 30 days as committed in the privacy policy.

7. Sub-processors

Lacudelph engages third-party sub-processors to operate the Service, across the following categories: application hosting and edge delivery; managed database; large-language-model providers (text and voice); transactional email; payments and tax; authentication (when a user signs in via a federated provider); product analytics (when enabled); error monitoring; and optional outbound integrations such as Slack (only when a workspace installs them).

The current named list, with each sub-processor’s location and processing purpose, lives in DPA §5 and is the canonical source of truth. Existing customers receive 14 days’ notice, via that page’s “Last updated” date, before a new sub-processor is engaged. Sub-processors that handle Customer Personal Data contractually commit not to use that data for their own model training or advertising, either under their default API terms (Anthropic Commercial Terms; OpenAI API data-usage policy) or under processor terms negotiated with us (Vercel, Resend, Neon, Paddle).

8. PII handling and logging

  • Participant transcripts, host briefs, takeaways, and personal identifiers stay out of operational logs and external telemetry.
  • llm_calls telemetry stores provider, model id, token counts, latency, and cost — not prompt or completion content.
  • Session IDs / interview IDs are hashed before they appear in any external telemetry.
  • Server-side error reports (Sentry) strip request bodies and known-PII fields before send.
  • Rate-limit IPs are stored only for the active 1-hour window, then evicted.

8a. Audit log

Every state-changing action in a workspace (brief publishes, tier toggles, BYO key set/clear, webhook config, member invites and revocations, version restores, site-admin operator actions) writes a row to the per-org org_event table. Owners and admins see the last 50 entries on /org/settings; site admins see cross-tenant entries on /admin/orgs/<id>. The audit log captures actor, timestamp, target id, and a free-form summary string; no participant content lands here.

Outbound webhook attempts are persisted with their delivery status, attempt count, and last-response excerpt, so operator and customer can both answer “did this delivery succeed?” without server-side log spelunking.

9. Headers and embedding

Applied to every route:

  • Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • X-Frame-Options: DENY — the participant interview page is not iframable by third parties.
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(self), geolocation=(), interest-cohort=() — same-origin microphone allowed for the participant chat’s opt-in voice input (audio transcribed via OpenAI Whisper, then discarded; never stored).

A Content-Security-Policy is currently shipped in Report-Only mode — every page response carries Content-Security-Policy-Report-Only with a policy that pins script + connect + frame sources to our known third parties (Vercel Analytics, Sentry tunnel via /monitoring, Paddle checkout, PostHog when enabled). Violations are forwarded to /api/csp-report and recorded as Sentry warning-level events for tightening. Promotion to enforced Content-Security-Policy follows a clean reporting window.

10. Incident response

Lacudelph is operated by a small team. We are honest about what that means:

  • Acknowledgment: best-effort within 24 hours of receiving a security report at /contact?topic=security.
  • Triage and remediation: prioritised by severity; status updates via email until resolved.
  • Customer notification: if we discover a security incident affecting your data, we will notify you without undue delay and within any timeframe required by applicable law.
  • We do not publish an uptime SLA today. Past Vercel + Neon uptime is the practical floor.

11. Compliance posture

  • GDPR: standard processor terms in the DPA; Standard Contractual Clauses for transfers to the US.
  • Israeli Privacy Protection Law: operator (Attius Digital Art) is registered in Israel.
  • SOC 2 / ISO 27001: Lacudelph itself is not certified today. Underlying providers (Neon, Vercel, Anthropic, Paddle, Resend) hold their own SOC 2 / ISO 27001 reports; we can share their attestations on request.
  • HIPAA: not in scope. Do not use Lacudelph with PHI today.

12. Contact

Security questions, vulnerability reports, or anything that doesn’t fit a category above: /contact?topic=security. Replies within 3 business days for non-incident requests; 24 hours for incident reports.