Security

Last updated 2026-05-07

A factual snapshot of how Lacudelph handles your data. For the long-form privacy policy see /privacy; for sub-processor commitments see the DPA. Any mismatch between this page and either of those should be flagged via /contact?topic=security; the privacy policy and DPA are the legal source of truth.

1. Data residency

  • Application data and database: Neon Postgres in AWS US-East-1 (single primary, no cross-region replicas today).
  • Application hosting: Vercel (US/EU edge for static assets; serverless functions execute in the region nearest the request).
  • Non-US customers: residency is not formally region-pinned today. If your procurement requires data to remain outside the US, contact us before signing. Neon supports EU regions and we can spin up a separate project per ADR 0002 if commercially justified.

2. Encryption

  • At rest: Neon-managed encryption (AES-256) on all stored rows and backups.
  • In transit: TLS 1.2+ enforced end-to-end (HSTS max-age=63072000; includeSubDomains; preload). HTTP redirects to HTTPS at the edge.
  • BYO Anthropic API keys (BYO-key tier only): encrypted at rest with AES-256-GCM under a server-side secret distinct from the session-signing key. Decrypted only on demand inside the per-turn handler; never logged in plaintext.
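As an added illustration of the envelope scheme described above (example code, not Lacudelph's own implementation): a BYO key sealed with AES-256-GCM under a key-encryption key that is separate from the session secret. The constructed secrets, the `v1.iv.tag.ciphertext` storage format and the use of the org id as GCM associated data are assumptions of this example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Constructed secrets so the example runs offline. In a deployment the KEK comes
// from its own environment secret; the session secret is shown only to make the
// "distinct keys" point, and nothing below derives one from the other.
export const BYO_KEY_KEK: Buffer = randomBytes(32);   // AES-256 needs a 32-byte key
export const SESSION_SECRET: Buffer = randomBytes(32);

// Assumed envelope format for the stored column: "v1.<iv>.<tag>.<ciphertext>", base64 parts.
export function encryptByoKey(apiKey: string, orgId: string, kek: Buffer = BYO_KEY_KEK): string {
  const iv = randomBytes(12);                          // fresh 96-bit nonce per encryption
  const cipher = createCipheriv("aes-256-gcm", kek, iv);
  cipher.setAAD(Buffer.from(orgId, "utf8"));           // bind the ciphertext to its org row
  const ct = Buffer.concat([cipher.update(apiKey, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return ["v1", iv.toString("base64"), tag.toString("base64"), ct.toString("base64")].join(".");
}

// Called only inside the request that needs the key; throws on any tamper, wrong KEK,
// or a ciphertext copied onto a different org's row (the AAD no longer matches).
export function decryptByoKey(stored: string, orgId: string, kek: Buffer = BYO_KEY_KEK): string {
  const parts = stored.split(".");
  if (parts.length !== 4 || parts[0] !== "v1") throw new Error("unknown BYO key envelope");
  const [, ivB64, tagB64, ctB64] = parts as [string, string, string, string];
  const decipher = createDecipheriv("aes-256-gcm", kek, Buffer.from(ivB64, "base64"));
  decipher.setAAD(Buffer.from(orgId, "utf8"));
  decipher.setAuthTag(Buffer.from(tagB64, "base64"));
  const pt = Buffer.concat([decipher.update(Buffer.from(ctB64, "base64")), decipher.final()]);
  return pt.toString("utf8");
}

// What is allowed into logs and telemetry: a suffix for support matching, never the key.
export function redactForLog(apiKey: string): string {
  return `***${apiKey.slice(-4)}`;
}
```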

3. Authentication

  • Auth.js v5 with two methods: email magic link via Resend, or Google OAuth.
  • Magic-link tokens are signed, single-use, and expire after a 15-minute TTL.
  • Sessions are DB-backed (not JWT-only), so revocation is immediate on sign-out or account deletion.
  • Session cookies are HttpOnly + Secure + SameSite=Lax.
  • Per-IP rate limit on magic-link sends (5/hour) to prevent inbox flooding.
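As an added model of the properties listed above (not Auth.js or Lacudelph code): HMAC-signed tokens that are single-use with a 15-minute TTL, plus a 5-per-hour per-IP send limit. In-memory maps stand in for the database tables, and the signing secret and token format are constructed for this example.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

const TOKEN_SECRET = randomBytes(32);      // constructed; a dedicated server-side secret
const TOKEN_TTL_MS = 15 * 60 * 1000;       // 15-minute TTL
const SEND_LIMIT = 5;                      // 5 sends per IP ...
const SEND_WINDOW_MS = 60 * 60 * 1000;     // ... per hour

// token id -> pending row; deleting the row on consumption is what makes a link single-use
const pending = new Map<string, { email: string; expiresAt: number }>();
// ip -> timestamps of sends inside the current window
const sends = new Map<string, number[]>();

function sign(id: string, email: string, expiresAt: number): string {
  return createHmac("sha256", TOKEN_SECRET).update(`${id}|${email}|${expiresAt}`).digest("hex");
}

// Returns the token to embed in the link, or null when the IP is over its send budget.
export function issueMagicLink(email: string, ip: string, now = Date.now()): string | null {
  const recent = (sends.get(ip) ?? []).filter((t) => now - t < SEND_WINDOW_MS);
  if (recent.length >= SEND_LIMIT) return null;     // rate-limited: no email goes out
  sends.set(ip, [...recent, now]);
  const id = randomBytes(16).toString("hex");
  const expiresAt = now + TOKEN_TTL_MS;
  pending.set(id, { email, expiresAt });
  return `${id}.${expiresAt}.${sign(id, email, expiresAt)}`;
}

// True exactly once per token, and only before its expiry; every other call is false.
export function consumeMagicLink(token: string, email: string, now = Date.now()): boolean {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  const [id, expStr, mac] = parts as [string, string, string];
  const expiresAt = Number(expStr);
  const expected = sign(id, email, expiresAt);
  // constant-time compare so a forged MAC cannot be guessed byte by byte
  if (mac.length !== expected.length || !timingSafeEqual(Buffer.from(mac), Buffer.from(expected))) return false;
  const row = pending.get(id);
  if (!row || row.email !== email || row.expiresAt !== expiresAt) return false;
  pending.delete(id);                               // consumed whether or not it is still fresh
  return now < expiresAt;
}
```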

4. Tenancy isolation

All app data carries an org_id. Every server action and API route resolves the active org via requireActiveOrg() before reading or writing — queries scope by org_id, never user_id. A user with no membership in an org cannot read any of that org’s briefs, interviews, transcripts, takeaways, rounds, or LLM-call telemetry.
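As an added in-memory model of the scoping rule above (not Lacudelph's own requireActiveOrg() or data layer): membership is checked before any read, and every query carries org_id, never user_id. The tables, ids and the contrasting user_id-scoped function are constructed for this example.

```typescript
type Session = { userId: string; activeOrgId: string };
type Brief = { id: string; org_id: string; created_by: string; title: string };

// Constructed sample rows standing in for the memberships and briefs tables.
const memberships: Array<{ user_id: string; org_id: string }> = [
  { user_id: "u_alice", org_id: "org_acme" },
  { user_id: "u_bob", org_id: "org_acme" },
  { user_id: "u_carol", org_id: "org_globex" },
];
const briefs: Brief[] = [
  { id: "b1", org_id: "org_acme", created_by: "u_alice", title: "Onboarding study" },
  { id: "b2", org_id: "org_globex", created_by: "u_carol", title: "Pricing interviews" },
];

export class TenancyError extends Error {}

// Resolve the org every query must be scoped to. Throws when the session's active
// org is not one the user belongs to (e.g. after removal, or a tampered org value).
export function requireActiveOrg(session: Session): string {
  const member = memberships.some(
    (m) => m.user_id === session.userId && m.org_id === session.activeOrgId,
  );
  if (!member) throw new TenancyError(`${session.userId} is not a member of ${session.activeOrgId}`);
  return session.activeOrgId;
}

// Reads filter on org_id: teammates see each other's briefs, other tenants see nothing.
export function listBriefs(session: Session): Brief[] {
  const orgId = requireActiveOrg(session);
  return briefs.filter((b) => b.org_id === orgId);
}

// Both predicates in one lookup: a guessed id from another tenant is "not found", not data.
export function getBrief(session: Session, briefId: string): Brief | null {
  const orgId = requireActiveOrg(session);
  return briefs.find((b) => b.id === briefId && b.org_id === orgId) ?? null;
}

// The anti-pattern the page rules out, shown for contrast only: scoping by user_id hides
// teammates' briefs from each other and lets a removed user keep reading what they created.
export function listBriefsByUserUnsafe(session: Session): Brief[] {
  return briefs.filter((b) => b.created_by === session.userId);
}
```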

5. Retention

Default behavior: data is retained as long as your organisation’s account is active. Specifics by resource:

  • Briefs, interviews, turns (transcripts), takeaways, rounds, round aggregates: indefinite while subscription active. Hosts can delete individual briefs at any time, which cascade-deletes attached interviews and turns.
  • llm_calls telemetry rows (model, tokens, ms, cost — no transcript content): indefinite while subscription active.
  • Rate-limit buckets: lazily GC’d; nightly cron removes expired buckets.
  • IP addresses (rate-limit only): cleared after the rate-limit window expires (currently 1 hour).
  • Billing records (Paddle invoices, customer ID): up to 7 years per Israeli tax law. Paddle is Merchant of Record and retains its own copy.

Account / org deletion triggers cascade deletion of briefs, interviews, transcripts, takeaways, organisation memberships, and llm_calls telemetry within 30 days. Sole-owner orgs are dropped along with the user.

6. Deletion

  • Self-serve account deletion: any signed-in user can delete their account (and any sole-owner orgs) from /org/settings → “Delete account” (type DELETE to confirm). The deletion cascades to briefs, interviews, transcripts, takeaways, organisation memberships, and LLM-call telemetry from sole-owned orgs.
  • Self-serve brief deletion: hosts can delete individual briefs from the brief detail page; this cascades to attached interviews and turns.
  • Org-wide deletion when you are not the sole owner, participant erasure requests, and bulk export before deletion are not currently self-serve. Use /contact?topic=privacy (privacy / data) or /contact?topic=participant-erasure (participant-side erasure). We respond within 30 days as committed in the privacy policy.

7. Sub-processors

The full list lives in the DPA. Summary:

  • Vercel (US / EU edge) — application hosting, serverless functions.
  • Neon (US-East-1) — managed Postgres (primary database).
  • Anthropic (US) — large-language-model provider for conductor, refinement, meta-noticing, extraction, takeaway, aggregation. Models in use: claude-opus-4-7, claude-sonnet-4-6, claude-haiku-4-5.
  • Vercel AI Gateway (US) — routing + observability layer in front of Anthropic for non-streaming calls.
  • Resend (US) — transactional email (magic-link sign-in, takeaway delivery, contact-form relay).
  • Paddle (UK; Merchant of Record) — payments + tax. Chosen over Stripe because Stripe doesn’t support Israeli merchants directly.
  • Google (US) — OAuth provider (only invoked if user signs in with Google).
  • Sentry (US) — server-side error reporting (no transcript content; PII-redacted stack traces only).

We do not use OpenAI or other LLM providers today — the model layer is dynamic but every cell in the routing matrix is currently an Anthropic model. Anthropic, Vercel, Resend, Neon, and Paddle each contractually commit not to use Lacudelph customer data for their own model training or advertising.

8. PII handling and logging

  • Participant transcripts, host briefs, takeaways, and personal identifiers stay out of operational logs and external telemetry.
  • llm_calls telemetry stores provider, model id, token counts, latency, and cost — not prompt or completion content.
  • Session IDs / interview IDs are hashed before they appear in any external telemetry.
  • Server-side error reports (Sentry) strip request bodies and known-PII fields before send.
  • Rate-limit IPs are stored only for the active 1-hour window, then evicted.

8a. Audit log

Every state-changing action in a workspace — brief publishes, tier toggles, BYO key set/clear, webhook config, member invites and revocations, version restores, site-admin operator actions — writes a row to the per-org org_event table. Owners and admins see the last 50 entries on /org/settings; site admins see entries across tenants on /admin/orgs/<id>. The audit log captures actor, timestamp, target id, and a free-form summary string; no participant content lands here.

Outbound webhook attempts are persisted with their delivery status, attempt count, and last-response excerpt — operator + customer can both answer “did this delivery succeed?” without server-side log spelunking.

9. Headers and embedding

Applied to every route:

  • Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • X-Frame-Options: DENY — the participant interview page is not iframable by third parties.
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(self), geolocation=(), interest-cohort=() — same-origin microphone allowed for the participant chat’s opt-in voice input (audio transcribed via OpenAI Whisper, then discarded; never stored).

A Content-Security-Policy is currently shipped in Report-Only mode — every page response carries Content-Security-Policy-Report-Only with a policy that pins script + connect + frame sources to our known third parties (Vercel Analytics, Sentry tunnel via /monitoring, Paddle checkout, PostHog when enabled). Violations are forwarded to /api/csp-report and recorded as Sentry warning-level events for tightening. Promotion to enforced Content-Security-Policy follows a clean reporting window.

10. Incident response

Lacudelph is operated by a small team. We are honest about what that means:

  • Acknowledgment: best-effort within 24 hours of receiving a security report at /contact?topic=security.
  • Triage and remediation: prioritised by severity; status updates via email until resolved.
  • Customer notification: if we discover a security incident affecting your data, we will notify you without undue delay and within any timeframe required by applicable law.
  • We do not publish an uptime SLA today. Past Vercel + Neon uptime is the practical floor.

11. Compliance posture

  • GDPR: standard processor terms in the DPA; Standard Contractual Clauses for transfers to the US.
  • Israeli Privacy Protection Law: operator (Attius Digital Art) is registered in Israel.
  • SOC 2 / ISO 27001: Lacudelph itself is not certified today. Underlying providers (Neon, Vercel, Anthropic, Paddle, Resend) hold their own SOC 2 / ISO 27001 reports; we can share their attestations on request.
  • HIPAA: not in scope. Do not use Lacudelph with PHI today.

12. Contact

Security questions, vulnerability reports, or anything that doesn’t fit a category above: /contact?topic=security. Replies within 3 business days for non-incident requests; 24 hours for incident reports.
