Security & HIPAA
How we handle your program’s data.
Lucida is a read-only documentation intelligence layer. We minimize what we touch, encrypt everything we store, and default to the stricter interpretation whenever HIPAA leaves room. This page is the plain-English version; our BAA and security policies are available on request.
HIPAA posture
We operate as a business associate under HIPAA when we touch PHI. A BAA is available on request before any PHI is transmitted — and is required before we begin paid engagements. Our policies align with the 2026 HIPAA Security Rule updates, including mandatory encryption of ePHI at rest and in transit.
SOC 2 — in progress
SOC 2 Type I is targeted for Q3 2026; Type II follows 12 months of operational history. Until SOC 2 is completed, we publish our security controls in long form and welcome customer-led security reviews. If you need the unfinished report today, ask and we'll share what we have.
Encryption & access
PHI and customer data are encrypted in transit (TLS 1.3) and at rest (AES-256). Access is role-based and limited to the specific clinical reviewer or engineer assigned to your program. Every access is logged. We run least-privilege by default — no engineer has standing production access.
What we store and for how long
For the free documentation risk scan: de-identified note samples are retained no longer than 30 days after the report is delivered, then deleted. For paid engagements: data retention is governed by your BAA and defaults to 7 years for clinical records as HIPAA requires, with customer-directed deletion available at any time. Your notes are never used to train models without explicit written consent.
Security questions or BAA request?
Email security@lucida.ai for security reviews, SOC 2 status, or to request a BAA. We respond within one business day.
Found a vulnerability? Please report it privately to the same address — we’ll acknowledge within 24 hours and keep you informed through remediation.