Data protection
- Encryption in transit: TLS 1.2+ for all client and service-to-service traffic.
- Encryption at rest: datasets, models, and artifacts are stored in object storage with at-rest encryption; database storage is encrypted by the managed provider.
- Tenant isolation: data is scoped to organizations with row-level authorization checks; signed, expiring URLs gate artifact downloads.
- No training on your data: we do not use private Customer Content to train foundation models, and we do not sell it.
Access control
- Least-privilege access to production, limited to personnel who need it.
- Authentication via email/password or OAuth (Google/GitHub); enterprise SSO (OIDC/SAML) and SCIM available on Enterprise.
- Organization roles, with audit logs that record significant actions for accountability.
Retention & deletion
- Customer Content is retained while your account is active.
- On deletion, content is removed from primary systems within 30 days and from backups within 90 days, except where law requires retention.
- Self-serve data export and account/organization deletion are available; see the documentation.
Backups & availability
- Automated, encrypted database backups with point-in-time recovery via our managed Postgres provider.
- Object storage is redundant within the configured region.
- Target service availability of 99.9% for paid plans (Enterprise SLAs available by contract).
- Health checks and uptime monitoring on critical endpoints.
Monitoring & incident response
- Application errors and anomalies are monitored (Sentry) and triaged.
- We maintain an incident-response process with defined severities and on-call escalation.
- For incidents affecting Customer Content, we notify affected customers without undue delay (within 72 hours where feasible), consistent with our DPA.
Application security
- HTTPS-only with HSTS, frame protections, restricted referrer and permissions policies, and a content security policy.
- CORS restricted to known origins; signed webhooks (e.g., Stripe) are verified server-side.
- Secrets are stored in the platform's encrypted secret store, never in source control.
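As an added illustration of the server-side webhook verification listed above (example code, not Laplace's own implementation), the following checks a Stripe-style signature header: HMAC-SHA256 over `<timestamp>.<raw body>`, compared in constant time, with a replay window on the timestamp. The secret, timestamp and event body are constructed for the example.

```python
import hmac
import hashlib
import time

# Constructed values for this example; a real endpoint secret comes from the provider dashboard.
WEBHOOK_SECRET = "whsec_example_secret_not_real"
TOLERANCE_SECONDS = 300  # replay window: reject events whose timestamp is older than this


def parse_signature_header(header: str):
    """Parse 'Stripe-Signature: t=<unix ts>,v1=<hex>[,v1=<hex>...]' into (timestamp, [sigs])."""
    timestamp = None
    signatures = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("malformed signature header")
    return timestamp, signatures


def compute_signature(secret: str, timestamp: int, payload: bytes) -> str:
    # The signed string is the timestamp, a dot, and the RAW request body (never re-serialized JSON).
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(payload: bytes, header: str, secret: str = WEBHOOK_SECRET,
                   now=None, tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Return True only if a v1 signature matches and the timestamp is within tolerance."""
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:
        return False  # stale or future-dated event: treat as a replay
    expected = compute_signature(secret, timestamp, payload)
    # compare_digest avoids timing leaks; accept if any v1 entry matches (key rotation)
    return any(hmac.compare_digest(expected, s) for s in signatures)


def sign_for_test(payload: bytes, timestamp: int, secret: str = WEBHOOK_SECRET) -> str:
    """Build a header the way the sender would; used only to construct sample input."""
    return f"t={timestamp},v1={compute_signature(secret, timestamp, payload)}"


if __name__ == "__main__":
    body = b'{"id":"evt_example","type":"invoice.paid"}'  # constructed sample event body
    ts = 1_700_000_000
    hdr = sign_for_test(body, ts)
    print(verify_webhook(body, hdr, now=ts + 10))        # True
    print(verify_webhook(body + b" ", hdr, now=ts + 10))  # False: body altered
    print(verify_webhook(body, hdr, now=ts + 1000))      # False: outside the replay window
```

The handler must read the request body as raw bytes before any JSON parsing, since re-serializing changes whitespace and key order and the HMAC will no longer match.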
Enterprise readiness & boundaries
Available on Enterprise: SSO/SCIM, audit-log export, custom data residency, BYO storage bucket, and contractual SLAs. We are transparent about boundaries: we are not yet SOC 2 / ISO 27001 certified, and we will tell you where a control is in progress. Request our latest security questionnaire at security@laplace.ai.
Reporting a vulnerability
Please report suspected vulnerabilities to security@laplace.ai. We investigate good-faith reports and will not pursue legal action for responsible disclosure.