Security
LAST UPDATED · 2026-05-17
Production AI is only as trustworthy as the security posture underneath it. This page describes how we build, deploy, and operate the systems we ship — and what specifically applies to the Pro Bundle, which handles regulated data under HIPAA.
1. Operating principles
- Least privilege. Every account, key, and integration gets the minimum access it needs and no more.
- Encryption everywhere. Data in transit and at rest is encrypted using industry-standard protocols and algorithms (TLS 1.2+, AES-256).
- Human gates on customer-facing AI output. By default, AI outputs that affect a customer cross a human decision gate or a deterministic fallback before they're sent.
- Audit trail. Every system we build logs what happened, who triggered it, and what changed — sufficient to reconstruct activity months later.
- Subprocessor discipline. We use a small, deliberate set of vendors, each chosen for their security posture.
2. Infrastructure
We deploy on the major commercial clouds — Amazon Web Services, Microsoft Azure, and Google Cloud Platform — choosing per engagement based on data residency, integration needs, and the client's existing footprint. We use cloud-native primitives (managed databases, managed Kubernetes, managed secret storage) rather than rolling our own where commercial alternatives are stronger.
Specific technical controls per engagement:
- TLS 1.2+ for all client-facing connections.
- AES-256 encryption at rest for databases, object storage, and backups.
- Network segmentation: private subnets for data and compute; public-facing only at the load balancer.
- Secrets stored in managed secret managers (AWS Secrets Manager / Azure Key Vault / GCP Secret Manager) — never in code, never in repos.
- Daily encrypted backups with documented restore procedures.
3. Access controls
- Role-based access control on every system we build. We define explicit roles and assign people to them; we do not grant ad-hoc access.
- Multi-factor authentication required for all internal accounts and admin access to cloud consoles.
- SSO via Google Workspace where supported; long random per-service credentials rotated on a defined schedule where SSO is not supported.
- Production access is logged and reviewed.
4. AI subprocessors
We use third-party AI inference providers — primarily Anthropic, OpenAI, and Google — to power the agents we build. We choose the model per workload based on cost, latency, accuracy, and data-handling requirements. Specifically:
- We operate on enterprise-tier API contracts that prohibit the provider from training on customer data.
- For HIPAA workloads (Pro Bundle), we operate under Business Associate Agreements (BAAs) with the specific providers and route only through HIPAA-eligible endpoints.
- For sensitive non-PHI data, we may route through region-pinned or private deployment endpoints where the provider offers them.
- Where appropriate, we redact or tokenize sensitive fields before they reach the model.
5. HIPAA-conformant deployment (Pro Bundle)
The Pro Bundle is built to meet HIPAA technical safeguards. For Pro Bundle engagements:
- BAAs signed with all subprocessors that touch PHI before the system goes live.
- Encryption at rest and in transit.
- Access controls with role-based permissions and audit logging on every read and write of PHI.
- Retention policies aligned with the practice's records-retention requirements.
- Documented compliance posture provided as part of the engagement deliverables.
We cover technical safeguards on our side; administrative and physical safeguards on your side (workforce training, facility access, sanction policies, etc.) remain your operation's responsibility.
The Starter Bundle and Growth Bundle are not HIPAA-conformant by default and should not be used to handle PHI. Healthcare practices handling PHI should use the Pro Bundle.
6. Vulnerability management
- Dependencies in the systems we deploy are tracked and patched on a defined cadence; security-critical patches are expedited.
- We monitor cloud provider advisories and AI provider advisories and respond to relevant ones promptly.
- Penetration testing or third-party security review is available as a paid scope-add for engagements that require it.
7. Incident response
If we detect or are informed of a security incident affecting a client:
- We contain the immediate issue (rotate credentials, isolate affected systems, etc.).
- We notify the client without undue delay — typically within 24 hours of confirming an incident — and provide what we know, what we don't, and what we're doing.
- We complete a post-incident review and share the relevant findings with the client.
- For HIPAA-covered engagements, breach notification follows the timelines required by HIPAA / HITECH and the engagement's BAA.
8. Data handling on closure
At the end of an engagement, on request we will (a) return all client data in a usable format and (b) delete copies from our systems on a documented schedule, except for material we are required to retain by law (e.g., tax records) or for legitimate business records (executed contracts, audit logs of our own work).
9. What we do not claim
To set expectations honestly:
- We are not currently SOC 2, ISO 27001, or HITRUST certified. We can pursue these for an engagement that requires them at appropriate scope and cost.
- We are not a payment processor. We do not store or transmit payment card data.
- We do not currently host workloads outside the United States by default; international hosting is available per engagement.
10. Reporting a vulnerability
If you discover a security issue with this website or with a system we have deployed for you, please tell us at admin@lasdigitaltech.com. We will acknowledge receipt within two business days. We do not run a paid bug bounty, but we are grateful for, and will publicly acknowledge (with permission), good-faith reports.
11. Contact
Security questions, requests for documentation, or anything else: admin@lasdigitaltech.com.