Security & Trust

Learn about our security practices and data handling policies

Security Overview

Lucid is built with security and privacy as foundational principles. We implement industry-standard security measures to protect clinical data and ensure the integrity of our diagnostic support system.

Encryption

Data in Transit

TLS 1.3

All data transmitted between your browser and our servers is encrypted using the latest TLS protocol.

Data at Rest

AES-256

Any stored data is encrypted with AES-256.

Authentication & Access

API Security

All API requests are authenticated and rate-limited to prevent abuse.

Access Controls

Strict access controls ensure only authorized systems and personnel can access data.

Session Management

Sessions are managed securely with appropriate timeout and invalidation mechanisms.

Infrastructure Security

  • Regular security updates and patches applied to all systems
  • Network security measures including firewalls and intrusion detection
  • Secure hosting infrastructure with redundancy and monitoring
  • Regular security audits and vulnerability assessments
  • Incident response procedures in place

Compliance

HIPAA

Security measures aligned with HIPAA principles for healthcare data protection.

GDPR

Data handling practices designed to comply with GDPR requirements.

Note: While we implement security measures aligned with these standards, please ensure your use of Lucid complies with your institution's policies and applicable regulations.

Data Handling Policy

Collection Purpose

Clinical diagnostic assistance and differential diagnosis generation

Scope: Only data explicitly provided by the user during active sessions

Storage

Session-based only. No persistent storage without explicit consent.

Location: Processed in-memory during active sessions

Third-Party Services

OpenAI

Purpose: AI-powered clinical data extraction and analysis

Data Shared: Anonymized clinical notes and extracted phenotypes

Compliance: OpenAI Business Terms with data processing agreement

OpenAlex

Purpose: Scientific literature and evidence retrieval

Data Shared: Search queries only (no patient data)

Compliance: OpenAlex is a public, non-commercial service

Security Headers

Lucid implements comprehensive security headers to protect against common web vulnerabilities:

  • Strict-Transport-Security (HSTS) for enforced HTTPS
  • X-Frame-Options to prevent clickjacking
  • X-Content-Type-Options to prevent MIME sniffing
  • Content-Security-Policy (CSP) for XSS protection
  • Referrer-Policy for privacy
  • Permissions-Policy for feature restrictions
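As an added example (not Lucid's own code), the check a reviewer would run against the list above: it audits a response's header set for those six headers and flags missing or permissive values. The two sample header sets and the thresholds are constructed assumptions, not captured from Lucid.

```python
import re

# Constructed sample responses (not captured from Lucid): one hardened, one weak.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://example.test",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}

def audit_headers(headers: dict) -> list:
    """Return findings for the six headers the page lists; [] means all pass."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m:
        findings.append("HSTS missing or without max-age")
    elif int(m.group(1)) < 31536000:                  # one year is the usual minimum
        findings.append("HSTS max-age shorter than one year")
    if m and "includesubdomains" not in hsts.lower():
        findings.append("HSTS does not cover subdomains")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    csp = h.get("content-security-policy", "").lower()
    if "default-src" not in csp:
        findings.append("CSP missing or has no default-src fallback")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp or "default-src *" in csp:
        findings.append("CSP weakened by wildcard or unsafe-inline/unsafe-eval")

    if h.get("referrer-policy", "").lower() in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy missing or leaks full URLs")
    if not h.get("permissions-policy"):
        findings.append("Permissions-Policy missing")
    return findings
```

Run it against a live response's headers (for example `requests.get(url).headers`) to confirm the page's claims rather than taking them on trust.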

Reporting Security Issues

If you discover a security vulnerability, please report it through your institution's designated security channels. We take security seriously and will investigate all reported issues promptly.