Trust Center

Last Updated: April 14th, 2026

Security, privacy, and compliance are foundational to how we operate. This page summarizes our current controls, subprocessors, and ongoing compliance work. For questions or to request additional documentation, email brayden@levangielaboratories.com.

1. Compliance Posture

Our security program is designed to align with the SOC 2 Type II and HIPAA control frameworks. Formal third-party certification and audit are in progress; we are not yet able to represent that a final SOC 2 Type II report or HIPAA attestation is available. We plan to complete initial external audit work in the coming months and will update this page as milestones are reached.

  • SOC 2 Type II: Controls aligned; formal audit in progress.
  • HIPAA: Controls aligned. A Business Associate Agreement (BAA) is not yet offered as a standard product; contact us if your use case requires one.
  • GDPR & CCPA/CPRA: We honor access, correction, erasure, portability, and objection rights as described in our Privacy Policy. A Data Processing Addendum is available on request.
  • EU AI Act: We provide AI-system disclosure in our chat widget and document AI processing in our Privacy Policy.

2. Subprocessors

The following third parties process personal data on our behalf. Each operates under contractual confidentiality and data-protection obligations appropriate to the data they handle.

Stripe, Inc.

Payment processing. Card and billing data is submitted directly to Stripe and never stored on our servers. Based in the United States.

Clerk, Inc.

Authentication and identity management, including organization membership. Based in the United States.

Anthropic, PBC

AI model provider. Processes chat content to generate responses under enterprise terms that prohibit training on data submitted through our platform. Based in the United States.

OpenAI, L.L.C.

AI model provider. Processes chat content to generate responses under enterprise terms that prohibit training on data submitted through our platform. Based in the United States.

Google LLC (Google Cloud Platform)

Cloud hosting and storage for application data, file uploads, and agent checkpoints. Based in the United States.

We may update this list as our operations evolve. Material changes affecting personal data processing will be reflected in our Privacy Policy and, where required, communicated under an applicable Data Processing Addendum.

3. Security Practices

  • Encryption in transit: All traffic to our services is served over TLS.
  • Encryption at rest: Customer data stored in our cloud infrastructure is encrypted at rest using provider-managed keys.
  • Access controls: Production access is restricted to a small set of authorized personnel, authenticated via single sign-on, and audit-logged.
  • Secrets management: Credentials and API keys are stored in a managed secret store and rotated on role changes and incidents.
  • Audit logging: Administrative and security-relevant actions (erasure requests, role changes, key revocation) are logged and retained for up to seven years for compliance review.
  • Separation of tenants: Organization data is isolated at the application layer by organization identifier; authorization is enforced on every request.
  • Internal review cadence: We regularly review code changes affecting authentication, authorization, and data handling, and run targeted red-team exercises.

4. Data Privacy & Deletion

Our Privacy Policy describes what we collect, how long we retain it, and the rights you can exercise. Account holders can request erasure of their personal data (GDPR Article 17 / CCPA right to delete) through in-product controls or by contacting us. API keys, linked accounts, and active sessions are removed immediately on request; conversations, folders, and account records enter a 30-day grace period during which the request can be cancelled, after which data is anonymized or hard-deleted across our application database, cache, file storage, and checkpoint systems.

5. AI & Model Training

We do not use customer content, agent conversations, or widget chat data to train or fine-tune our AI models. Our model providers operate under enterprise terms that prohibit training on data submitted through our platform. Our embeddable chat widget shows an AI-assistant disclosure to end users at the start of every session and collects no personal data before affirmative consent.

6. Incident Response

We maintain internal procedures for detecting, triaging, and remediating security incidents. Where an incident affects personal data, we will notify affected parties consistent with our legal obligations and any applicable Data Processing Addendum. To report a suspected vulnerability or security concern, email brayden@levangielaboratories.com. We request that researchers act in good faith and avoid actions that could compromise other users' data while investigating.

7. Documents & Requests

The following documentation is available on request to qualifying customers under NDA. Email brayden@levangielaboratories.com.

  • Data Processing Addendum (DPA)
  • Security overview / whitepaper
  • Subprocessor list in tabular form (for vendor intake)
  • Business Associate Agreement (BAA) for HIPAA-regulated use cases, subject to review

8. Contact

Levangie Laboratories, Inc.

Security & compliance inquiries: brayden@levangielaboratories.com