Security at Lumen

Lumen Notes handles some of the most sensitive data that exists: recordings and notes from psychotherapy sessions. We treat that as a design constraint, not a marketing line. This page describes the controls in place today, in plain language. For contractual terms, see the Data Processing Agreement and the HIPAA Notice.

Encryption

• In transit: all traffic between your browser, the Lumen app, and our infrastructure is encrypted with TLS 1.2 or higher. Plaintext connections are refused.
• At rest: databases, file storage, and backups are encrypted at rest with AES-256. Encryption keys are managed by our infrastructure providers' key-management services and rotated on their standard schedules.

Session audio is never persisted

Audio exists in Lumen for exactly one purpose: producing the draft note. Audio is processed for transcription and drafting, and is permanently deleted when the clinician signs the note (or when the session is discarded). Deletion is the default behavior of the product, not a configuration option. We do not keep audio archives, and we do not use audio for any secondary purpose.

Your data is never used to train models

Customer content — audio, transcripts, drafts, signed notes, client records — is never used to train Lumen's models or any third party's models. Our AI subprocessors are contractually bound to the same restriction (see Subprocessors).

Access controls

• Role-based access control: clinicians see their own caseload; group-practice admins see only what their role permits.
• Only a licensed clinician can edit, sign, and file a note. The AI cannot sign, and signing is recorded with the signer's identity and a timestamp.
• Internal access to production data is restricted to a small number of engineers, gated by SSO and multi-factor authentication, granted on a least-privilege basis, and logged.
• Audit logs record access to client records within the product.

Infrastructure

Lumen runs on vetted cloud providers (Vercel for hosting, Neon for the database — see the full subprocessor list with regions). We do not operate our own physical servers. Backups are encrypted and tested.

Compliance posture

• HIPAA: Lumen is designed for HIPAA workflows and we sign Business Associate Agreements with covered entities on Solo and Group plans. See the HIPAA Notice.
• SOC 2 Type II — in progress. We are working through a SOC 2 Type II audit and will publish the report to customers under NDA when complete. We do not claim certifications we do not hold.

Responsible disclosure

If you believe you've found a security vulnerability in Lumen Notes, email security@lumen.1labs.app with enough detail to reproduce the issue. We commit to acknowledging reports within 2 business days, we won't pursue legal action against good-faith research, and we ask that you give us a reasonable window to fix the issue before public disclosure. Please do not test against accounts containing real client data — use a trial account.

Questions

Security questionnaires, BAA requests, or anything this page doesn't answer: support@lumen.1labs.app.