
Laami Data Security Policy

Last Updated: March 10, 2025

Version: v1.1

1. Purpose

This security policy ensures that customer data processed through Laami is secure, confidential, and compliant with SOC 2 and GDPR standards.

2. Scope

This policy applies to:

  • All employees, contractors, and third-party vendors with access to customer data.

  • All systems, applications, and services used in the operation of Laami.

3. Data Security & Access Controls

3.1 Data Classification

  • Customer data is classified as Confidential.

  • Only authorized personnel may access customer data.

3.2 Access Management

  • Role-Based Access Control (RBAC) is enforced to limit access based on job function.

  • Multi-Factor Authentication (MFA) is required for all admin and developer accounts.

  • The Least Privilege Principle is followed: users are granted only the access necessary for their roles.

3.3 Password & Credential Security

  • Passwords must be at least 12 characters long and stored securely using strong hashing algorithms.

  • Credentials such as API keys and database passwords are stored in environment variables or a secrets manager. Hardcoded secrets are prohibited.

3.4 Offboarding & Termination

  • All access for employees or contractors is revoked within 24 hours of departure.

4. Logging & Monitoring

4.1 Audit Logging

  • All database queries and admin actions are logged via built-in infrastructure.

  • Logs are retained for a minimum of 12 months.

  • Monthly reviews are conducted for suspicious activity.

4.2 Incident Detection & Alerts

  • Automated alerts notify the engineering team of unusual behavior (e.g., API spikes, abnormal login patterns).

  • Monthly security reviews include reviewing access logs and alert history.

5. Data Handling, Encryption & Retention

5.1 Processing Model

  • Laami does not permanently store the contents of user files or synced documents.

  • Synced files are processed in-memory and used to generate structured data representations.

  • Only metadata (e.g., filename, file type, connector source, user ID, timestamp) is stored in Supabase.

5.2 Data at Rest

  • All stored metadata is encrypted using AES-256 encryption.

  • No customer data is stored on local devices.

5.3 Data in Transit

  • All communications use HTTPS with TLS 1.2+ encryption.

  • Any transfer of structured data is encrypted during transmission.

5.4 Data Retention

  • Metadata is retained for the duration of the user’s account.

  • If a user disconnects a data source or deletes their account, metadata is deleted within 7 days.

  • No file content is stored beyond the immediate processing window.

6. Incident Response Plan

6.1 Security Incident Reporting

  • All employees must report security incidents within 1 hour.

  • Incidents are reported to the Security Lead at security@laami.co.

6.2 Investigation & Remediation

  • An investigation is initiated within 24 hours.

  • Affected users are notified within 72 hours if customer data is involved.

  • A root cause analysis is performed and a fix is applied immediately.

7. Backup & Disaster Recovery

7.1 Data Backups

  • Metadata stored in Supabase is backed up automatically every 24 hours.

  • All backups are encrypted and retained for a minimum of 30 days.

7.2 Recovery Testing

  • Full data restoration tests are conducted quarterly.

  • Recovery from any outage or breach is expected within 4 hours.

8. Third-Party Vendors & Integrations

8.1 Vendor Security Requirements

Vendors with access to metadata or user data must:

  • Provide SOC 2, ISO 27001, or equivalent certification.

  • Undergo annual security and compliance reviews.

8.2 API Usage

  • All external APIs are authenticated using OAuth 2.0 or signed API keys with restricted scopes.

  • No third party has access to raw file content.

9. Employee Security Training

  • Annual security training is mandatory for all team members.

  • Policies are reviewed every 6 months or after major infrastructure changes.

10. Compliance & Enforcement

  • Any violation of this policy may lead to disciplinary action, including termination.

  • This policy is reviewed and updated annually in line with SOC 2 audit readiness.

11. Change Management

  • All changes to production systems must be submitted via pull requests and reviewed by at least one other engineer.

  • Deployment is handled via CI/CD pipelines with full traceability.

12. Business Continuity

  • Laami uses redundant infrastructure with high availability for core services.

  • In case of system failure, fallback mechanisms and runbooks are in place for immediate recovery.

Contact: security@laami.co

Review Cadence: Every 6 months or after any major architecture change.

Version: v1.1 (Reviewed March 10, 2025)
