Lucidity

Security

Last updated: 2026-04-19. Contact: security@lucidity.today.

DRAFT, pending counsel review. This Security page is a DRAFT pending counsel review. It describes intended practices and is not yet effective.

Our posture, in plain English

Lucidity stores some of the most private things you write: journal entries, reflections, decisions you're wrestling with. We design the product around that fact rather than around a marketing slogan. We tell you honestly what is encrypted, what isn't, where plaintext exists, and what our third-party providers can and cannot see. If we're not sure, we say so instead of guessing favorably.

We are not perfect, and we don't claim to be. We publish our subprocessor list, our data flow, and our incident-response clock in public so you can check our work.

Encryption

Your journal is encrypted on your device and stored encrypted on our servers. When you use the AI coach, the relevant text is decrypted on your device and sent to Anthropic’s Claude model running inside AWS Bedrock. AWS processes the prompt under its standard data handling terms and does not log invocations by default; Anthropic does not receive the prompts on this path.

In more detail:

  • Journal content is encrypted on your device using libsodium secretbox with a device-held key stored in the iOS Keychain or Android Keystore (hardware-backed where the device supports it).
  • Only ciphertext is uploaded to our servers. Our database stores ciphertext; our backups store ciphertext.
  • When you use the AI Coach, the app decrypts the relevant entries locally, sends them over TLS 1.2+ to our API, which forwards them to AWS Bedrock. Anthropic’s Claude model runs as a hosted service inside Bedrock; Anthropic does not receive the prompts directly. AWS does not log invocations by default and Lucidity does not opt into logging. Nothing is retained in plaintext downstream.
  • A full data-flow diagram lives on our Privacy page.

This is not end-to-end encryption. An end-to-end system would run the AI model on your device so plaintext never leaves. We don't ship that today; we document what we do ship precisely rather than misstate it.

AI processing via AWS Bedrock

Our AI Coach, Pattern Letters, Red Team, and weekly synthesis all run on Anthropic Claude models hosted inside AWS Bedrock. Under this routing:

  • AWS is our data processor, covered by the AWS Data Processing Addendum and AWS’s Service Terms for Bedrock,
  • AWS does not log invocations by default. Lucidity does not opt into Bedrock’s Model Invocation Logging,
  • Anthropic does not receive the prompts on this path; Claude runs as a hosted service inside Bedrock,
  • prompts and completions are not used to train any model, per AWS Bedrock’s Service Terms and Anthropic’s own commitment for models served via Bedrock.

Status: AWS account provisioned, DPA accepted, Bedrock model access configured. Architecture details are published on /subprocessors. AI Coach features are gated off paid tiers until the Plan B mobile app ships the production integration.

SOC 2 status

SOC 2 attestation is in progress. We are using a continuous-controls platform (Vanta / Drata) with a Type I report targeted. A Type II report is not yet available.

  • Type I report: targeted for Q2 of our commercial operation.
  • Type II observation window: 6–12 months after Type I.
  • Type II report: approximately month 14.

We will publish the Type I letter when available and will update this page with the Type II report when, and only when, that report is in hand.

Incident response

We operate under a written incident-response plan with a named owner.

  • Named Incident Response Owner: security@lucidity.today (monitored 24/7 for incidents classified P0/P1).
  • GDPR 72-hour clock. Personal-data breaches affecting EU/UK/EEA data subjects are reported to the lead supervisory authority within 72 hours of discovery, per GDPR Article 33.
  • US state notification clocks. We follow the shortest applicable state-AG notification clock for affected users (as short as “without unreasonable delay” and “no later than 30 days” in some states; some states require specific AG notice). Specific state timelines are mapped in our IR runbook.
  • User notification. Users affected by a breach receive email notice as soon as the scope is confirmed, with a description of what happened, what data was involved, what we have done, and what they should do.
  • Post-incident review. Every P0/P1 incident results in a written post-mortem published internally and, where material, summarized publicly.

Reporting vulnerabilities

If you find a security issue, please report it to security@lucidity.today with a description, reproduction steps, and (if possible) the affected version or URL. We ask that you:

  • do not publicly disclose the issue until we have had a reasonable opportunity to fix it;
  • do not access or modify other users' data;
  • do not perform denial-of-service, social-engineering, or physical-security attacks; and
  • do not submit high-volume automated scans.

We commit to:

  • acknowledge receipt within 3 business days,
  • triage and respond with a plan within 10 business days,
  • credit researchers in our Hall of Thanks (with consent), and
  • not pursue legal action against good-faith security research conducted under this policy.

A formal coordinated-disclosure policy and (eventually) a paid bounty program are on our roadmap.