LIVE ⚡ AI — Security & Compliance

Your data powers every conversation, so we treat it like gold‐plated PHI.

Below you'll find the technical and organisational controls that keep LIVE AI safe, resilient and HIPAA-ready.

Security & Data Protection

Looking for our data-collection practices or your privacy rights?
See our Privacy Policy for the what & why of personal data.
This page focuses on the how.

1. Data & Information
Control | Details
Encryption at Rest | All customer & PHI data stored in production is encrypted with AES-256 (AWS KMS-managed keys).
Encryption in Transit | TLS 1.2+ everywhere; HSTS enforced. Qualys SSL Labs grade: A.
Back-ups | Continuous point-in-time snapshots + daily full backups, retained 7 days (prod) & 30 days (audit logs).
Password Hashing | No plaintext passwords. Auth0 hashes & salts with bcrypt and is ISO 27001 + HIPAA aligned.
Data Residency | All primary and fail-over regions are US-East / US-West. Data never leaves the USA.
Payments | We never store card numbers. Billing runs through Stripe (PCI-DSS Level 1).
SSO / Identity | OIDC / OAuth 2.0 and SAML 2.0 via Auth0.
Data-Retention & Purge Timers
• Chat transcripts: 180 days (default)
• Uploaded content & embeddings: Life-of-contract or on written request
• Audit & access logs: 7 years (HIPAA §164.316)
Retention periods mirror §5 of our Terms of Service and Exhibit A of our BAA. At contract end we destroy or return PHI and issue a certificate of destruction within 30 days.
2. Infrastructure
Cloud platform: Amazon Web Services (HIPAA-eligible services only).
Firewalls & Network Segmentation: AWS WAF, Security Groups, VPC flow logs.
Patching: Automated OS & container patch pipeline; critical CVEs patched ≤ 48 h.
Real-time Monitoring: CloudWatch, AWS GuardDuty, HostedScan (24 × 7 alerts).
Logging: Every action, API call, and admin change is logged with immutable write-once storage; logs retained 7 years.
Disaster Recovery: Hot-standby region; RPO ≤ 5 min, RTO ≤ 1 h. Quarterly fail-over tests.
Pen-testing: Independent third-party test twice per year; summary report available under NDA.
Change Management: GitHub + semantic versioning; blue/green deploys; mandatory code review & CI security scans.
Status & Uptime: Real-time monitoring with 24/7 alerting. For uptime reports or status inquiries, contact support@liveai.co.
3. Incident Response
Report security issues to security@liveai.co (PGP key available on request).
SLA: initial response within 4 business hours; HIPAA breach notification ≤ 10 business days.
Post-incident reviews are shared with affected customers.
4. Vendors & Sub-processors

We sign BAAs with every vendor that might touch PHI.

Current list (always updated ≥ 30 days before changes):

Vendor | Purpose | BAA | Region
AWS | Hosting & storage | Yes | USA
Auth0 | Identity & SSO | Yes | USA
Stripe | Payments (no PHI) | N/A (PCI-DSS) | USA
OpenAI | LLM inference (limited prompts, no PHI) | No PHI sent | USA

Full JSON feed: liveai.co/legal/sub-processors.json.

5. People & Access
Least-Privilege & RBAC: Roles (SUPERADMIN, ADMIN, STAFF) scoped via JWT.
MFA: Mandatory for 100% of staff & contractors.
Secure Devices: MDM-enrolled; disk encryption, antivirus, OS auto-updates.
Background Checks & NDA: Completed before system access is granted.
Annual Training: HIPAA, Security Awareness, and Incident Escalation refreshers.
6. Compliance Frameworks
Standard | Status
HIPAA | Administrative, Physical & Technical safeguards implemented (§164.308-312).
BAA | Business Associate Agreements available on a case-by-case basis for qualifying healthcare entities and covered entities as required.
SOC 2 | Type II audit in progress (expected Q4 2025).
GDPR | DPA & SCCs available.
7. Frequently Asked Questions

Q: Do you use my data to train public models?

A: Never. Customer data is siloed and excluded from any upstream LLM training.

Q: Where can I see uptime?

A: For uptime reports and status inquiries, contact support@liveai.co.

Q: How do I exercise my privacy rights?

A: Visit our Privacy Policy - Section 8 explains access, deletion and portability.

Last updated · 14 July 2025

(Changes & history are tracked in Git.)

Questions? — email security@liveai.co and we'll be right back