Security Policy
Last updated: April 1, 2026
Lucid Vault is a secure document sharing platform built for law firms and organizations that handle sensitive information. Security is fundamental to how we design, build, and operate the platform. This policy describes the security measures in place to protect your data.
1. Overview
Lucid Vault employs a defense-in-depth approach to security, combining encryption, access controls, infrastructure isolation, and monitoring to protect customer data. Every customer receives a dedicated, single-tenant instance, ensuring complete separation of data and infrastructure between organizations.
2. Encryption
Sensitive data is encrypted at rest using AES-256-GCM, an authenticated encryption mode that provides both confidentiality and integrity protection. All data in transit between clients and the server is protected by TLS 1.3, which protects communications against eavesdropping and tampering in transit.
3. Authentication and Access Control
Lucid Vault uses stateless JWT (JSON Web Token) authentication with short-lived access tokens and automatic session expiration.
Password Security
- Minimum password length of 12 characters, with complexity requirements
- Passwords are hashed using bcrypt with a cost factor of 12 and a unique salt per password
- Plaintext passwords are never stored or logged
Account Lockout
- Accounts are locked after 10 consecutive failed login attempts
- Lockout duration is 30 minutes
- Failed login attempts are logged for audit purposes
Single Sign-On
Lucid Vault supports enterprise single sign-on (SSO) via any OIDC-compliant identity provider, including Azure AD, Okta, Google, OneLogin, and Auth0. SSO is available on all plans.
4. Infrastructure Security
- Single-Tenant Isolation: Every customer receives their own dedicated instance. No shared databases, no co-mingled data, and no cross-tenant access.
- Containerized Deployments: Each instance runs in Docker containers with a minimal attack surface and consistent, reproducible environments.
- Automated SSL: TLS/SSL certificates are automatically provisioned and renewed via Let's Encrypt for all custom domains.
- Security Headers: The application uses Helmet to set strict security headers including Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, and HTTP Strict Transport Security (HSTS).
5. File Security
Lucid Vault enforces strict controls on file uploads to prevent malicious content:
- File Type Whitelist: Only approved file types are accepted: PDF, DOCX, XLSX, DOC, XLS, CSV, and ZIP.
- Magic Byte Detection: Files are validated using magic byte (file signature) detection to prevent file type spoofing, regardless of the file extension provided.
- File Size Limit: Maximum file size is 100MB per file.
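As an added example (not Lucid Vault's own code), the check below shows what magic-byte validation can and cannot establish for the file types on this whitelist: the signature proves the container, DOCX/XLSX need a further look inside the ZIP, and CSV has no signature at all. validateUpload and the helper names are assumed.

```javascript
// Added example (not Lucid Vault's own code): signature checks behind the file
// whitelist above. validateUpload(filename, buffer) is an assumed API name.
const ALLOWED = new Set(['pdf', 'docx', 'xlsx', 'doc', 'xls', 'csv', 'zip']);
const MAX_BYTES = 100 * 1024 * 1024; // the 100MB limit stated in the policy
// Signature bytes only prove the container: DOCX/XLSX are ZIP archives,
// DOC/XLS are OLE2 compound files, and CSV has no signature at all.
const CONTAINER_FOR = { pdf: 'pdf', docx: 'zip', xlsx: 'zip', zip: 'zip',
                        doc: 'ole2', xls: 'ole2', csv: 'text' };
const SIGNATURES = [
  { container: 'pdf', bytes: Buffer.from('%PDF-') },
  { container: 'zip', bytes: Buffer.from([0x50, 0x4b, 0x03, 0x04]) },
  { container: 'ole2', bytes: Buffer.from([0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1]) },
];
function detectContainer(buf) {
  for (const s of SIGNATURES) {
    if (buf.subarray(0, s.bytes.length).equals(s.bytes)) return s.container;
  }
  // CSV fallback: accept only NUL-free bytes that decode as strict UTF-8.
  // This proves "text", not "CSV"; no stronger signature check exists.
  try {
    if (buf.length > 0 && !buf.includes(0)) {
      new TextDecoder('utf-8', { fatal: true }).decode(buf);
      return 'text';
    }
  } catch (_) { /* invalid UTF-8: fall through to unknown */ }
  return 'unknown';
}
// Heuristic for ZIP containers: an Office Open XML package carries a
// [Content_Types].xml part plus word/ (DOCX) or xl/ (XLSX) entries.
// Production code should parse the ZIP central directory, not scan bytes.
function ooxmlKind(buf) {
  if (!buf.includes('[Content_Types].xml')) return 'zip';
  if (buf.includes('word/')) return 'docx';
  if (buf.includes('xl/')) return 'xlsx';
  return 'zip';
}
function validateUpload(filename, buf) {
  const ext = filename.includes('.') ? filename.split('.').pop().toLowerCase() : '';
  if (!ALLOWED.has(ext)) return { ok: false, reason: `extension not allowed: ${ext || '(none)'}` };
  if (buf.length > MAX_BYTES) return { ok: false, reason: 'file exceeds 100MB' };
  const container = detectContainer(buf);
  if (container !== CONTAINER_FOR[ext]) {
    return { ok: false, reason: `content is ${container}, expected ${CONTAINER_FOR[ext]} for .${ext}` };
  }
  // A .docx/.xlsx must really be that package; a plain .zip may hold anything.
  if (container === 'zip' && ext !== 'zip' && ooxmlKind(buf) !== ext) {
    return { ok: false, reason: `ZIP content does not look like a .${ext} package` };
  }
  return { ok: true, reason: container };
}
```

Note that DOC and XLS share the same OLE2 signature, so telling them apart needs the compound file's directory (a WordDocument versus Workbook stream), which this check does not parse.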
6. Rate Limiting
Rate limiting is applied to authentication endpoints to prevent brute-force attacks. Repeated failed login attempts trigger automatic account lockout, protecting accounts from unauthorized access attempts.
7. Audit Logging
All user actions within Lucid Vault are logged for compliance and security visibility, including:
- User logins and authentication events
- File uploads, downloads, and sharing operations
- Administrative actions such as user management and settings changes
- Permission changes and role assignments
Audit logs are retained for 1 year and are accessible to administrators for compliance reporting.
8. Incident Response
In the event of a security incident affecting customer data:
- We will notify affected customers within 72 hours of becoming aware of a breach
- Notification will include the nature of the incident, the data affected, and the measures taken to address it
- We will notify relevant supervisory authorities as required by applicable law
- We will provide ongoing updates as our investigation progresses
9. Responsible Disclosure
We welcome reports of security vulnerabilities from security researchers and the public. If you discover a potential security issue in Lucid Vault, please report it responsibly by contacting us at davidsoden.com. We ask that you:
- Provide sufficient detail for us to reproduce and verify the issue
- Allow reasonable time for us to address the vulnerability before public disclosure
- Do not access, modify, or delete data belonging to other users
10. Third-Party Services
Lucid Vault integrates with the following third-party services:
- Stripe: Payment processing and subscription management. Stripe is PCI DSS Level 1 certified. We do not store full credit card numbers on our servers.
- Cloud Storage Providers: Customers may configure external storage connections to Amazon S3, Azure Blob Storage, Google Cloud Storage, SharePoint, or other supported providers. These connections are configured and managed by the customer.