Security
Effective June 23, 2026
Security is central to how Lane Compliance Systems is built. This page summarizes our posture and tells you how to report a vulnerability.
How the product protects data
- Client-side processing / zero document egress. The documents you review are parsed and analyzed entirely in your browser. They are never transmitted to or stored on our servers.
- Encryption in transit. All traffic is served over TLS, with HTTP Strict Transport Security (HSTS) enforced.
- Encryption at rest for secrets. Stored AI provider keys are encrypted with AES-256-GCM and are never returned to any browser — only a masked hint is ever shown.
- Hardening headers. A strict Content-Security-Policy, X-Content-Type-Options: nosniff, a restrictive Permissions-Policy, Referrer-Policy: no-referrer, frame protections, and cross-origin isolation headers are applied site-wide. The policy restricts the app’s network connections to its own origin; the only third-party origins it permits are api.anthropic.com and api.voyageai.com, and only so that a workspace that has turned on the optional AI judgment pass can send de-identified text directly to its own AI provider (Anthropic), or — if it enables optional semantic policy grounding — send a de-identified query directly to its embeddings provider (Voyage); your documents still never reach our servers.
- Access control. The owner console is credential-gated with constant-time comparison, and authentication endpoints are rate-limited to resist brute-force and abuse.
- Data minimization. We hold only the organization configuration and access-key map needed to run the service — no case documents, and no end-user passwords.
Responsible disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability, please email support@lcs-global.com (see also /.well-known/security.txt).
Please include:
- A clear description and the steps to reproduce.
- The affected URL or component and any relevant logs or screenshots.
- Your assessment of impact.
Our commitment
- We aim to acknowledge legitimate reports promptly and to keep you updated as we investigate.
- If you act in good faith under this policy (avoiding privacy violations, data destruction, and service disruption), we will not pursue or support legal action against you for your research.
- Please give us a reasonable opportunity to remediate before any public disclosure.
Out of scope: denial-of-service testing, social engineering, physical attacks, and testing against organizations' own uploaded content (which never reaches us). Do not access or modify data that is not yours.
Related
See our Privacy Policy for what we do and do not collect.
Lane Compliance Systems, a DBA of Lane Global Holdings LLC
This document is provided for transparency and does not itself constitute legal advice.