Security & Compliance
Lightfield undergoes System and Organization Controls (SOC) 2 Type 2 audits. A Type 2 audit assesses both the design of our security and availability controls and their operating effectiveness over the audit period, not only at a single point in time.
You can request a copy of the latest SOC 2 report from our Trust Center.
Customers who need to store protected health information (PHI) in Lightfield may request a Business Associate Agreement (BAA). Under a BAA, Lightfield commits to compliance with HIPAA requirements for business associates that store and process PHI.
Contact us if you require a BAA or have further questions.
Vulnerability Disclosure
We value input from the security community that helps us protect our customers’ data. If you discover a potential vulnerability, we want to hear about it.
Focus Areas
We’re particularly interested in reports related to:
- Authentication bypass or privilege escalation
- Unauthorized access to data across workspace boundaries
- Injection attacks or remote code execution
In Scope
- The Lightfield web application and supporting services
- The Lightfield API
- Lightfield client SDKs
Out of Scope
- Automated scanning of any kind
- Social engineering, including phishing
- Denial of service attacks
- Attacks requiring physical access to a victim’s device
- Theoretical attacks without proof of exploitability
- Missing best practices in HTTP headers, cookies, TLS configuration, or DNS records on our marketing site
How to Report
Send your findings to security@lightfield.app with the following details:
- A summary of the issue and its potential impact
- Steps to reproduce, including any tools used
- Proof-of-concept code, if available
Our team will investigate the report and keep you updated on its progress. We may follow up with you for additional details.
Responsible Conduct
We ask that researchers:
- Test only against their own accounts or with explicit permission from the account holder.
- Make a good-faith effort to avoid privacy violations, data destruction, or service disruption.
- Report the vulnerability to us before disclosing it publicly, and give us reasonable time to address it.
- Refrain from expanding or elevating access beyond what is necessary to demonstrate the vulnerability.
- Comply with all applicable laws.
Safe Harbor
Research conducted in good faith under this policy is considered authorized. We will not pursue legal action against you for activities consistent with these guidelines. If a third party initiates legal action related to your research, we will take steps to make it known that your actions were conducted in compliance with this policy.