---
title: Security & Compliance | Lightfield
---

## SOC 2

Lightfield undergoes System and Organization Controls (SOC) 2 Type 2 audits of the design and operational effectiveness of our security and availability controls. You can request a copy of the latest SOC 2 report from our [Trust Center](https://app.vanta.com/c/tome.app/trust-center/view).

## HIPAA

Customers who need to store protected health information (PHI) in Lightfield may request a Business Associate Agreement (BAA). Under a BAA, Lightfield commits to compliance with HIPAA requirements for business associates that store and process PHI. [Contact us](mailto:support@lightfield.app) if you require a BAA or have further questions.

## Vulnerability Disclosure

We value input from the security community that helps us protect our customers’ data. If you discover a potential vulnerability, we want to hear about it.

### Focus Areas

We’re particularly interested in reports related to:

- Authentication bypass or privilege escalation
- Unauthorized access to data across workspace boundaries
- Injection attacks or remote code execution

### In Scope

- The Lightfield web application and supporting services
- The Lightfield API
- Lightfield client SDKs

### Out of Scope

- Automated scanning of any kind
- Social engineering, including phishing
- Denial of service attacks
- Attacks requiring physical access to a victim’s device
- Theoretical attacks without proof of exploitability
- Missing best practices in HTTP headers, cookies, TLS configuration, or DNS records on our marketing site

### How to Report

Send your findings to with the following details:

- A summary of the issue and its potential impact
- Steps to reproduce, including any tools used
- Proof-of-concept code, if available

Our team will investigate and keep you updated on progress. We may follow up for additional details.

### Responsible Conduct

We ask that researchers:

- Test only against their own accounts or with explicit permission from the account holder.
- Make a good-faith effort to avoid privacy violations, data destruction, or service disruption.
- Report the vulnerability to us before disclosing it publicly, and give us reasonable time to address it.
- Do not attempt to expand or elevate access beyond what is necessary to demonstrate the vulnerability.
- Comply with all applicable laws.

### Safe Harbor

Research conducted in good faith under this policy is considered authorized. We will not pursue legal action against you for activities consistent with these guidelines. If a third party initiates legal action related to your research, we will take steps to make it known that your actions were conducted in compliance with this policy.