Security
Last updated: March 12, 2026
At LabStream, security is foundational to everything we build. Our platform handles sensitive laboratory and healthcare data, and we take that responsibility seriously. This page outlines our security practices, compliance posture, and commitments to protecting your data.
Infrastructure Security
Cloud Hosting
LabStream is hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certification. Our infrastructure is deployed across multiple availability zones for high availability and disaster resilience.
Network Security
- All traffic is encrypted in transit using TLS 1.2 or higher
- Web Application Firewall (WAF) protection against common attack vectors
- DDoS mitigation at the network and application layers
- Network segmentation isolating production, staging, and development environments
- Regular vulnerability scanning and penetration testing
Data Encryption
- In Transit: TLS 1.2+ for all API calls and data transfers
- At Rest: AES-256 encryption for all stored data, including database records, file storage, and backups
- Key Management: Encryption keys are managed through a dedicated key management service with automatic rotation
Application Security
Authentication and Access Control
- Multi-factor authentication (MFA) support for all user accounts
- Role-based access control (RBAC) with granular permissions
- SSO integration via SAML 2.0 and OpenID Connect
- Session management with automatic timeouts and secure token handling
- Brute-force protection and account lockout policies
Secure Development
- Secure development lifecycle (SDLC) with security reviews at each stage
- Automated static code analysis and dependency vulnerability scanning
- Code review requirements for all changes, with security-focused reviewers
- Regular third-party security assessments and penetration tests
- Responsible disclosure program for security researchers
Data Isolation
Each customer's data is logically isolated at the database level. Row-level security policies enforce strict tenant separation, ensuring no cross-organization data access. All queries are scoped to the authenticated organization context.
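The row-level security pattern described above, shown as an added PostgreSQL example (this is illustrative code, not LabStream's schema or implementation). It assumes a hypothetical table `samples` with an `org_id` column, an application role `labstream_app` that the API connects as, and a per-transaction setting `app.current_org` that the API populates from the authenticated session:

```sql
-- Added example (not LabStream's schema): PostgreSQL row-level security (RLS)
-- enforcing tenant separation. Names below are hypothetical.
CREATE ROLE labstream_app;

CREATE TABLE samples (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    label   text NOT NULL,
    result  text
);

-- Enable RLS and FORCE it so that even the table owner is subject to the policy.
ALTER TABLE samples ENABLE ROW LEVEL SECURITY;
ALTER TABLE samples FORCE ROW LEVEL SECURITY;

-- Rows are visible (USING) and writable (WITH CHECK) only when they belong to
-- the organization bound to the session setting app.current_org.
-- current_setting(..., true) returns NULL when the setting is absent; a
-- comparison with NULL is never true, so an unscoped session sees and writes
-- zero rows. The policy fails closed rather than open.
CREATE POLICY tenant_isolation ON samples
    FOR ALL
    TO labstream_app
    USING      (org_id = current_setting('app.current_org', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org', true)::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON samples TO labstream_app;
GRANT USAGE, SELECT ON SEQUENCE samples_id_seq TO labstream_app;

-- Per request, the API binds the authenticated organization to the transaction.
-- SET LOCAL (not SET) scopes the value to this transaction only, so it cannot
-- leak to the next request that reuses the same pooled connection.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, label FROM samples;   -- returns only this organization's rows
COMMIT;

-- A write that names a different organization is rejected by WITH CHECK
-- ("new row violates row-level security policy"), even though the SQL itself
-- is well-formed. Run in its own transaction so the error rolls back cleanly.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
INSERT INTO samples (org_id, label)
    VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant attempt');
ROLLBACK;
```

Two points worth checking in any deployment of this pattern: that `FORCE ROW LEVEL SECURITY` is set (otherwise the table owner bypasses the policy), and that the API uses `SET LOCAL` inside a transaction, since a plain `SET` on a pooled connection persists past the request that issued it.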
Compliance
HIPAA
LabStream is designed to meet HIPAA requirements for handling Protected Health Information (PHI). We execute Business Associate Agreements (BAAs) with covered entities and implement the required administrative, physical, and technical safeguards outlined in the HIPAA Security Rule.
SOC 2
Our infrastructure and processes are designed to meet SOC 2 Type II criteria for security, availability, and confidentiality. We undergo regular third-party audits to validate our controls.
Data Residency
Customer data is stored in the United States by default. If you have specific data residency requirements, contact us to discuss available options.
Operational Security
Monitoring and Incident Response
- 24/7 infrastructure monitoring with automated alerting
- Centralized log management and security information and event management (SIEM)
- Documented incident response plan with defined severity levels and escalation procedures
- Post-incident reviews and root cause analysis for all security events
- Customer notification within 72 hours for any breach affecting your data
Backup and Recovery
- Automated daily backups with point-in-time recovery capability
- Backups are encrypted and stored in geographically separate locations
- Regular backup restoration testing to validate recoverability
- Recovery Time Objective (RTO) of 4 hours, Recovery Point Objective (RPO) of 1 hour
Access Management
- Principle of least privilege for all employee access to production systems
- Just-in-time access provisioning for elevated permissions
- Quarterly access reviews and prompt deprovisioning upon role changes
- All production access is logged and auditable
Audit Logging
All write operations within the LabStream platform are logged in an append-only audit trail. Audit records capture who performed the action, what changed (including previous and new values), when the action occurred, and which resource was affected. Audit logs are retained according to your service agreement and applicable regulatory requirements.
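An added example of the audit-trail shape described above, implemented as a PostgreSQL trigger (illustrative code, not LabStream's implementation). It assumes a hypothetical table `samples`, an application role `labstream_app`, and a per-transaction setting `app.actor` that the API populates with the authenticated user:

```sql
-- Added example (not LabStream's implementation): an append-only audit trail
-- capturing who, what (old and new values), when, and which resource.
CREATE ROLE labstream_app;

CREATE TABLE samples (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    label   text NOT NULL,
    result  text
);

CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),  -- when
    actor       text NOT NULL,                       -- who
    table_name  text NOT NULL,                       -- which resource
    row_id      bigint NOT NULL,
    operation   text NOT NULL,                       -- INSERT / UPDATE / DELETE
    old_row     jsonb,                               -- previous values (NULL on INSERT)
    new_row     jsonb                                -- new values (NULL on DELETE)
);

-- SECURITY DEFINER: the function runs with its owner's privileges, so the
-- application role never needs INSERT on audit_log and cannot write arbitrary
-- audit rows directly. search_path is pinned so the function cannot be
-- redirected to attacker-controlled objects of the same name.
CREATE FUNCTION record_audit() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, public
AS $$
DECLARE
    actor_name text := current_setting('app.actor', true);
BEGIN
    -- Refuse an unattributed write rather than logging 'unknown'.
    IF actor_name IS NULL OR actor_name = '' THEN
        RAISE EXCEPTION 'app.actor is not set; refusing unattributed write';
    END IF;

    INSERT INTO audit_log (actor, table_name, row_id, operation, old_row, new_row)
    VALUES (
        actor_name,
        TG_TABLE_NAME,
        CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END,
        TG_OP,
        CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
        CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
    );
    RETURN NULL;  -- return value is ignored for AFTER row triggers
END;
$$;

CREATE TRIGGER samples_audit
    AFTER INSERT OR UPDATE OR DELETE ON samples
    FOR EACH ROW EXECUTE FUNCTION record_audit();

-- Append-only: the application may read the trail but holds no UPDATE,
-- DELETE or TRUNCATE privilege on it.
GRANT SELECT, INSERT, UPDATE, DELETE ON samples TO labstream_app;
GRANT USAGE, SELECT ON SEQUENCE samples_id_seq TO labstream_app;
GRANT SELECT ON audit_log TO labstream_app;

-- Per request the API binds the actor, then writes normally; the trigger does
-- the rest. SET LOCAL keeps the value from leaking across pooled connections.
BEGIN;
SET LOCAL app.actor = 'alice@example.org';  -- constructed value
INSERT INTO samples (org_id, label)
    VALUES ('11111111-1111-1111-1111-111111111111', 'specimen A');
UPDATE samples SET result = 'negative' WHERE label = 'specimen A';
COMMIT;

-- Reviewing the trail: one INSERT row (old_row NULL) and one UPDATE row whose
-- old_row and new_row differ only in "result".
SELECT occurred_at, actor, operation, row_id, old_row, new_row
FROM audit_log
WHERE table_name = 'samples'
ORDER BY id;
```

The check a reviewer would add to this design is that nothing in the application's role chain can modify `audit_log`, and that the trigger cannot be disabled by the application role (`ALTER TABLE ... DISABLE TRIGGER` requires table ownership, which the application role does not hold here).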
Employee Security
- Background checks for all employees with access to production systems
- Mandatory security awareness training during onboarding and annually
- Confidentiality and non-disclosure agreements for all team members
- Endpoint security with managed devices, disk encryption, and remote wipe capability
Vendor Security
We evaluate the security posture of all third-party vendors and subprocessors before engagement. Vendors with access to customer data are contractually bound to meet our security and privacy standards. We maintain an up-to-date list of subprocessors and notify customers of changes.
Reporting a Vulnerability
We value the security community and welcome responsible disclosure of vulnerabilities. If you discover a security issue, please report it to:
Email: security@labstream.ai
We commit to acknowledging your report within 24 hours and providing an initial assessment within 72 hours. We will not take legal action against researchers who discover and report vulnerabilities in good faith.
Contact Us
For security questions or to request our latest security documentation, contact us at:
LabStream, Inc.
Email: security@labstream.ai
Website: labstream.ai