Security & Confidentiality

Last updated: April 2026

Protecting the information you share with us is a core responsibility, not an afterthought. This page describes our security approach, the infrastructure we rely on, how we handle client confidentiality, and what to do if you discover a security issue.

This page describes our general security practices. It is not a formal security audit report or compliance attestation. For specific compliance questions relevant to your industry, contact us directly.

1. Our Approach to Security

We apply a layered security approach across the services we operate and the third-party infrastructure we rely on. Our principles:

• Minimize what we store: We collect and retain only the information necessary to provide the services you have requested. We do not accumulate data speculatively.
• Rely on purpose-built infrastructure: Rather than build security-sensitive systems from scratch, we leverage established providers (Cloudflare, Anthropic, Stripe, Railway) who operate mature, audited security programs.
• Isolate user data: We design our systems so that one user’s data cannot be accessed by or bleed into another user’s sessions or records.
• Keep access tight: Internal access to client data is limited to those who need it to deliver services. We do not have open internal access to conversation data or client business information as a matter of routine.

2. Encryption

In Transit

All data transmitted between your browser and our platform is encrypted using TLS (Transport Layer Security). We enforce HTTPS across the site — unencrypted HTTP connections are redirected. This means that your form submissions, LYRA conversation inputs, and any other information you send or receive through our platform are encrypted in transit.

Communications between our platform and third-party APIs (Anthropic, Stripe) also occur over encrypted connections.

At Rest

Data stored through our hosting infrastructure is encrypted at rest where supported by our providers. Stripe encrypts payment data at rest as a matter of their standard compliance (PCI DSS). Cloudflare and Railway encrypt stored data at rest as part of their infrastructure standards.

3. Access Controls

Access to internal systems, client data, and administrative interfaces is restricted by role and necessity:

• Team members do not have routine access to LYRA conversation logs; access for debugging or quality review is limited and logged
• Administrative access to hosting and API systems requires strong authentication
• Third-party service access is scoped to what is necessary for each provider’s function (e.g., Stripe only receives payment-related data)
• API keys and credentials are stored in environment variables and secrets management systems, not in source code

4. Third-Party Services and Their Security Standards

Several third-party providers are integral to our platform. Each operates under security standards appropriate to their function:

Cloudflare

Our site is delivered through Cloudflare’s global network, which provides DDoS protection, TLS termination, and CDN performance. Cloudflare holds SOC 2 Type II certification and ISO 27001 certification. Their security posture is among the strongest in the industry for web infrastructure providers.

Anthropic

LYRA’s AI processing is handled by Anthropic’s API. Anthropic operates with enterprise-grade security controls appropriate for AI API infrastructure. Our commercial API agreement with Anthropic includes data use commitments that restrict how API data may be used. Anthropic publishes their security and trust documentation on their website for independent review.

Stripe

Payment processing is handled by Stripe, which is PCI DSS Level 1 certified — the highest level of payment card industry compliance. We do not handle, store, or transmit raw payment card data. All cardholder data is handled exclusively by Stripe.

Railway

Our application hosting is provided by Railway, a cloud infrastructure platform with appropriate security controls for web application hosting. Railway operates on major cloud providers and applies standard infrastructure security practices.

5. Memory Isolation Architecture

One of our most important security design choices is how we handle LYRA’s session data. Our architecture is designed to prevent cross-user data exposure:

• Per-user session isolation: Each LYRA session is treated as an independent, isolated context. Session data for one user is not accessible to another user at any point during or after a session.
• No shared memory pool: LYRA does not maintain a persistent memory system that aggregates information across users. There is no shared knowledge base built from user conversations that could expose one user’s information to another’s session.
• No cross-user information leakage: Our AI configuration is designed so that LYRA cannot retrieve, reference, or reveal information from any other user’s sessions. Each context window is populated only with data relevant to the current user’s session.
• Session termination: When a session ends, in-session context is cleared and is not carried forward to future sessions (unless a persistent memory feature is explicitly offered and opted into).

6. Confidentiality of Client Information

Business information you share with us — whether through LYRA, our contact forms, or during a diagnostic session — is treated with discretion. Specifically:

• We do not share client business details, workflow descriptions, or operational information with third parties except as necessary to provide the services you have engaged (see our Privacy Policy)
• Team members who have access to client information are expected to maintain confidentiality as a condition of their role
• Diagnostic findings and implementation work product are treated as client-specific and confidential — not used to build generic frameworks, case studies, or marketing materials without explicit permission

If you require a formal Non-Disclosure Agreement (NDA) before sharing sensitive business information, contact us at legal@launchyourai.com before beginning an engagement.

7. Incident Response

In the event of a security incident affecting your data, we will:

• Investigate promptly to determine the nature and scope of the incident
• Contain the incident and mitigate further exposure as quickly as possible
• Notify affected individuals in a timely manner, consistent with applicable legal requirements
• Take steps to prevent recurrence
• Document the incident and our response for internal review and, where applicable, regulatory purposes

We will not delay notification unnecessarily in order to minimize reputational impact. Our obligation to affected clients and users takes priority.

8. Responsible Disclosure

If you discover a potential security vulnerability in our platform, we ask that you report it to us responsibly before making it public. Responsible disclosure gives us the opportunity to investigate and remediate before a vulnerability can be exploited.

To report a security issue:

• Email legal@launchyourai.com with the subject line “Security Vulnerability Report”
• Include a clear description of the issue, steps to reproduce it, and your contact information
• Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability
• Do not disclose the issue publicly until we have had a reasonable opportunity to address it

We will acknowledge receipt of your report within 5 business days and will keep you informed of our progress. We appreciate researchers and users who help us maintain a secure platform.

9. Contact

For security-related questions or to report an issue:

LaunchYourAI — Security
Email: legal@launchyourai.com
Visit: Legal & Privacy Contact