Loading0%
Security & Privacy

Security engineered into every layer

Security engineered into every layer

Lium is where experts hand their hardest data to AI. That only works if the platform earns their trust. So we built isolation, encryption, and sandboxing into the foundation — not bolted on after the fact.

Our principles

Trust is the product

Experts bring Lium their most sensitive, hard-won data. These are the commitments that make that possible.

Your data stays yours

We don't train models on your data. Your data, workflows, and models stay contained to your organization.

Isolated by design

Every organization is separated at multiple layers — from the API down to the database itself.

Encrypted everywhere

Data is encrypted in transit and at rest, from the browser to the database and every service in between.

Defense in depth

No single control is a single point of failure. Each layer assumes the one above it could fail.

How it works

Security at every layer

From the compute that runs your analysis to the database that holds your results, every layer is designed to contain, encrypt, and account for your data.

01
Runtime compute

Sandboxed, ephemeral compute

When Lium runs code to interpret your data, it runs in a disposable environment — created for a single job and destroyed the moment it finishes.

  • Code executes in ephemeral, containerized environments provisioned per job and torn down on completion.

  • Every execution is time-bounded, with enforced timeouts and automatic cleanup of the entire process tree.

  • Each run receives its own short-lived, scoped credentials — never long-lived platform keys.

  • Compute runs in an isolated network tier with no inbound access from the internet.

02
Multi-tenancy

Organization isolation at multiple levels

Separation between organizations isn't enforced in one place and trusted everywhere else. It's enforced at every level, so a mistake at one layer is caught by the next.

  • Every request is authenticated and bound to your organization, with membership verified on each call.

  • Row-level security in the core data platform scopes every query to your organization — cross-organization reads are blocked at the database, even if application code has a bug.

  • Role-based access (admin and member) plus per-workspace permissions govern who can read, write, and manage.

  • Break-glass suspension can isolate access instantly, without deleting or losing any data.

03
Encryption

Encryption in transit and at rest

Data is protected on the wire and on disk with strong, industry-standard encryption — end to end, at every hop.

  • All connections use TLS 1.2 and 1.3; database connections require SSL.

  • Data at rest is encrypted with AES-256 across databases, object storage, compute volumes, and audit logs.

  • Public traffic terminates at a managed gateway; internal services are never directly reachable from the internet.

  • Encryption is on by default for every data store — never an opt-in a team has to remember.

04
Developer ecosystem

Credentials and connections, handled carefully

Connecting Lium to your systems means trusting us with credentials. We treat every secret as if it were the only thing standing between an attacker and your data.

  • Connection credentials are sealed with envelope encryption: a unique key per credential, protected by a cloud key-management service and authenticated AES-256-GCM.

  • Wherever possible we broker short-lived, scoped access tokens instead of handing out your secrets — via OAuth, cloud STS, and service-account exchange.

  • Secrets are never written to logs; sensitive fields are automatically redacted before anything is recorded.

  • Sharing a connection exposes only its metadata — never the underlying credential.

05
Infrastructure

Hardened infrastructure and networks

The platform runs on a defensively designed cloud footprint: private by default, least-privilege throughout, and reproducible from code.

  • Databases live in private subnets with no public access; instance metadata is locked down to prevent credential theft.

  • Administrative access is brokered through an audited session manager — there are no standing SSH keys.

  • Application secrets live in a managed vault with least-privilege, environment-scoped access.

  • Infrastructure is defined as code, version-controlled, and reviewed before every change.

06
Auditability

Audit, monitoring, and resilience

Trust requires evidence. We keep tamper-evident records of what happens across the platform, and we design for recovery, not just prevention.

  • Infrastructure and API activity is captured in tamper-evident audit logs with defined retention.

  • Authentication events, database activity, and system metrics are continuously monitored.

  • Databases run with automated backups and high-availability failover across zones.

  • Environments are separated so development and testing never touch production data.

FAQs

No. We do not train models on customer data. Your data, the workflows you build, and the models you use stay contained to your organization and under your control.

Get in touch

General Inquiries

Support

Careers

Press

Ask anything, Lium answers.

Join the leaders accelerating insights with real-world data.