Security and compliance

March 28, 2026

Lattica is built for teams that handle real work. This page covers what we do to keep your data safe and which compliance frameworks we operate under.

Certifications and compliance frameworks

  • SOC 2 Type II — annual audit by an independent CPA firm. Report available under NDA from your account manager (Business and Enterprise plans).
  • ISO 27001 — certified, audited annually.
  • GDPR — EU data subjects’ rights supported. Data Processing Agreement (DPA) available on request.
  • CCPA — California Consumer Privacy Act compliance for US workspaces.
  • HIPAA — Business Associate Agreement (BAA) available for Enterprise customers handling protected health information.

Encryption

  • In transit — TLS 1.3 with modern ciphers; HSTS preload; older TLS versions disabled.
  • At rest — AES-256 for database storage and object storage. Keys managed in a dedicated KMS, rotated automatically every 90 days.
  • Backups — encrypted with separate keys, stored in a different region from production.
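A way to verify the transport claims above from the outside, added here as an example rather than Lattica's own tooling: it checks a Strict-Transport-Security header against the preload list requirements (max-age of at least one year, includeSubDomains, and the preload directive) and, given a host name on the command line, probes which TLS versions the server will negotiate. The header values in the block are constructed, and the host is whatever you pass in.

```python
"""Outside-in checks for the transport claims above: HSTS preload eligibility
and TLS version policy. Added example, not Lattica's code."""
import socket
import ssl
import sys

# hstspreload.org requirements: max-age of at least one year, includeSubDomains,
# and the preload directive must all be present.
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed sample header values; not captured from lattica.app.
GOOD_HSTS = "max-age=63072000; includeSubDomains; preload"
WEAK_HSTS = "max-age=86400"


def parse_hsts(header):
    """Split a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive (RFC 6797), so they are lowercased."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_problems(header):
    """Return the reasons a header fails preload requirements; [] means eligible."""
    d = parse_hsts(header)
    problems = []
    if not d.get("max-age", "").isdigit():
        problems.append("max-age missing or not a non-negative integer")
    elif int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {d['max-age']} is below {PRELOAD_MIN_MAX_AGE} (one year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def negotiated_tls_version(host, port=443,
                           minimum=ssl.TLSVersion.TLSv1_3,
                           maximum=ssl.TLSVersion.MAXIMUM_SUPPORTED):
    """Handshake with host inside a pinned protocol window and return the version
    string the server negotiated (e.g. 'TLSv1.3'), or None if it refused.
    Needs network access; not exercised offline."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    print("good header:", hsts_problems(GOOD_HSTS))
    print("weak header:", hsts_problems(WEAK_HSTS))
    if len(sys.argv) > 1:
        host = sys.argv[1]  # assumption: any host you want to probe
        print("TLS 1.3 negotiated:", negotiated_tls_version(host))
        # If older versions really are disabled, this second probe returns None.
        print("TLS 1.2 accepted:", negotiated_tls_version(
            host, minimum=ssl.TLSVersion.TLSv1_2, maximum=ssl.TLSVersion.TLSv1_2))
```

Run it with a host name to get both probes; a server that only negotiates inside the TLS 1.3 window and refuses the TLS 1.2-only window matches the "older TLS versions disabled" claim. The HSTS check needs the header from a real response; the preload list additionally requires that the redirect chain and every subdomain serve the policy, which a single header cannot prove.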

Data residency

Workspaces default to US data residency. Enterprise customers can choose EU (Frankfurt), Australia (Sydney), or Canada (Toronto). Once chosen, residency cannot be changed without a full export and re-import — pick deliberately.

Access control inside Lattica

  • Role-based access — Member, Guest, Admin (see Inviting your team).
  • Project visibility — Private, Team, Workspace.
  • Audit log — every admin action and security-relevant event, retained for 1 year on Business, indefinitely on Enterprise.

Vulnerability disclosure

We run a private bug bounty program through HackerOne. Researchers can also email security@lattica.app with PGP-encrypted reports; our PGP key is referenced from lattica.app/.well-known/security.txt (RFC 9116). Critical issues get a first response the same day; everything else within three business days.
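A parser and sanity checker for the security.txt format referenced above (RFC 9116), added here as an example; it is not Lattica's file or tooling, and everything in the sample, including the HackerOne and key URLs, is constructed. It enforces the points that trip up both researchers and owners: Contact and Expires are mandatory, Expires must be a timezone-qualified RFC 3339 timestamp that has not passed and is not more than a year out, and Encryption must be a URI to the key rather than the key itself.

```python
"""Parser and sanity checks for an RFC 9116 security.txt. Added example, not
Lattica's file; everything in SAMPLE is constructed."""
from datetime import datetime, timedelta, timezone

REQUIRED = ("contact", "expires")                   # RFC 9116: both MUST be present
SINGLE_VALUED = ("expires", "preferred-languages")  # MUST NOT appear more than once
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")   # the three contact forms the RFC names
KEY_SCHEMES = ("https://", "dns:", "openpgp4fpr:")  # Encryption points at a key, never contains one

# Constructed sample, not fetched from lattica.app; the HackerOne and key URLs are assumptions.
SAMPLE = """\
# Security contacts (constructed example)
Contact: mailto:security@lattica.app
Contact: https://hackerone.com/lattica
Encryption: https://lattica.app/pgp-key.txt
Expires: 2026-12-31T23:59:59Z
Policy: https://lattica.app/security
"""


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp into an aware datetime; raise ValueError if it
    is malformed or lacks a UTC offset (the RFC requires one)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("missing UTC offset")
    return dt


def parse_security_txt(text):
    """Return {field (lowercased): [values]}; comments and blank lines are skipped
    and lines without a colon are collected under '_malformed'."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            fields.setdefault("_malformed", []).append(raw)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems a researcher (or the file's owner) should know
    about; [] means the file is well formed and current. `now` may be an aware
    datetime or an RFC 3339 string so expiry logic can be tested on a fixed clock."""
    if isinstance(now, str):
        now = parse_rfc3339(now)
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems = [f"malformed line: {ln!r}" for ln in f.get("_malformed", [])]
    for name in REQUIRED:
        if name not in f:
            problems.append(f"missing required field {name}")
    for name in SINGLE_VALUED:
        if len(f.get(name, [])) > 1:
            problems.append(f"{name} appears more than once")
    for c in f.get("contact", []):
        if not c.startswith(CONTACT_SCHEMES):
            problems.append(f"contact is not a mailto:/https://tel: URI: {c}")
    for e in f.get("encryption", []):
        if not e.startswith(KEY_SCHEMES):
            problems.append(f"encryption must be a URI to the key, not the key itself: {e[:40]}")
    for expires in f.get("expires", [])[:1]:
        try:
            exp = parse_rfc3339(expires)
        except ValueError:
            problems.append(f"expires is not an RFC 3339 timestamp: {expires}")
            continue
        if exp <= now:
            problems.append("file has expired")
        elif exp > now + timedelta(days=365):
            problems.append("expires is more than a year out (RFC 9116 recommends under a year)")
    return problems


if __name__ == "__main__":
    for p in check_security_txt(SAMPLE) or ["no problems found"]:
        print(p)
```

Before encrypting a report to a key found this way, fetch the key from the Encryption URI over HTTPS and compare its fingerprint with what the vendor publishes elsewhere; an expired or stale security.txt is a signal to confirm the contact channel first.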

Incident response

If we detect a security incident affecting customer data, we notify affected customers within 72 hours of detection (or sooner where law or contract requires). Live status is published at status.lattica.app. After any incident with customer impact we publish a public root-cause analysis (RCA) within 14 days.

Penetration testing

External penetration tests run quarterly, by a different vendor each year. The most recent report (executive summary) is shareable under NDA.