Articles on: Compliance & security

Security and data handling

Security and data handling


Lido handles sensitive documents — invoices, contracts, medical records, financial statements. This article covers how Lido protects your data, what compliance certifications we hold, retention policies, and how to make Lido fit your organization's security requirements.



At a glance


Topic

Where Lido stands

SOC 2 Type II

Yes

HIPAA

Yes, with a signed Business Associate Agreement (BAA), available on Enterprise

GDPR

Yes — data processing aligned with GDPR; DPA available

Encryption in transit

TLS 1.2+ for all connections

Encryption at rest

AES-256

Document retention

Original uploaded documents deleted within 23 hours of processing (default)

AI training on customer data

Never. Customer documents and extracted data are not used to train any AI model

Hosting

Major cloud provider, US regions

SSO (SAML)

Available on Enterprise

Audit logs

Available on Enterprise



Document retention: the 23-hour rule


When you upload or send a document to Lido for processing:


  1. Lido processes the document (extraction, OCR, etc.).
  2. Extracted structured data is saved to your spreadsheet/table.
  3. The original file is deleted from Lido's processing storage within 23 hours.


The extracted data in your sheet stays as long as you want it. Only the source file is purged.


Why this matters:


  • Smaller blast radius if anything were ever compromised.
  • Less data to manage in compliance reviews.
  • Aligns with HIPAA "minimum necessary" principles.


Custom retention windows (longer or shorter) are available on Enterprise plans. If your compliance program requires immediate deletion or a 7-day window for reprocessing, ask sales.



How AI calls handle your data


Lido's AI extraction, AI columns, and AI formulas are powered by enterprise-grade third-party LLM providers under strict data-handling contracts.


  • Document content sent to providers is governed by enterprise zero-retention agreements: providers do not retain prompts/responses past processing, and they do not train on your data.
  • For HIPAA workloads, the providers in our BAA chain are configured to meet HIPAA requirements.
  • Our specific provider and model selection is considered confidential and is not published publicly; the contractual data terms are equivalent across the providers we use.


If your security review requires a sub-processor list, a model-per-feature breakdown, or vendor-specific disclosures, ask in chat and the team will route the request to the appropriate person and share the information under NDA.



SOC 2 Type II


Lido holds an active SOC 2 Type II report. To request a copy:


  1. Sign an NDA (the team will send one in chat or via email).
  2. Once the NDA is countersigned, the SOC 2 report is shared via secure link.


The report covers Security, Availability, and Confidentiality trust principles.



HIPAA and Business Associate Agreement (BAA)


Lido supports HIPAA-regulated workloads:


  • BAA is available on Enterprise plans.
  • Contact sales (via chat or email) to begin BAA negotiation. Standard BAA terms are typically signable as-is for most healthcare customers.
  • Once BAA is in place, the workspace is configured with HIPAA-aligned settings (logging, retention, sub-processor scope).


If you process PHI without a BAA, you're not HIPAA-compliant. Don't upload PHI to Lido until the BAA is signed.



GDPR and the Data Processing Agreement (DPA)


For customers subject to GDPR:


  • Lido provides a Data Processing Agreement (DPA) that covers Lido's role as a data processor.
  • The DPA includes Standard Contractual Clauses (SCCs) for cross-border data transfers.
  • Request the DPA in chat or via your account contact.


Subject Access Requests (SAR), erasure requests, and portability requests for your end users: as the data controller, you fulfill these by editing or deleting data in your workspace. Lido provides export and deletion tooling to support this.



Encryption


  • In transit: TLS 1.2 or higher for all client and server connections.
  • At rest: AES-256 for stored data, including spreadsheet content and processed data.
  • Document processing: files in transit through extraction are encrypted in transit and at rest until deletion.


API keys are stored hashed; the full key is shown only at creation time.



Authentication and access control


  • Workspace access: controlled by workspace admin via the Members section.
  • Role-based access: admins, editors, viewers (varies by plan).
  • SSO (SAML): available on Enterprise. Supports major identity providers (Okta, Azure AD, Google Workspace, OneLogin, etc.).
  • Multi-factor authentication (MFA): supported for password-based login; required when SSO is enforced.
  • API keys: workspace-scoped Bearer tokens. Create and revoke at sheets.lido.app/settings/api-keys. Rotate periodically.



Sub-processors


Lido uses a small set of vetted sub-processors (cloud hosting, LLM providers, error monitoring, customer support tooling). The current sub-processor list is available on request via chat or in the security review packet.


You'll be notified before material changes to the sub-processor list, with a window to object before changes take effect.



Data export and deletion


Export your data at any time:


  • Spreadsheet data: download as CSV or Excel from the file menu.
  • Workflow run history: filter and export from the Runs view.
  • API extraction results: persist them in your own system as they complete (results expire after 24 hours).


Delete a sheet or workflow: from the file menu → Delete. Deletion is immediate; trashed items are recoverable for a short window before permanent deletion.


Delete the entire workspace and all data: ask in chat. This is irreversible and is performed by the team after admin confirmation.



Reporting a security issue


If you find a vulnerability or suspect a security incident:


  • Email security@lido.app with details.
  • Include reproduction steps, affected URLs/endpoints, and your contact info.
  • Lido aims to acknowledge reports within 1 business day.


Please do not test for vulnerabilities against production data you don't own.



Tips


  • Use a dedicated service account for production integrations (Drive, OneDrive, email). Personal accounts break when employees leave.
  • Rotate API keys regularly and immediately when an employee with access leaves.
  • Set short data retention in your own spreadsheets and tables — Lido stores extracted data until you delete it, so housekeeping is on you.
  • Enable SSO on Enterprise to centralize access management.
  • Keep a record of your BAA effective date and the workspace it covers, in case audit asks.



Common mistakes


  • Uploading PHI before BAA is signed. Wait for the BAA before sending real patient data.
  • Sharing API keys in code repos. Use a secrets manager and restrict repo access.
  • Treating extracted data as automatically deleted. It isn't — only the source file is purged within 23 hours; the data in your sheet stays until you delete it.
  • Assuming workspace cancellation deletes data. Cancellation moves to Free; deletion is a separate, deliberate action.
  • Sending highly sensitive data to chat support. Use email or a screen-share session for confidential context, not the chat widget.




  • Pricing, plans, and page allowance (HIPAA/SSO/custom retention require Enterprise)
  • Lido API quickstart and authentication (key management)
  • Manage your subscription (deletion vs. cancellation)
  • Get help: contact options


Updated on: 16/04/2026

Was this article helpful?

Share your feedback

Cancel

Thank you!