Security & Trust
Built for confidential portfolio data.
Lyrian isolates every organisation's data at the database layer, encrypts it in transit and at rest, and keeps a deliberately small, transparent set of sub-processors. This page is a factual summary, and it states plainly which items are still on our roadmap rather than already shipped.
Tenant isolation
Every organisation is a separate tenant. Projects and all project data — RAID, plans, documents, reports, meeting minutes — plus the user directory and templates are isolated by PostgreSQL Row-Level Security (hundreds of policies enforced in the database, not just the UI). One customer can never see another's data.
Authentication & access
Sign-in via password, one-time email link, or SSO (Microsoft / Google). Multi-factor authentication is supported and can be required per workspace. Inside the app, role-based permissions plus row-level security govern who can see and do what.
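The two sections above describe tenant isolation by PostgreSQL Row-Level Security combined with role-based permissions. The following is an added, illustrative example of that pattern and is not Lyrian's own schema or policies; it assumes a hypothetical `memberships` table linking users to organisations with a role, and that the application sets the authenticated user's id in a session variable (`app.current_user`) before querying. On Supabase the same membership check would typically use `auth.uid()` instead of the session variable.

```sql
-- Added example of tenant isolation with PostgreSQL Row-Level Security.
-- Not Lyrian's schema: the tables, column names and role names are assumptions.

CREATE TABLE organisations (
  id   uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  name text NOT NULL
);

-- Hypothetical user directory: which users belong to which organisation, and as what.
CREATE TABLE memberships (
  user_id uuid NOT NULL,
  org_id  uuid NOT NULL REFERENCES organisations(id),
  role    text NOT NULL CHECK (role IN ('viewer', 'editor', 'admin')),
  PRIMARY KEY (user_id, org_id)
);

-- One tenant-scoped table (a RAID log) standing in for all project data.
CREATE TABLE raid_items (
  id     uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  org_id uuid NOT NULL REFERENCES organisations(id),
  kind   text NOT NULL CHECK (kind IN ('risk', 'assumption', 'issue', 'dependency')),
  title  text NOT NULL
);

-- The caller's identity, read from a session variable the application sets.
-- current_setting(..., true) returns NULL instead of raising when the variable
-- is unset, and NULLIF handles the empty string left after a transaction ends,
-- so an unauthenticated session matches no rows at all.
CREATE FUNCTION current_app_user() RETURNS uuid
  LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('app.current_user', true), '')::uuid
$$;

-- Enable RLS and FORCE it so the table owner is filtered too. Note that
-- superusers and roles with BYPASSRLS are never filtered, so the application
-- must connect as an ordinary role.
ALTER TABLE raid_items ENABLE ROW LEVEL SECURITY;
ALTER TABLE raid_items FORCE ROW LEVEL SECURITY;

-- Read policy: a row is visible only to members of its organisation.
CREATE POLICY raid_items_select ON raid_items
  FOR SELECT
  USING (
    EXISTS (
      SELECT 1 FROM memberships m
      WHERE m.org_id  = raid_items.org_id
        AND m.user_id = current_app_user()
    )
  );

-- Write policy: only editors and admins of that organisation may change rows.
-- USING filters the rows an UPDATE/DELETE can touch; WITH CHECK validates the
-- new row, which stops a user from inserting into, or moving a row into,
-- an organisation they do not belong to.
CREATE POLICY raid_items_write ON raid_items
  FOR ALL
  USING (
    EXISTS (SELECT 1 FROM memberships m
            WHERE m.org_id  = raid_items.org_id
              AND m.user_id = current_app_user()
              AND m.role IN ('editor', 'admin'))
  )
  WITH CHECK (
    EXISTS (SELECT 1 FROM memberships m
            WHERE m.org_id  = raid_items.org_id
              AND m.user_id = current_app_user()
              AND m.role IN ('editor', 'admin'))
  );

-- Per-request usage. SET LOCAL scopes the identity to this transaction, so a
-- pooled connection cannot carry one user's identity into the next request.
BEGIN;
SET LOCAL app.current_user = '00000000-0000-0000-0000-000000000001';  -- constructed sample id
SELECT id, kind, title FROM raid_items;  -- only rows from this user's organisations
COMMIT;
```

Two details matter when reviewing a setup like this: every tenant-scoped table needs its own policies (which is why a real deployment ends up with many of them), and the application's database role must be a plain role with GRANTed table privileges, because RLS is silently skipped for superusers and BYPASSRLS roles.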
Data storage & encryption
Your data lives in a managed PostgreSQL database (Supabase, on AWS), with files in object storage. Everything is encrypted in transit (TLS) and at rest. The application host (Vercel) runs code and holds no copy of your database.
AI & your data
AI features use Anthropic's Claude via its commercial API. Only the specific text needed for a task is sent. Per Anthropic's commercial terms, your data is not used to train models. A no-AI / manual mode for highly sensitive workspaces is on our roadmap.
Confidential meetings
The AI Notetaker reads meeting transcripts from your own Microsoft 365 tenant via Microsoft Graph, only with the permissions your admin grants. The generated minutes are stored in your workspace; configurable retention is on our roadmap.
No tracking
Lyrian wires in no analytics, advertising, or behavioural-tracking third parties. The complete sub-processor list is below — nothing else touches your data.
Sub-processors
| Provider | Purpose | Data it processes |
|---|---|---|
| Vercel | Application hosting | Runs the application; transient request data |
| Supabase (on AWS) | Database, authentication, file storage | Your stored data (projects, RAID, documents, users, minutes) |
| Anthropic | AI features (Claude) | The specific text submitted for a given AI task |
| Resend | Outbound email | Recipient addresses + email content (invites, minutes) |
| Microsoft Graph | Meeting notetaker / calendar (opt-in) | Transcripts/calendar — read within your own Microsoft 365 tenant |
On our roadmap
We believe in being explicit about what is shipped versus in progress:
- SOC 2 — pursuing Type I → II.
- Independent penetration test + published report summary.
- Data Processing Agreement (DPA) and signed sub-processor agreements.
- Configurable data retention for meeting minutes and transcripts.
- No-AI / manual mode and customer-managed encryption keys (BYOK) for enterprise.
- Regional data residency options.
Security questions or a vendor review? Contact us — we're glad to walk your team through the architecture.