Security & Compliance

Security built for sensitive longitudinal data.

LLIF handles health and lifestyle data that participants trust us to protect. Here is exactly where we stand — what's active, what's in progress, and what's on the roadmap.

Compliance

Compliance posture

Nonprofit Data Governance (Active)

Participant data is legally classified as a donor-restricted asset under 501(c)(3) nonprofit governance. It cannot be sold, monetized, or transferred regardless of any future change in leadership or organizational circumstance. This protection survives bankruptcy and cannot be unilaterally changed by any executive. It is enforced by IRS law, not internal policy.

IRB-Compatible Consent Architecture (Active)

Participant opt-in consent designed for IRB requirements. Layered consent model: participants consent first to the LLIF data framework, then separately to each program or study. All consent events are timestamped, immutable, and auditable. Consent records are available to researchers via API with appropriate partner access. IRB reviewers can inspect the consent architecture prior to study approval.

HIPAA Alignment (In Progress)

Infrastructure designed for HIPAA-adjacent workloads. Encryption at rest and in transit. Access logging and audit trails on all participant data reads. A HIPAA Business Associate Agreement (BAA) is available for qualifying research and healthcare partners. Full HIPAA certification is in progress.

SOC 2 Type II (Roadmap)

SOC 2 Type II certification is planned. Current infrastructure is operated according to SOC 2 principles: access controls, continuous monitoring, incident response procedures, and availability commitments. Certification timeline will be published when confirmed.

Technical controls

Data Protection

Encryption at rest: AES-256 for all stored participant data
Encryption in transit: TLS 1.2+ required on all connections
Database access: restricted to application service accounts, no direct database access by partners or staff outside approved workflows
Backups: encrypted, geographically redundant, tested regularly
Data residency: US-based infrastructure

Access & Audit

Bearer token authentication, scoped per partner per participant per consent grant
Every participant data read logged against the participant's active consent record
Audit trail immutable and timestamped, available to participants via their data dashboard
Partner access revoked immediately upon consent withdrawal
Rate limiting applied per partner account
No bulk export without explicit per-participant consent
Staff access to production participant data governed by internal access control policy and logged

For Researchers

For research applications

The security and compliance details most commonly requested by IRB committees and institutional data security reviewers.

Data classification: Health and lifestyle data, treated as sensitive personal information
Storage location: US-based cloud infrastructure
Encryption at rest: AES-256
Encryption in transit: TLS 1.2+
Access control model: Role-based, scoped per partner and consent grant
Audit trail: Full read/write audit log per participant, immutable
Consent model: IRB-compatible layered consent, participant-revocable
Data retention post-study: Persists with participant consent; deletion on request within 30 days
HIPAA BAA: Available for qualifying studies; contact research partnerships
Data sharing with third parties: Never without explicit participant consent and partner approval
Breach notification: Follows applicable law; participants notified per regulatory requirements
IRB documentation package: Available on request; see /researchers/grant-support

Need IRB documentation? Request the full security documentation package

Incident response

LLIF maintains documented incident response procedures covering detection, containment, assessment, notification, and remediation.

In the event of a data security incident affecting participant data:

Affected participants are notified as required by applicable law and within the timeframes required by our Data Partner Agreements
Research partners are notified per the terms of their Data Partner Agreement
Incidents are documented and summaries are included in LLIF's annual transparency report

Security concerns or vulnerability disclosures should be directed to security@llif.org

Security Research

Responsible disclosure

If you discover a security vulnerability in LLIF infrastructure, please disclose it responsibly before public disclosure. Contact: security@llif.org

We commit to:

Acknowledging receipt within 2 business days
Providing an initial assessment within 5 business days
Keeping you informed of remediation progress
Not pursuing legal action against researchers who follow responsible disclosure practices

Security questions or documentation requests?

We're happy to walk through our security posture with your team, IRB, or institutional data security reviewer.