Secure, privacy-first, and reliable by design

Isolated, ephemeral VMs; least‑privilege access; auditability; no training on your data.

Talk to securityRead docs
SOC 2 (in progress)GDPR alignedSSO/SAML & SCIMRBAC & audit logs

How Lucien generates and executes code

  • Isolated, ephemeral sandbox VMs for all generation and execution (lint, build, test, run)
  • Least‑privilege, repo‑scoped tokens; no long‑lived creds in VMs
  • Read‑only source mounts; writable temp workspaces wiped after run
  • Network egress controls; no inbound
  • Seccomp/AppArmor profiles; CPU/memory/time quotas; per‑run audit logs
  • No secrets stored in logs; never train shared models on your data
Data boundaries

You control which repos/orgs are in scope. Lucien only sees what you allow, and execution artifacts are ephemeral by default.

Auditability

Every run is logged with inputs/outputs metadata. We minimize PII and redact secrets from logs.

Principles

We design for least‑privilege access, isolation by default, auditable actions, and data minimization. Controls are surfaced to you: repo scope, environment policies, retention, and identity. Proof beats promises—we document what we do and why.

Data handling & retention

What we ingest

Source code (scoped), PR diffs, CI status, task metadata, and execution logs needed to complete your tasks. You choose the repos and scopes.

Storage & encryption

Encrypted in transit and at rest. No secrets in logs.

Retention & deletion

Execution artifacts are ephemeral by default. Logs follow a short, configurable retention window and can be exported or deleted upon request.

Model usage

We never train shared models on your data. Enterprise tenants may opt‑in to tenant‑isolated fine‑tuning.

Access & identity

SSO/SAML, SCIM for provisioning, and RBAC to govern actions. API keys are scoped and rotateable. We encourage MFA for human accounts and short‑lived tokens for automation.

Logging & auditing

Every run emits structured audit logs with inputs/outputs metadata. We minimize PII, redact secrets, and retain logs for a short window by default. Export available on request.

Incident response

24/7 on‑call, rapid detection and containment, customer notifications per legal and contractual obligations, and public post‑mortems for qualifying incidents.

Shared responsibility

Lucien
  • Platform security, sandbox isolation, encryption, backups
  • Audit logging, vulnerability management, incident response
  • Access controls for service accounts and infrastructure
Customer
  • Repo/org scoping, token management, and revocation
  • RBAC role assignments and SSO/SCIM configuration
  • MFA for human users and secret storage in your systems
Compliance

SOC 2 is in progress. We follow GDPR‑aligned practices. Our DPA is available here.

Request security packRead security docs

Frequently asked questions

Do you train on our code or data?

No. Customer data is never used to train shared models. In future, Enterprise customers may have the option to train on their data for their own models.

Where does code generation and execution happen?

Inside isolated, ephemeral sandbox VMs with strict network and resource policies.

Do you have a DPA?

Yes — available here. We follow GDPR‑aligned practices.

What permissions are required?

Least‑privilege, repo‑scoped tokens; you control org/repo scope and revocation.