Security
How we protect the documents you trust us with.
Identity
Sign-in is brokered through AWS Cognito with email-and-password credentials, optional MFA, and the option to bring your own SSO provider on the Enterprise tier. Session tokens are HMAC-signed, HttpOnly cookies with an 8-hour TTL. The product backend verifies every request against the Cognito JWKS; there is no shared session store to compromise.
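As an added illustration of the HMAC-signed, HttpOnly session cookie with an 8-hour TTL described above (example code, not Laytimely's own implementation; the signing key, claim names and cookie attributes other than HttpOnly are assumptions), the block below mints a token, verifies it with a constant-time comparison, and rejects expired, tampered and malformed tokens. The JWKS check against Cognito is not shown here.

```python
"""Added example (not Laytimely's code): mint and verify an HMAC-signed session
cookie with an 8-hour TTL. Key, claim names and extra cookie attributes are
constructed assumptions for illustration only."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SESSION_TTL_SECONDS = 8 * 60 * 60  # 8-hour TTL, as stated on the page
# Constructed signing key; a real deployment loads this from a secret store.
SIGNING_KEY = b"constructed-example-key-do-not-use"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_session(subject: str, key: bytes = SIGNING_KEY, now: Optional[float] = None) -> str:
    """Return 'payload.signature'; payload carries the Cognito subject and expiry."""
    issued = int(now if now is not None else time.time())
    claims = {"sub": subject, "iat": issued, "exp": issued + SESSION_TTL_SECONDS}
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    signature = _b64url(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{signature}"


def verify_session(token: str, key: bytes = SIGNING_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload, signature = token.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so a forged signature cannot be refined via timing.
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # covers bad base64, bad JSON and a missing separator
        return None
    if not isinstance(claims, dict):
        return None
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:
        return None  # expired: the cookie is simply no longer accepted
    return claims


def set_cookie_header(token: str) -> str:
    """HttpOnly is from the page; Secure and SameSite are assumed hardening."""
    return (
        f"session={token}; Max-Age={SESSION_TTL_SECONDS}; Path=/; "
        "HttpOnly; Secure; SameSite=Lax"
    )
```

Because the expiry lives inside the signed payload, the backend needs only the signing key to validate a request, which is what lets the design do without a shared session store.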
Data at rest
Voyage documents land in S3 with SSE-S3 encryption (SSE-KMS with a customer-managed key on request). Structured data sits in Aurora Serverless v2 Postgres with at-rest encryption enabled. Backups run daily and are retained for thirty days.
Data in transit
Every connection terminates at AWS-managed TLS 1.2 or higher. Outbound calls to the Claude API and to optional research providers use the same TLS posture.
Access control
Every voyage carries the Cognito user identifier of the owner; the backend filters every list and detail endpoint against the requesting principal. Admin access is short-lived and audited.
Audit logging
Application logs are structured JSON. Authentication events, voyage creations, voyage deletions, and revise applies are emitted with the actor and a redacted payload. Logs ship to CloudWatch and are retained for ninety days.
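The access-control and audit-logging sections above describe owner-scoped list and detail endpoints and structured JSON events carrying the actor and a redacted payload. The block below is an added example (not Laytimely's code) of both together: an in-memory voyage store that filters by the requesting principal and emits audit events on creation and deletion. The store layout, event names and the list of redacted field names are constructed assumptions.

```python
"""Added example (not Laytimely's code): owner-scoped voyage access plus a
structured JSON audit log with payload redaction. Field names, event names
and the redaction list are constructed for illustration."""
import json
from typing import Dict, List

# Assumed set of payload keys that must never reach the log.
REDACTED_KEYS = {"password", "token", "authorization", "document_body"}


def redact(payload: dict) -> dict:
    """Return a copy with sensitive values replaced, recursing into nested dicts."""
    out = {}
    for key, value in payload.items():
        if key.lower() in REDACTED_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out


class AuditLog:
    """Collects one JSON line per event; a deployment would ship these to CloudWatch."""

    def __init__(self) -> None:
        self.lines: List[str] = []

    def emit(self, action: str, actor: str, payload: dict) -> dict:
        event = {"event": action, "actor": actor, "payload": redact(payload)}
        self.lines.append(json.dumps(event, sort_keys=True))
        return event


class NotFound(Exception):
    pass


class VoyageStore:
    def __init__(self, audit: AuditLog) -> None:
        self._voyages: Dict[str, dict] = {}
        self._audit = audit
        self._counter = 0

    def create(self, principal: str, voyage: dict) -> str:
        self._counter += 1
        voyage_id = f"v{self._counter}"
        # Owner is set from the authenticated principal, never from client input.
        self._voyages[voyage_id] = {**voyage, "owner": principal}
        self._audit.emit("voyage.create", principal, {"voyage_id": voyage_id, **voyage})
        return voyage_id

    def list(self, principal: str) -> List[str]:
        # Filtered server-side: other owners' rows never leave the store.
        return [vid for vid, v in self._voyages.items() if v["owner"] == principal]

    def get(self, principal: str, voyage_id: str) -> dict:
        voyage = self._voyages.get(voyage_id)
        # An owner mismatch is reported like a missing id so that another
        # tenant's ids cannot be confirmed by probing (assumed design choice).
        if voyage is None or voyage["owner"] != principal:
            raise NotFound(voyage_id)
        return voyage

    def delete(self, principal: str, voyage_id: str) -> None:
        self.get(principal, voyage_id)  # same ownership check as the detail endpoint
        del self._voyages[voyage_id]
        self._audit.emit("voyage.delete", principal, {"voyage_id": voyage_id})
```

Routing every mutating path through the same ownership check as the detail endpoint keeps the filter from drifting between handlers, and redacting before serialization means the sensitive field never exists in the log line that is shipped.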
Incident response
Suspected vulnerabilities and incident reports go to security@laytimely.com. We acknowledge within one business day and disclose any incident that affects customer data to the affected customer within seventy-two hours.