Governance & Security

Governance that stands up to audit.

LGPD applied in the engineering layer, CFM 2,454/2026 alignment, Brazilian infrastructure, and a named DPO.

01 / LGPD

LGPD applied in engineering, not just declared.

Sensitive data is encrypted at rest (AES-256) and in transit (TLS 1.3). Access is tied to named users, audit-trailed, and retained for the period set by contract. Laudos.AI acts as processor for clinical data and never uses production clinical data to train third-party models.

Legal basis: Regular exercise of rights in healthcare
Retention: Per contract — default 10 years
Data subject channel: dpo@laudos.ai · 15 business days

02 / CFM 2,454/2026

Aligned with CFM Resolution 2,454/2026.

AI supports the physician; it does not replace them. A report is issued only after review and digital signature by the responsible radiologist. Every automated change is logged with timestamp, author, and model version.

Responsibility: 100% the signing radiologist
Traceability: Immutable log per report
Transparency: Model identified in each suggestion

03 / Information Security

Security-by-default operating model.

Internal security program inspired by ISO 27001 and 27701 controls, with recurring reviews, access governance, and responsible disclosure for security researchers. Formal certification is not in the current scope.

Security review: Recurring
Internal audit: Per scope
Disclosure: security@laudos.ai

04 / Infrastructure

Infrastructure in Brazilian territory.

Processing and storage run in Brazilian infrastructure, with encrypted backups and continuity controls defined by contract. Clinical data does not leave the country.

Sovereignty: 100% in Brazilian territory
SLA: Defined by contract
Continuity: Technical plan by scope

05 / Model & Data

Own model, trained only with consent.

The Laudos.AI model is trained with anonymized partner data under explicit contracts. Production client data is never used for training unless the client has opted in. Model versions are controlled, and clients can pin a version contractually.

Training opt-in: Off by default
Anonymization: De-ID aligned with HIPAA Safe Harbor
Versioning: Contract-pinnable model

06 / DPO & Audit

Named DPO and on-demand audit package.

A named Data Protection Officer handles direct contact with data subjects and authorities. DPIA-style impact reports and audit packages are available according to institutional scope.

DPO: dpo@laudos.ai
Data subjects: Dedicated channel
Impact report: Available under NDA

Need a technical report for legal or compliance? We assemble the package according to scope.
