Governance & Security

Governance that stands up to audit.

LGPD applied in the engineering layer, CFM 2,454/2026 alignment, Brazilian infrastructure, and a named DPO.

01 / LGPD

LGPD applied in engineering, not just declared.

Sensitive data is encrypted at rest (AES-256) and in transit (TLS 1.3). Access is granted to named accounts only and is audit-trailed, with access logs retained for the period defined in the contract. Laudos.AI acts as processor for clinical data and never uses production clinical data to train third-party models.

Legal basis
Regular exercise of rights in healthcare
Retention
Per contract — default 10 years
Data subject channel
natan@laudos.ai · response within 15 business days

02 / CFM 2,454/2026

Aligned with CFM Resolution 2,454/2026.

AI supports the physician; it does not replace them. A report is issued only after review and digital signature by the responsible radiologist. Every automated change is logged with timestamp, author, and model identifier.

Responsibility
Rests entirely with the signing radiologist
Traceability
Immutable log per report
Transparency
Model identified in each suggestion
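What "immutable log per report" means in checkable terms: every automated change is recorded with timestamp, author and model identifier, and each record commits to the one before it, so an auditor can detect any entry that was altered, inserted or removed after the fact. The following is an added illustration, not Laudos.AI code and not a description of how their logging is implemented. The hash-chaining construction (SHA-256 over canonical JSON), the field names, the report identifier `RX-0001` and the sample entries are all assumptions constructed for the example.

```python
"""Illustration: append-only, hash-chained audit log for a single report.

Added example, not Laudos.AI code. It shows one way the properties listed on
the page (timestamp, author and model identifier per automated change; an
immutable per-report log) can be made verifiable by an auditor.
Field names, SHA-256 chaining and all sample data are assumptions.
"""
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # anchor for the first entry of each report's chain


def _commitment(report_id: str, seq: int, timestamp: str, author: str,
                model_id: str, change: str, prev_hash: str) -> dict:
    """The exact fields each entry hash commits to, including the previous hash."""
    return {"report_id": report_id, "seq": seq, "timestamp": timestamp,
            "author": author, "model_id": model_id, "change": change,
            "prev_hash": prev_hash}


def _digest(payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal entries hash equally.
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Entry:
    seq: int          # position in this report's chain, starting at 0
    timestamp: str    # RFC 3339 UTC, supplied by the caller (assumed format)
    author: str       # radiologist user id, or the system account for AI output
    model_id: str     # model identifier; empty string for purely human edits
    change: str       # what changed (free text or a reference to a diff)
    prev_hash: str    # entry_hash of the previous entry, GENESIS for the first
    entry_hash: str   # SHA-256 over _commitment(...) for this entry


class ReportAuditLog:
    """Append-only log for one report; entries are never edited or deleted."""

    def __init__(self, report_id: str) -> None:
        self.report_id = report_id
        self._entries: List[Entry] = []

    def append(self, timestamp: str, author: str, model_id: str, change: str) -> Entry:
        seq = len(self._entries)
        prev_hash = self._entries[-1].entry_hash if self._entries else GENESIS
        entry_hash = _digest(_commitment(self.report_id, seq, timestamp, author,
                                         model_id, change, prev_hash))
        entry = Entry(seq, timestamp, author, model_id, change, prev_hash, entry_hash)
        self._entries.append(entry)
        return entry

    def entries(self) -> List[Entry]:
        return list(self._entries)


def verify_chain(report_id: str, entries: List[Entry]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    Detects modified entries (hash mismatch), inserted or removed entries
    (seq gap or prev_hash mismatch) and entries copied from another report.
    """
    expected_prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != expected_prev:
            return i
        recomputed = _digest(_commitment(report_id, e.seq, e.timestamp, e.author,
                                         e.model_id, e.change, e.prev_hash))
        if recomputed != e.entry_hash:
            return i
        expected_prev = e.entry_hash
    return None


def tampered_copy(entries: List[Entry], index: int, **changes) -> List[Entry]:
    """Return a copy of the list with one entry's fields altered (for testing)."""
    altered = list(entries)
    altered[index] = dataclasses.replace(entries[index], **changes)
    return altered


def build_sample_log() -> ReportAuditLog:
    """Constructed sample: an AI suggestion, a human edit and the final signature."""
    log = ReportAuditLog("RX-0001")  # constructed report identifier
    log.append("2026-03-10T14:02:11Z", "svc-ai", "laudos-model-v3.2",
               "suggested finding: 4 mm nodule, right upper lobe")
    log.append("2026-03-10T14:05:47Z", "dr.silva", "",
               "edited measurement to 5 mm")
    log.append("2026-03-10T14:06:30Z", "dr.silva", "",
               "report reviewed and digitally signed")
    return log


if __name__ == "__main__":
    sample = build_sample_log().entries()
    print("intact:", verify_chain("RX-0001", sample) is None)
    print("first bad entry after edit:", verify_chain("RX-0001", tampered_copy(sample, 0, author="dr.x")))
```

The chain alone does not detect removal of the most recent entries; to close that gap the final entry hash has to be anchored somewhere the log writer cannot rewrite, for example stored with the signed report or written to a separate append-only store.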

03 / Information Security

Security-by-default operating model.

Internal security program modelled on ISO/IEC 27001 and 27701 controls, with recurring reviews, access governance, and a responsible-disclosure channel for security researchers. Formal certification is not in the current scope.

Security review
Recurring
Internal audit
Per scope
Disclosure
security@laudos.ai

04 / Infrastructure

Infrastructure in Brazilian territory.

Processing and storage run in Brazilian infrastructure, with encrypted backups and continuity controls defined by contract. Clinical data does not leave the country.

Sovereignty
100% in Brazilian territory
SLA
Defined by contract
Continuity
Technical plan defined per scope

05 / Model & Data

In-house model, validated under clinical governance.

Clinical validation follows documented protocol, human review, and safety criteria before any relevant change to the AI-assisted workflow.

Validation
Documented protocol
Curation
Human review
Control
Traceable change

06 / DPO & Audit

Named DPO and on-demand audit package.

A named Data Protection Officer handles direct contact with data subjects and authorities. DPIA-style impact reports and audit packages are available according to institutional scope.

DPO
natan@laudos.ai
Data subjects
Dedicated channel
Impact report
Available under NDA

Need a technical report for legal or compliance purposes? We assemble the package according to scope.

Talk to the team

Privacy

Essential cookies keep the site working; analytics only loads with consent.