Security and deployment infrastructure

Your contracts. Your infrastructure.
Your control.

Contract Lucidity is built for organizations where data sovereignty isn't optional.

Infrastructure

Self-Hosted Deployment

  • Full Docker Compose deployment — 5 containers, one command
  • Runs on your infrastructure: AWS, Azure, GCP, or on-premise
  • No data leaves your network
  • PostgreSQL with pgvector for embeddings — no external vector database required
  • Redis for task queue — all processing stays internal

Flexibility

AI Provider Flexibility

  • Choose your AI provider: Anthropic (Claude) or OpenAI (GPT-4/5)
  • Switch providers without re-architecting
  • Use Azure OpenAI Service for enterprise compliance
  • API keys stay in your environment — never transmitted to Contract Lucidity

Validation

File Integrity Validation

Every uploaded document is validated before it enters the system.

DOCX

ZIP structure verified, XML parsed, content confirmed

PDF

Header validation

RTF

Format verification

Images

Magic byte validation (JPEG, PNG, GIF, TIFF)

Corrupt or malformed files rejected with descriptive error messages.

Garbage in, garbage out — we don't accept garbage.
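The checks listed above, written out as an added Python example (this is not Contract Lucidity's own validator; the signatures, the required DOCX members and the sample inputs are the author's assumptions, and the filename-to-validator mapping is a hypothetical front door). It verifies the ZIP container and parses the WordprocessingML XML for DOCX, checks the `%PDF-` header, the `{\rtf` control group and the image magic bytes, and rejects a file whose extension disagrees with its content:

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Magic bytes for the image formats named on the page (assumed table).
# TIFF has two byte orders, GIF two versions.
IMAGE_SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "tiff": [b"II*\x00", b"MM\x00*"],
}
WORDML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


class ValidationError(ValueError):
    """Raised with a descriptive message when an upload is rejected."""


def validate_image(data: bytes) -> str:
    for fmt, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    raise ValidationError("image rejected: unrecognised magic bytes")


def validate_pdf(data: bytes) -> str:
    # Every PDF starts with "%PDF-" followed by its version, e.g. %PDF-1.7
    if not data.startswith(b"%PDF-"):
        raise ValidationError("PDF rejected: missing %PDF- header")
    return "pdf"


def validate_rtf(data: bytes) -> str:
    # Every RTF document opens with the control group "{\rtf"
    if not data.startswith(b"{\\rtf"):
        raise ValidationError("RTF rejected: missing {\\rtf header")
    return "rtf"


def validate_docx(data: bytes) -> str:
    # 1. ZIP container signature, 2. intact archive with the required members,
    # 3. document.xml parses and its root is a WordprocessingML <w:document>.
    if not data.startswith(b"PK\x03\x04"):
        raise ValidationError("DOCX rejected: not a ZIP container")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:
                raise ValidationError("DOCX rejected: corrupt ZIP member")
            names = set(zf.namelist())
            for required in ("[Content_Types].xml", "word/document.xml"):
                if required not in names:
                    raise ValidationError(f"DOCX rejected: missing {required}")
            root = ET.fromstring(zf.read("word/document.xml"))
    except zipfile.BadZipFile as exc:
        raise ValidationError(f"DOCX rejected: {exc}") from None
    except ET.ParseError as exc:
        raise ValidationError(f"DOCX rejected: document.xml is not well-formed ({exc})") from None
    if root.tag != f"{{{WORDML_NS}}}document":
        raise ValidationError("DOCX rejected: document.xml root is not w:document")
    return "docx"


VALIDATORS = {"docx": validate_docx, "pdf": validate_pdf, "rtf": validate_rtf,
              "jpeg": validate_image, "png": validate_image,
              "gif": validate_image, "tiff": validate_image}


def validate_upload(filename: str, data: bytes) -> str:
    """Return the confirmed format, or raise ValidationError with a reason."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpg": "jpeg", "tif": "tiff"}.get(ext, ext)
    validator = VALIDATORS.get(ext)
    if validator is None:
        raise ValidationError(f"rejected: unsupported extension '.{ext}'")
    detected = validator(data)
    if detected != ext:  # extension spoofing: a JPEG renamed to .png, etc.
        raise ValidationError(f"rejected: '{filename}' claims .{ext} but content is {detected}")
    return detected


def check_upload(filename: str, data: bytes):
    """Exception-free wrapper: (accepted, confirmed format or error message)."""
    try:
        return True, validate_upload(filename, data)
    except ValidationError as exc:
        return False, str(exc)


def build_minimal_docx(document_xml: str = None) -> bytes:
    """Constructed sample: the smallest DOCX-shaped ZIP the validator accepts."""
    body = document_xml or f'<w:document xmlns:w="{WORDML_NS}"><w:body/></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", body)
    return buf.getvalue()
```

The extension-versus-content comparison is the part worth keeping even if the signature table grows: a file that passes one validator but was uploaded under another type's extension is still rejected, and the message says which check failed so the user can fix the upload rather than guess.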

Architecture

Architecture Overview

Frontend

Next.js (React)

Modern, responsive web application

Backend

FastAPI (Python)

Async API server with hot-reload

Worker

Celery

Async document processing pipeline

Database

PostgreSQL + pgvector

Relational storage with vector embeddings

Cache

Redis

Task queue and session management

Storage

Volume-mounted

File storage on your infrastructure

All components containerized and orchestrated via Docker Compose.

Compliance

Compliance Roadmap

  • Planned: SOC 2 Type II certification
  • Planned: ISO 27001
  • Current: GDPR-ready architecture
  • Current: CCPA compliant
  • Current: OIDC Single Sign-On
  • Current: SCIM 2.0 provisioning
  • Current: Role-based access control
  • Current: Ethical walls / information barriers

Identity

Enterprise Identity Management

Integrate with your existing identity provider. Provision users automatically. Control access at the project level.

OIDC Single Sign-On

Azure AD / Entra ID, Okta, Google Workspace, and any OIDC-compliant provider

SCIM 2.0 Provisioning

Automatic user and group sync from your identity provider — no manual account creation

Role-Based Access Control

Admin and user roles with distinct permissions for platform management and daily use

Group-Based Project Access

Assign groups to projects so team members see only what they need

Seed Admin Protection

Protected initial administrator account that cannot be deleted or demoted

Client Secret Encryption

OIDC client secrets encrypted at rest — never stored in plaintext

REST API (OAuth 2.0)

126+ versioned endpoints at /api/v1/. OAuth client credentials flow for machine-to-machine access. Power Platform, ServiceNow, and custom integrations.

Information Barriers

Ethical Walls

Enforce information barriers at the platform level. Designed for ABA Model Rule 1.10 compliance with a deny-overrides-allow permission model.

Deny-Overrides-Allow Model

iManage-style hybrid enforcement. Deny rules take absolute precedence over any allow grant, eliminating accidental exposure through inherited permissions.

No Admin Bypass

Even platform administrators cannot view documents in walled projects. The barrier is enforced at the query level with no override mechanism.

Matter-Level Isolation

Walls are applied at the project level. Every document, analysis, and report within a walled project is invisible to barred users.

Complete Audit Trail

Every access decision — granted and denied — is logged with user, resource, wall rule, and timestamp. Exportable for court or regulatory defense.

Conflicts Counsel Workflow

Create a wall, assign the attorneys who are barred, assign the projects that are restricted. One screen, immediate enforcement.

ABA Model Rule 1.10

Purpose-built for imputed disqualification screening. Ensure that conflicted attorneys are fully isolated from affected matters across the platform.
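The deny-overrides-allow model, the absence of an admin bypass and the per-decision audit trail described in this section, as an added Python example. It is not Contract Lucidity's implementation: the `Wall`, `WallEnforcer` and `AccessLog` classes, the group-based inherited grants and the sample users and matters are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Wall:
    """One ethical wall: the barred attorneys and the projects they may not see."""
    wall_id: str
    barred_users: frozenset
    restricted_projects: frozenset


@dataclass
class AccessLog:
    """Audit trail: one entry per access decision, granted or denied."""
    entries: list = field(default_factory=list)

    def record(self, user, resource, project, decision, rule):
        self.entries.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "resource": resource,
            "project": project,
            "decision": decision,
            "rule": rule,  # the wall that denied, or the grant that allowed
        })


class WallEnforcer:
    def __init__(self, walls, project_grants, user_groups, admins, log):
        self.walls = list(walls)
        self.project_grants = project_grants  # project -> principals (users or groups) allowed
        self.user_groups = user_groups        # user -> groups; the source of inherited grants
        self.admins = frozenset(admins)       # admin role is an allow, never a deny override
        self.log = log

    def _matching_deny(self, user, project):
        for wall in self.walls:
            if user in wall.barred_users and project in wall.restricted_projects:
                return wall.wall_id
        return None

    def _matching_allow(self, user, project):
        if user in self.admins:
            return "role:admin"
        principals = {user} | self.user_groups.get(user, set())
        granted = principals & self.project_grants.get(project, set())
        return "grant:" + ",".join(sorted(granted)) if granted else None

    def can_access(self, user, resource, project) -> bool:
        # Deny rules are evaluated first and are final; admin status is not consulted.
        deny = self._matching_deny(user, project)
        if deny is not None:
            self.log.record(user, resource, project, "denied", deny)
            return False
        # Only then do explicit or inherited allow grants matter.
        allow = self._matching_allow(user, project)
        if allow is None:
            self.log.record(user, resource, project, "denied", "no-grant")
            return False
        self.log.record(user, resource, project, "granted", allow)
        return True

    def visible_documents(self, user, documents):
        """Query-level filter: every (doc_id, project) pair goes through can_access."""
        return [doc for doc, project in documents if self.can_access(user, doc, project)]


def build_sample_enforcer():
    """Constructed sample: alice and carol are screened off matter-42;
    the litigation group (alice, bob) holds an inherited grant on it;
    carol and root are platform administrators."""
    log = AccessLog()
    walls = [Wall("wall-acme", frozenset({"alice", "carol"}), frozenset({"matter-42"}))]
    project_grants = {"matter-42": {"litigation"}, "matter-7": {"litigation", "dave"}}
    user_groups = {"alice": {"litigation"}, "bob": {"litigation"}}
    enforcer = WallEnforcer(walls, project_grants, user_groups,
                            admins={"carol", "root"}, log=log)
    return enforcer, log
```

The point to check in any implementation of this model is the ordering in `can_access`: the deny lookup runs before any allow source, so a grant inherited through a group, or the admin role itself, can never reactivate access for a barred user. Filtering at the query level through `visible_documents` means a walled document never reaches the rendering layer in the first place.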

End-to-End Security

Secure the entire document lifecycle.

Contract Lucidity secures analysis on your infrastructure. Lucid Vault secures document exchange with your clients.


Analysis Security

  • Self-hosted — data never leaves your network
  • Fernet encryption for API keys at rest
  • Non-root containers with dropped capabilities
  • Rate limiting and audit logging on every endpoint

Exchange Security

  • AES-256-GCM encryption at rest, TLS 1.3 in transit
  • Single-tenant isolation — no shared databases
  • White-labeled portal under your domain
  • Complete audit trail for every file action

Deploy on your terms.

Self-hosted. Air-gapped capable. Your infrastructure, your AI provider, your data. No exceptions.
