◍  LGX / SECURITYApril 22, 2026

Information Security

Last updated: April 22, 2026

§ 01

Security Commitment

The security of your genetic data is our top priority.

We recognize that genetic data is:

  • Unique biometric identifiers
  • Immutable throughout life
  • Revealing of family information
  • Potentially sensitive for employment and insurance

We implement enterprise-level technical and organizational controls to protect your information against unauthorized access, loss, or leakage.

We employ a crypto-first architecture where encryption happens at the application layer before any storage operation. This means all external storage — local disk, cloud (S3), and our dedicated genetic data vault (GenomiX) — only ever handles opaque encrypted blobs. The trust boundary is at the application layer, not the storage layer.

§ 02

End-to-End Encryption

All data is protected with multiple layers of end-to-end encryption (E2EE):

ZERO PLAINTEXT ON DISK

Our processing pipeline ensures that no unencrypted genetic data ever touches disk. Files are encrypted at the application layer before any storage operation. All external storage (local disk, S3, GenomiX vault) only handles opaque encrypted blobs.

FILE ENCRYPTION (LGCR FORMAT):

  • X25519 ECIES — Elliptic Curve Integrated Encryption Scheme with ephemeral keys
  • AES-256-GCM — Authenticated encryption for file contents
  • gzip compression — Applied before encryption for storage efficiency
  • Per-profile encryption keys — each genetic profile has independent X25519 keypairs
  • Storage-agnostic — encrypted blobs can be stored on any backend without special security configuration

HEALTH DATA ENCRYPTION (PPK):

All health and biometric data in the database (blood tests, bioimpedance, epigenetics, medications, reports, clinical notes) is encrypted with per-profile ECIES (X25519 ECDH + HKDF-SHA256 + AES-256-GCM).

  • PPK v1 — Standard encryption for short fields (titles, metadata)
  • PPK v2 — gzip compressed before encryption for large content (report markdown), achieving ~60-70% size reduction in the database
  • Decryption auto-detects v1/v2 — fully backward-compatible
  • Domain separation: distinct HKDF info prevents key reuse across genetic and health encryption contexts

GENOTYPE-LEVEL ENCRYPTION (GenomiX Vault):

  • AES-256-PRF — Per-genotype encryption with hardware-accelerated AES-NI
  • HMAC-SHA256 — File-level integrity verification
  • ECIES envelope — Ephemeral X25519 key exchange with HKDF key derivation
  • Individual genotype values are encrypted independently — compromising one does not reveal others

REPORT DIGITAL SIGNATURES (Ed25519):

All generated reports are digitally signed with per-profile Ed25519 keys, providing:

  • Integrity — any modification to report content invalidates the signature
  • Authenticity — proves the report was generated by the system for a specific profile
  • Non-repudiation — the signature cannot be forged without the profile's private key
  • Signature covers: profile ID, report ID, SHA256(title), SHA256(content), and timestamp
  • Pipeline: plaintext is signed before compression and encryption; verification happens after decryption and decompression
  • Visual indicator: each report displays a Verified (blue), Unsigned (gray), or Invalid (red) badge

KEY ENCRYPTION AT REST (KEK):

  • Profile private keys are encrypted in the database using AES-256-GCM envelope encryption
  • KEK (Key Encryption Key) is stored separately from encrypted data
  • Defense-in-depth: even if the database is compromised, private keys cannot be extracted without the KEK

CRYPTO SHREDDING

  • Deleting a profile's private keys renders all associated data permanently unreadable — genetic files, vault data, health records, and reports
  • LGCR encrypted files, GenomiX .gxd vault files, PPK-encrypted health data, and signed reports all become undecryptable
  • Per-profile granularity — shred one profile without affecting others in the same account
  • Irreversible by design — no recovery mechanism exists once keys are deleted

DATA IN TRANSIT

  • TLS 1.3 for all communications
  • HSTS enabled with preloading
  • Certificate Pinning in applications
§ 03

GenomiX — Genetic Data Vault

GenomiX is a dedicated Rust microservice purpose-built for secure genetic data storage. It serves as the single source of truth for all genetic variant data.

ARCHITECTURE

  • Written in Rust (Axum framework) for memory safety and performance
  • Separate process from the main application — isolated security boundary
  • Stores data in encrypted binary format (.gxd) — never in plaintext
  • All queries go through GenomiX — no direct database access to genetic data

CRYPTOGRAPHIC IDENTITY

  • Each profile receives an Ed25519 keypair (self-certifying digital identity)
  • The GenomiX profile ID is the Ed25519 public key — not a traditional database UUID
  • X25519 encryption keys are derived from Ed25519 via Edwards-to-Montgomery conversion
  • Per-profile independent keypairs — each profile in a user's account has completely separate keys

SIGNED INGEST (WRITE PROTECTION):

  • All data writes require an Ed25519 digital signature
  • Signature covers: profile ID + timestamp + provider + SHA256 hash of SNP data
  • 5-minute replay protection — signed payloads expire after 5 minutes
  • Provides authentication, integrity verification, and non-repudiation

BINARY FORMAT (.gxd v3):

  • Compact binary encoding — ~1.5-2 MB for 650,000 SNPs (vs ~50-70 MB in traditional databases)
  • zstd compression at level 19 for maximum storage efficiency
  • 32-byte header with magic number, version, SNP count, provider, and checksum
  • 64-byte crypto header with ephemeral public key and HMAC tag

DATA ISOLATION

  • Each profile's data is encrypted with its own unique keys
  • No shared encryption keys between profiles
  • Users can selectively shred individual profiles (e.g., delete a family member's data while keeping their own)
  • Deleting one profile's keys does not affect any other profile
§ 04

Secure Infrastructure

Our AWS infrastructure includes:

DATA CENTERS

  • SOC 2 Type II, ISO 27001 certifications
  • 24/7 physical security
  • Geographic redundancy

NETWORK PROTECTION

  • AWS WAF (Web Application Firewall)
  • AWS Shield (DDoS protection)
  • VPC with private subnets
  • Restrictive Security Groups

DETECTION

  • AWS GuardDuty (threat detection)
  • AWS CloudTrail (audit logs)
  • Real-time alerts
§ 05

Access Control

We implement rigorous controls:

AUTHENTICATION

  • Passwords with bcrypt + salt
  • 2FA support for users
  • Mandatory MFA for team
  • JWT tokens with short expiration

AUTHORIZATION

  • Principle of least privilege
  • RBAC (Role-Based Access Control)
  • Segregation of duties
  • Quarterly access reviews

AUDIT

  • Logs of all genetic data access
  • Administrative action logs
  • 12-month retention
  • Immutable logs (append-only)
§ 06

AI Processing Security

Specific measures for protection during AI analysis:

DATA MINIMIZATION

  • We send only necessary SNPs (30-100 per analysis)
  • We do not send personal identifiers to AI APIs
  • Data is contextualized without PII

SECURE TRANSMISSION

  • TLS 1.3 for all API calls
  • Authentication via secure API keys
  • Timeout configured to prevent leaks

SELECTED PROVIDERS

  • We prioritize providers with Zero-Data-Retention
  • Non-training policies verified
  • Security certifications evaluated

LIMITATIONS

  • We cannot guarantee 100% that providers follow their policies
  • Data sent to China (DeepSeek, Qwen) is subject to Chinese jurisdiction
§ 07

Development Security

Secure development practices:

CODE

  • Mandatory code review
  • SAST (Static Application Security Testing)
  • Dependencies audited and updated
  • Secrets in vault, never in code

TESTING

  • Automated security testing
  • Periodic penetration testing
  • Input validation
  • Output sanitization

DEPLOY

  • CI/CD with security gates
  • Segregated environments (dev/staging/prod)
  • Automated rollback
  • Container images scanned
§ 08

Monitoring and Detection

24/7 monitoring:

METRICS

  • Performance and availability
  • Failed access attempts
  • Anomalous usage patterns
  • AI API latency

ALERTS

  • Threshold-based and ML-based
  • Immediate team notification
  • Automatic escalation
  • Automated response to known threats

DASHBOARDS

  • Real-time visibility
  • Incident history
  • Security KPIs
§ 09

Backup and Recovery

Robust backup strategy with encryption at every layer:

FREQUENCY

  • Daily automatic backups
  • Snapshots every 6 hours
  • Continuous transaction logs

ENCRYPTED BLOB BACKUPS

  • Genetic files are backed up to S3 as LGCR encrypted blobs — S3 never sees plaintext
  • Local-first storage with asynchronous S3 backup via background job queue
  • If local files are lost, they are automatically restored from S3 encrypted copies
  • All backups are storage-agnostic — any blob storage provider can be used securely

GenomiX VAULT ROTATION:

  • On re-ingest, existing .gxd files are rotated (.gxd.1, .gxd.2, etc.)
  • Previous versions preserved for recovery
  • Current file is always the unversioned .gxd

REDUNDANCY

  • Multiple AWS regions
  • Encrypted offsite backups
  • 30-day retention

RECOVERY

  • RTO: 4 hours
  • RPO: 1 hour
  • Monthly restore tests
  • Documented DR plan
§ 10

Incident Response

Structured response process:

PLAN

  • Complete and updated documentation
  • Designated response team
  • Playbooks for common scenarios

RESPONSE

  • Detection in minutes
  • Immediate containment
  • Forensic investigation
  • Structured communication

NOTIFICATION

  • ANPD: up to 2 business days (relevant incidents)
  • Data subjects: without undue delay
  • GDPR: 72 hours

POST-INCIDENT:

  • Root cause analysis
  • Lessons learned
  • Implementation of improvements
§ 11

Certifications and Compliance

We adhere to the following standards:

REGULATORY

  • LGPD (Law 13,709/2018)
  • GDPR (Regulation 2016/679)
  • Brazilian Internet Framework
  • HIPAA-aligned controls

FRAMEWORKS

  • OWASP Top 10
  • CIS Controls
  • NIST Cybersecurity Framework

INFRASTRUCTURE

  • AWS: SOC 2, ISO 27001, HIPAA eligible
  • Stripe: PCI-DSS Level 1

AUDITS

  • Quarterly vulnerability assessment
  • Annual penetration testing
  • Annual compliance audit
§ 12

Team and Training

Our team follows rigorous standards:

HIRING

  • Background verification
  • Mandatory NDA
  • Specific confidentiality agreement for genetic data

TRAINING

  • Security onboarding
  • Annual LGPD/GDPR training
  • Phishing simulations
  • Threat updates

ACCESS

  • Minimum necessary per role
  • Review at each role change
  • Immediate revocation upon termination
§ 13

Vulnerability Disclosure

We encourage responsible disclosure of vulnerabilities:

CONTACT

[email protected]

WHAT WE EXPECT

  • Detailed description of the vulnerability
  • Steps to reproduce
  • Estimated potential impact
  • Do not exploit or publicly disclose

OUR RESPONSE

  • Confirmation within 48 hours
  • Assessment within 7 days
  • Fixes prioritized by severity
  • Credit to researcher (if desired)
  • Possible reward for critical findings
Need Help?
General Contact:[email protected]
Privacy and Data Protection (DPO):[email protected]
Address:

LifeGenix, Inc.
16192 Coastal Highway
Lewes, Delaware 19958

Other Legal Documents
§ 01
Terms of Use
Platform usage conditions
§ 02
Privacy Policy
How we handle your data
§ 03
Regulatory Compliance
LGPD, GDPR, HIPAA & data rights