LOGOS AI, INC.
Effective Date: January 1, 2025 | Last Updated: March 25, 2026
🛡️ Security Summary
All AI inference is processed through managed, enterprise-grade services covered under Business Associate Agreements (BAAs): AWS Bedrock (for Claude, Llama, Mistral, and other models) and Google Vertex AI (for Gemini models). These BAAs ensure HIPAA-compliant processing of Protected Health Information (PHI).
By accepting our Terms of Service, you enter into a Business Associate Agreement with Logos AI. This means you do not need to execute a separate BAA: acceptance of our Terms constitutes agreement to BAA terms covering the safeguarding of PHI, breach notification within 72 hours, and appropriate administrative, physical, and technical safeguards.
PHI uploaded to Logos AI is processed exclusively through BAA-covered infrastructure. PHI is encrypted at rest and in transit, logically isolated per organization, and never used for any purpose other than providing the Services. All processing occurs in US regions.
Logos AI does not host or run AI models directly. All inference is routed through enterprise managed services: AWS Bedrock and Google Vertex AI. These services are operated by AWS and Google Cloud under their respective security programs, including SOC 2, ISO 27001, and HIPAA compliance.
This is guaranteed by architecture, not just policy. AWS Bedrock and Google Vertex AI are inference-only services: your data is processed statelessly and is never retained by the AI provider beyond the duration of the request. Your documents, queries, and responses are never used to train, fine-tune, or improve any public or private AI model. This applies to all data, including PHI, PII, and attorney-client privileged information.
AI requests are processed statelessly. Your data is sent to the AI provider for inference and the response is returned to you. The AI provider does not retain your data after the request completes. There is no persistent memory or learning from your data.
All data stored by Logos AI is encrypted at rest using AES-256 encryption. This includes documents, database records, backups, and cached data. Additionally, tenant documents indexed in our vector search system use per-record Fernet encryption (AES-128-CBC + HMAC-SHA256) with PBKDF2-HMAC-SHA256 key derivation (100,000 iterations) and per-record random 128-bit salts.
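As an added illustration (not Logos AI's own code), the per-record scheme described above can be assembled from the Python `cryptography` library's Fernet and PBKDF2HMAC primitives. The tenant master secret that PBKDF2 stretches, and the record layout (salt stored beside the Fernet token), are assumptions, since the page does not specify them; the iteration count and salt size are the ones stated above.

```python
import os
import base64
from typing import Optional
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

PBKDF2_ITERATIONS = 100_000   # iteration count stated on the page
SALT_BYTES = 16               # per-record random 128-bit salt


def derive_record_key(tenant_secret: bytes, salt: bytes) -> bytes:
    """Stretch the (assumed) tenant master secret with a per-record salt into a
    Fernet key, which must be the urlsafe-base64 encoding of 32 bytes."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32,
                     salt=salt, iterations=PBKDF2_ITERATIONS)
    return base64.urlsafe_b64encode(kdf.derive(tenant_secret))


def encrypt_record(tenant_secret: bytes, plaintext: bytes) -> dict:
    """Encrypt one indexed record under its own fresh salt. The Fernet token
    already carries the AES-128-CBC IV and the HMAC-SHA256 tag; only the salt
    needs to be stored alongside it (assumed record layout)."""
    salt = os.urandom(SALT_BYTES)
    token = Fernet(derive_record_key(tenant_secret, salt)).encrypt(plaintext)
    return {"salt": salt, "token": token}


def decrypt_record(tenant_secret: bytes, record: dict) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the token was
    modified: Fernet verifies the HMAC before decrypting, so any byte flip in
    the ciphertext or tag fails closed rather than yielding garbage."""
    try:
        key = derive_record_key(tenant_secret, record["salt"])
        return Fernet(key).decrypt(record["token"])
    except InvalidToken:
        return None


def tamper(token: bytes) -> bytes:
    """Flip one bit in the trailing HMAC tag (used only to show fail-closed)."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[-1] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw))


if __name__ == "__main__":
    secret = b"constructed-tenant-master-secret"   # constructed sample value
    rec = encrypt_record(secret, b"constructed document chunk")
    print(decrypt_record(secret, rec))                           # plaintext
    print(decrypt_record(b"other-tenant-secret", rec))           # None
    print(decrypt_record(secret, {**rec, "token": tamper(rec["token"])}))  # None
```

Because PBKDF2 at 100,000 iterations runs on every record read, derived keys are normally cached per record in memory rather than re-derived on each query.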
All data transmitted between your browser and our servers, and between our servers and AI providers, is encrypted using TLS 1.2 or higher. We enforce HTTPS for all connections and use HSTS headers to prevent downgrade attacks.
Each organization's data is logically isolated at the database level. All queries are scoped to the authenticated user's organization. Cross-organization data access is not possible through the application.
Logos AI implements a comprehensive RBAC system: Organization roles (Owner, Admin, Member, Viewer) control organization-level access. Project roles (Lead, Member, Reviewer, Observer) control case-level access. Permissions are enforced at the API layer for every request.
Logos AI supports TOTP-based two-factor authentication compatible with Google Authenticator, Authy, 1Password, and other standard authenticator apps. Users are prompted to enable 2FA on first login, and backup codes are provided for account recovery.
Authentication uses secure JWT tokens with configurable expiration. Sessions are invalidated on password change or account deactivation. All authentication events are logged for audit purposes.
Logos AI is hosted on Amazon Web Services (AWS) using ECS Fargate for containerized workloads, RDS for managed PostgreSQL databases, ElastiCache for Redis caching, S3 for document storage, and CloudFront for content delivery. All services run within a secured VPC with private subnets.
All data processing and storage occurs in US regions (primarily us-east-1). No data is transferred to or processed in non-US regions. AI inference through AWS Bedrock and Google Vertex AI also occurs in US regions.
Every AI interaction is logged with: the model used, tokens consumed, cost attribution, timestamp, and associated case/project. This enables transparent client billing and comprehensive audit trails.
Organizations have access to usage dashboards showing AI credit consumption, model usage breakdown, per-case cost tracking, and monthly usage trends. Usage logs are retained for 12 months for billing disputes, and credit transaction history is retained for 7 years for tax/accounting purposes.
If a security breach affecting your data occurs, we will: notify affected users within 72 hours, provide details of the type of information affected, describe steps we are taking to address the breach, and provide recommendations for protecting yourself. For breaches involving PHI, we will comply with the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414).
If you discover a security vulnerability or suspect a breach, please report it immediately to security@trustlogos.ai. We take all security reports seriously and will respond promptly.
For security inquiries, contact security@trustlogos.ai. For compliance and BAA questions, contact compliance@trustlogos.ai.
For our full Privacy Policy, visit the privacy center. For our Terms of Service (including the BAA), view our terms.
© 2025 Logos AI, Inc. All Rights Reserved.