GDPR and data privacy at Lightfield

Last updated: May 23, 2026

Lightfield takes data privacy seriously and supports a number of practices relevant to GDPR. We can execute a Data Processing Agreement (DPA) with customers, and our underlying security controls are SOC 2 Type 2 certified.

This article covers what's available today. For specific GDPR questions related to your use case, contact support@lightfield.app.

Data Processing Agreement (DPA)

We have a standard DPA available to customers on request. Email support@lightfield.app and we'll send it over for review and signature.

How we handle your data

  • Encryption. Customer data is encrypted at rest and in transit (TLS).

  • Isolation. Each customer has a walled, isolated Lightfield instance. Data is not co-mingled across workspaces.

  • Retention. Data is retained while your workspace is active. Once a workspace is deleted, data is retained for 120 days and then removed.

  • Access controls. Role-based access with least-privilege principles, MFA across all in-scope systems, access revoked within 1 business day of employee termination.

  • SOC 2 Type 2. We're SOC 2 Type 2 certified (clean opinion). The full report is available under NDA. See SOC 2 and Security Overview.

AI and model training

We do not use customer data to train any AI models. We have no training agreements with our model providers. The model providers we use include Anthropic, OpenAI, Google, and AWS Bedrock. Prompts may be transiently cached for short durations (on the order of hours) for reliability and performance.

If you connect external tools via MCP, those interactions are subject to the respective provider's policies.

Data residency

Customer data is currently stored in the United States. This applies to production, backups, and replicated environments. If EU data residency is a requirement for your use case, let us know at support@lightfield.app.

Common questions

Can I use Lightfield if I have EU customers?

Most of our customers with EU contacts use Lightfield today under our standard DPA. Whether that's sufficient for your specific situation depends on the nature of the data you're processing, your role under GDPR (controller vs processor), and your own legal obligations to your EU customers. We're not able to give legal advice on that, but we're happy to walk through what we have in place. Contact support@lightfield.app with specifics.

Is there a sub-processor list?

Our core sub-processors include AWS for infrastructure and the AI model providers listed above. If you need a complete list for your own documentation, contact support@lightfield.app.

How do I handle a data subject request (deletion, access, export)?

You can export or delete records directly in Lightfield via the agent ("Export all data for [contact]" or "Delete [contact]"). For a workspace-level export or deletion, contact support@lightfield.app.

What's the difference between a DPA and being "GDPR compliant"?

A DPA is a contract between us and you that defines how we process personal data on your behalf and what each party's obligations are. It's one component of a customer's GDPR posture, alongside the technical and organizational controls we describe above.