SOC 2 & Security Overview

Content Type: Reference

8.9 SOC 2 and security overview

Lightfield (operated by Magical Tome Inc.) is SOC 2 Type 2 certified.

Audit details

• Auditor: Insight Assurance (Tampa, FL)

• Audit period: July 1 – September 30, 2025

• Report issued: January 5, 2026

• Trust services category: Security

• Outcome: Clean opinion — no exceptions

Access control

• Role-based access with least-privilege principles

• Multi-factor authentication (MFA) required across all in-scope systems

• Access revoked within 1 business day of employee termination

Data protection

• Customer data encrypted at rest and in transit (TLS)

• Each customer has a walled, isolated Lightfield instance — data is not co-mingled across workspaces

AI and model training

• Lightfield has no training agreements with AI model providers

• Your data is not used to train any AI models

Infrastructure

• Hosted on AWS

• Network segmentation and firewalls isolate customer data

• AWS GuardDuty for intrusion detection

• Continuous vulnerability scanning and anti-malware on all endpoints

Endpoint security

• Mobile device management (MDM) with enforced encryption on all company devices

• Background checks, confidentiality agreements, and annual security training for all employees and contractors

Software development

• Mandatory code review and approval before production deployment

• Annual penetration testing (no critical or high findings during the audit period)

Business continuity

• Incident response and BC/DR plans tested annually

• Annual risk assessments including fraud considerations

• Third-party vendor management program with annual reviews

Request the full SOC 2 report

Contact support@lightfield.app to request a copy of the full SOC 2 Type 2 report under NDA.

AWS infrastructure note

Lightfield is hosted on AWS. AWS's own physical and environmental controls are excluded from this report and are covered by AWS's separate SOC 2 certification.