// Trust & Security Report

    Lucid Software Inc. logo

    Lucid Software Inc.

    Lucid Suite visual collaboration platform: Lucidchart (intelligent diagramming with generative AI features), Lucidspark (virtual whiteboarding), and airfocus (product management/roadmapping). Add-ons include Cloud Accelerator, Process Accelerator, and Enterprise Shield (security hardening add-on). A separate FedRAMP-authorized government offering, Lucid GovSuite, runs on AWS GovCloud and is distinct from the standard commercial product.

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Lucid complies with applicable local and international requirements and maintains compliance certifications, including: SOC 2 Type II

    Verify on lucid.co
    ISO 27001
    HELD

    Lucid complies with applicable local and international requirements and maintains compliance certifications, including: ... ISO 27001

    Verify on lucid.co
    ISO 27701 (privacy information management)
    HELD

    Lucid is also ISO 27701 certified.

    Verify on lucid.co
    PCI (merchant certification)
    HELD

    Lucid complies with applicable local and international requirements and maintains compliance certifications, including: ... PCI (merchant certification)

    Verify on lucid.co
    FedRAMP Authorized (Moderate) - Lucid GovSuite only
    HELD

    Lucid is now FedRAMP Authorized at the Moderate security impact level, through sponsorship by the United States Drug Enforcement Administration (DEA)... Lucid GovSuite includes the Lucidspark virtual whiteboard and the Lucidchart diagramming application.

    Verify on lucid.co
    IRAP (Australia) - Assessed at PROTECTED level
    HELD

    IRAP Assessed at the PROTECTED Level

    Verify on lucid.co
    CASA (Cloud Application Security Assessment)
    HELD

    Cloud Application Security Assessment (CASA)

    Verify on lucid.co
    EU-U.S. and Swiss-U.S. Data Privacy Framework
    HELD

    Lucid is committed to CCPA and GDPR compliance and ensures that it uses an approved framework (e.g., Standard Contractual Clauses or the EU-U.S. Data Privacy Framework)... Compliance certifications... EU-U.S. and Swiss-U.S. Data Privacy Framework

    Verify on lucid.co
    > Show 3 unconfirmed / not-held certifications
    CSA STAR
    NOT CONFIRMED

    no public evidence: 'CSA STAR' does not appear anywhere on lucid.co/security or in Lucid's 'Compliance certifications' list. The security page states only that the trust center 'includes our SOC 2, CAIQ, and SIG documentation.' A CAIQ questionnaire is an input to CSA STAR Level 1 but is not itself a vendor-stated CSA STAR certification, and no CSA STAR listing is claimed on the vendor's own domain.

    source: lucid.co
    HIPAA
    NOT CONFIRMED

    no public evidence: HIPAA does not appear in Lucid's own 'Compliance certifications' list on lucid.co/security (SOC 2, PCI, Data Privacy Framework, FedRAMP, ISO 27001, ISO 27701, CASA, IRAP). No BAA offering or HIPAA page found on lucid.co or lucidchart.com. Third-party review-aggregator sites claim 'HIPAA Compliant' but this is not corroborated on the vendor's own domain.

    source: lucid.co
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    no public evidence: not listed among Lucid's certifications on lucid.co/security, and no ISO 42001 announcement found on any lucid.co page as of this assessment.

    source: lucid.co

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Not fully verified. Vendor references a 'Global data residency for Lucid' help article (gated/JS-rendered, could not confirm exact regions offered). Primary hosting is AWS with GovCloud used for the separate FedRAMP-authorized Lucid GovSuite.

    Vendor states: 'Customer data is not used to train any generative AI models available to third parties.' Lucid AI features run on Microsoft Azure OpenAI Service; Lucid stores anonymized/redacted prompts and responses only for internal error handling and analysis, with 'no direct connection to individual Lucid users or documents.' AI features are optional and admins on Team/Enterprise accounts can disable them account-wide. A separate Data Processing Addendum is available for Enterprise customers.

    // Security controls

    Encryption in transit

    HTTPS with TLS 1.2 or 1.3, symmetric key lengths up to 256 (AES), depending on connecting browser.

    lucid.co

    Encryption at rest

    AES-256 encryption at rest for all persisted application data; keys protected by AWS Key Management Service (with an optional customer-managed Lucid KMS under Enterprise Shield).

    lucid.co

    Infrastructure

    Hosted on AWS, Azure, and Google Cloud Platform; replicated across multiple availability zones with a 99.9% uptime guarantee for Enterprise customers.

    lucid.co

    Access control

    Role-based permissions, principle of least privilege, SAML SSO, two-factor authentication, domain control/verification for Enterprise accounts.

    lucid.co

    Vulnerability disclosure / bug bounty

    Public bug bounty program hosted on HackerOne; researchers may also report directly to security@lucid.co.

    lucid.co

    Enterprise Shield add-on

    Optional add-on for Enterprise/FedRAMP accounts adding IP allowlisting, idle session timeout, and Lucid-managed KMS.

    lucid.co

    // Products & data scope

    LucidchartIntelligent diagramming (flowcharts, org charts, ERDs, cloud/infra diagrams) with generative AI (Lucid AI, AI Prompt Flow) via Azure OpenAI Service

    data: Diagram content, org/process data, optionally linked cloud infrastructure/data imports

    Primary product covered by this assessment; standard multi-tenant SaaS, not the FedRAMP-authorized instance.

    LucidsparkVirtual whiteboarding

    data: Whiteboard content, sticky notes, collaboration data

    Shares Lucid Suite security/compliance posture with Lucidchart.

    airfocusProduct management and roadmapping

    data: Roadmap, prioritization, and product backlog data

    Acquired product line under the Lucid Suite umbrella; has its own separate privacy/security article on Lucid's help center, not independently verified here.

    Lucid GovSuiteGovernment-only bundle of Lucidchart + Lucidspark

    data: Same as Lucidchart/Lucidspark but hosted on AWS GovCloud

    This is the product that actually carries the FedRAMP Authorized (Moderate) designation; the standard commercial Lucidchart/Lucid Suite product does not run in the FedRAMP-authorized environment.

    // What to watch

    • FedRAMP Authorized (Moderate) applies only to the separate Lucid GovSuite / AWS GovCloud offering, not to the standard commercial Lucidchart product most AIFOXX visitors would sign up for. Listing FedRAMP as a blanket product attribute would be an over-claim; it should be scoped to the Gov offering.
    • HIPAA compliance is claimed by third-party review/aggregator sites (e.g. security-profile scanners) but is absent from Lucid's own trust center and security page compliance list. Do not list HIPAA as held without a vendor-confirmed BAA offering.
    • CSA STAR is graded held=false: the term 'CSA STAR' does not appear on lucid.co/security or in Lucid's compliance certifications list. Only a CAIQ document (an input to CSA STAR Level 1) is referenced in the trust center, which is not a vendor-domain statement of a CSA STAR certification. Do not list CSA STAR as held without direct vendor-domain confirmation.
    • Could not verify the specific data-residency regions/options (help center article on global data residency returned a 403/gated response); left as an open item rather than guessed.
    • airfocus (product management sub-product under the same corporate umbrella) has a separate privacy/security document; this assessment covers the core Lucid Suite (Lucidchart/Lucidspark) posture and does not independently verify airfocus's compliance posture.

    // At a glance

    Pricing model

    Freemium with paid Individual, Team, and Enterprise tiers; Enterprise adds SSO, admin controls, Enterprise Shield, and a Data Processing Addendum

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Lucid Software Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.lucid.co

    > Browse all vendor trust reports