// Trust & Security Report
Lucid Software Inc.
Lucid Suite visual collaboration platform: Lucidchart (intelligent diagramming with generative AI features), Lucidspark (virtual whiteboarding), and airfocus (product management/roadmapping). Add-ons include Cloud Accelerator, Process Accelerator, and Enterprise Shield (security hardening add-on). A separate FedRAMP-authorized government offering, Lucid GovSuite, runs on AWS GovCloud and is distinct from the standard commercial product.
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on lucid.co“Lucid complies with applicable local and international requirements and maintains compliance certifications, including: SOC 2 Type II”
Verify on lucid.co“Lucid complies with applicable local and international requirements and maintains compliance certifications, including: ... ISO 27001”
Verify on lucid.co“Lucid is also ISO 27701 certified.”
Verify on lucid.co“Lucid complies with applicable local and international requirements and maintains compliance certifications, including: ... PCI (merchant certification)”
Verify on lucid.co“Lucid is now FedRAMP Authorized at the Moderate security impact level, through sponsorship by the United States Drug Enforcement Administration (DEA)... Lucid GovSuite includes the Lucidspark virtual whiteboard and the Lucidchart diagramming application.”
Verify on lucid.co“IRAP Assessed at the PROTECTED Level”
Verify on lucid.co“Cloud Application Security Assessment (CASA)”
Verify on lucid.co“Lucid is committed to CCPA and GDPR compliance and ensures that it uses an approved framework (e.g., Standard Contractual Clauses or the EU-U.S. Data Privacy Framework)... Compliance certifications... EU-U.S. and Swiss-U.S. Data Privacy Framework”
> Show 3 unconfirmed / not-held certifications
source: lucid.cono public evidence: 'CSA STAR' does not appear anywhere on lucid.co/security or in Lucid's 'Compliance certifications' list. The security page states only that the trust center 'includes our SOC 2, CAIQ, and SIG documentation.' A CAIQ questionnaire is an input to CSA STAR Level 1 but is not itself a vendor-stated CSA STAR certification, and no CSA STAR listing is claimed on the vendor's own domain.
source: lucid.cono public evidence: HIPAA does not appear in Lucid's own 'Compliance certifications' list on lucid.co/security (SOC 2, PCI, Data Privacy Framework, FedRAMP, ISO 27001, ISO 27701, CASA, IRAP). No BAA offering or HIPAA page found on lucid.co or lucidchart.com. Third-party review-aggregator sites claim 'HIPAA Compliant' but this is not corroborated on the vendor's own domain.
source: lucid.cono public evidence: not listed among Lucid's certifications on lucid.co/security, and no ISO 42001 announcement found on any lucid.co page as of this assessment.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Not fully verified. Vendor references a 'Global data residency for Lucid' help article (gated/JS-rendered, could not confirm exact regions offered). Primary hosting is AWS with GovCloud used for the separate FedRAMP-authorized Lucid GovSuite.
Vendor states: 'Customer data is not used to train any generative AI models available to third parties.' Lucid AI features run on Microsoft Azure OpenAI Service; Lucid stores anonymized/redacted prompts and responses only for internal error handling and analysis, with 'no direct connection to individual Lucid users or documents.' AI features are optional and admins on Team/Enterprise accounts can disable them account-wide. A separate Data Processing Addendum is available for Enterprise customers.
// Security controls
Encryption in transit
HTTPS with TLS 1.2 or 1.3, symmetric key lengths up to 256 (AES), depending on connecting browser.
lucid.coEncryption at rest
AES-256 encryption at rest for all persisted application data; keys protected by AWS Key Management Service (with an optional customer-managed Lucid KMS under Enterprise Shield).
lucid.coInfrastructure
Hosted on AWS, Azure, and Google Cloud Platform; replicated across multiple availability zones with a 99.9% uptime guarantee for Enterprise customers.
lucid.coAccess control
Role-based permissions, principle of least privilege, SAML SSO, two-factor authentication, domain control/verification for Enterprise accounts.
lucid.coVulnerability disclosure / bug bounty
Public bug bounty program hosted on HackerOne; researchers may also report directly to security@lucid.co.
lucid.coEnterprise Shield add-on
Optional add-on for Enterprise/FedRAMP accounts adding IP allowlisting, idle session timeout, and Lucid-managed KMS.
lucid.co// Products & data scope
data: Diagram content, org/process data, optionally linked cloud infrastructure/data imports
Primary product covered by this assessment; standard multi-tenant SaaS, not the FedRAMP-authorized instance.
data: Whiteboard content, sticky notes, collaboration data
Shares Lucid Suite security/compliance posture with Lucidchart.
data: Roadmap, prioritization, and product backlog data
Acquired product line under the Lucid Suite umbrella; has its own separate privacy/security article on Lucid's help center, not independently verified here.
data: Same as Lucidchart/Lucidspark but hosted on AWS GovCloud
This is the product that actually carries the FedRAMP Authorized (Moderate) designation; the standard commercial Lucidchart/Lucid Suite product does not run in the FedRAMP-authorized environment.
// What to watch
- FedRAMP Authorized (Moderate) applies only to the separate Lucid GovSuite / AWS GovCloud offering, not to the standard commercial Lucidchart product most AIFOXX visitors would sign up for. Listing FedRAMP as a blanket product attribute would be an over-claim; it should be scoped to the Gov offering.
- HIPAA compliance is claimed by third-party review/aggregator sites (e.g. security-profile scanners) but is absent from Lucid's own trust center and security page compliance list. Do not list HIPAA as held without a vendor-confirmed BAA offering.
- CSA STAR is graded held=false: the term 'CSA STAR' does not appear on lucid.co/security or in Lucid's compliance certifications list. Only a CAIQ document (an input to CSA STAR Level 1) is referenced in the trust center, which is not a vendor-domain statement of a CSA STAR certification. Do not list CSA STAR as held without direct vendor-domain confirmation.
- Could not verify the specific data-residency regions/options (help center article on global data residency returned a 403/gated response); left as an open item rather than guessed.
- airfocus (product management sub-product under the same corporate umbrella) has a separate privacy/security document; this assessment covers the core Lucid Suite (Lucidchart/Lucidspark) posture and does not independently verify airfocus's compliance posture.
// At a glance
Pricing model
Freemium with paid Individual, Team, and Enterprise tiers; Enterprise adds SSO, admin controls, Enterprise Shield, and a Data Processing Addendum
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Lucid Software Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.lucid.co