Security

Last updated: July 21, 2025

We take security seriously in order to protect our users' data. This page explains our security approach for Rao and the data handling practices of our model providers.

We're continuously improving our product and strengthening our security practices. We are working toward HIPAA compliance and SOC 2 Type II certification; until both are in place, we recommend that you do not use Rao with highly sensitive or regulated data such as PHI.

We encourage you to review this information carefully to make an informed decision about Rao's suitability for your specific use case.

If you have security-related questions or concerns, please reach out to us at founders@lotas.ai.

Infrastructure & Model Providers

  • Lotas: Our platform maintains strict data handling practices to protect user privacy and security. Lotas does not store conversations from its users and does not use any user data to train models. We also do not knowingly or purposefully collect or store sensitive personal information for the purpose of uniquely identifying people or building profiles.
  • AWS: Our infrastructure is hosted on AWS. All of our servers are located in the US.
  • OpenAI: Rao communicates with OpenAI's models via the OpenAI API. We have a zero data retention (ZDR) agreement with OpenAI, and your data is by default not used to train OpenAI models. We are in the process of signing a Business Associate Agreement (BAA) with OpenAI to allow our users to analyze data that contains Protected Health Information (PHI) and is regulated under HIPAA.

    For more information regarding OpenAI's data handling practices, please visit the API Platform FAQ and Model Training FAQ sections in OpenAI's Enterprise Privacy site. For more information on OpenAI's security certifications, please consult their trust portal.

  • Anthropic: Rao communicates with Anthropic's Claude models via the Anthropic API. We have a zero data retention (ZDR) agreement with Anthropic, and your data is by default not used to train Anthropic models. We are also in the process of signing a Business Associate Agreement (BAA) with Anthropic to allow our users to analyze data that contains Protected Health Information (PHI) and is regulated under HIPAA.

    For more information regarding Anthropic's data handling and retention practices, please visit their Commercial Customers page on their privacy site. If you'd like to know more about Anthropic's security certifications, please consult their Trust Center.

  • Clerk: We use Clerk to manage user authentication. Clerk records your email and name.
  • Stripe: We use Stripe to manage payments. Stripe records your name, email, card information, and billing address. Apart from name and email, Lotas does not have access to your payment information.
  • Vercel: We use Vercel to host our website and Vercel Analytics to monitor website traffic.
  • PostHog: Lotas sends product analytics to PostHog only when the user opts in by switching their mode from "Secure" to "Improve Rao for everyone" on Rao's settings page; until a user does so, no analytics are sent to PostHog. The setting can be toggled back at any time from the same page.

Important Notice About Sensitive Data

Important: If your data is regulated under HIPAA (for example, PHI), or is otherwise sensitive or confidential, do not input it into our product at this time.

Lotas is in the process of signing a Business Associate Agreement (BAA) with OpenAI and Anthropic to allow our users to input data under HIPAA regulations.