Security & privacy

LSAS is built for teams that already operate in regulated environments. The implementation in this framework follows the open LSAS specification and focuses on keeping sensitive data inside your boundary while surfacing rich telemetry for audits and investigations.

The formal spec, schemas, and technical whitepaper are published at reactlabs-dev/lsas-spec. This runtime is designed to be a reference implementation of that work.

Data handling

  • Derived-only telemetry: no raw prompts or completions by default.
  • Explicit tenant/app IDs and environments for all events.
  • Postgres as the system of record, under your control and network boundary.
  • Optional redaction of PHI/PII before storage, based on policy packs.

Controls & observability

  • Configurable policy packs per app/tenant, mapped to LSAS risk domains.
  • Deterministic validators for PHI/PII, PCI, security, and accessibility.
  • Decision logging with risk scores, rule hits, and remediation actions.
  • Hooks for incident creation, case management, and downstream SIEM tooling.

Regulated workloads

  • HIPAA/PHI: minimum-necessary access, derived-only telemetry, and clear tenant IDs.
  • Clinical decision support: separating model output from the final clinical decision.
  • PCI and financial data: pattern-based detection for card data and sensitive numbers.
  • Internal-only vs outward-facing flows: different policy packs per surface.
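The derived-only telemetry, redaction-before-storage and pattern-based card detection described in the lists above, sketched as an added Python example (this is illustrative code written for this page, not the LSAS runtime's own implementation; the rule id `pci.pan_detected`, the risk weights, the event field names and the sample prompt are assumptions):

```python
import hashlib
import re

# Constructed sample input. 4539 1488 0343 6467 is a Luhn-valid test number, not a real card.
SAMPLE_PROMPT = "Refund order 7781 to card 4539 1488 0343 6467 please."

# 13-19 digits, optionally separated by single spaces or hyphens, starting and ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Deterministic Luhn check so that arbitrary long digit runs are not flagged as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_cards(text: str):
    """Replace every Luhn-valid card number with a fixed token; return (redacted text, hit count)."""
    hits = 0

    def repl(m):
        nonlocal hits
        if luhn_valid(re.sub(r"\D", "", m.group(0))):
            hits += 1
            return "[PAN_REDACTED]"
        return m.group(0)  # digit run that fails Luhn: left untouched, not counted

    return CARD_RE.sub(repl, text), hits


def process_prompt(tenant_id: str, app_id: str, env: str, prompt: str):
    """Return a derived-only telemetry event (never the prompt text) plus the redacted text."""
    # Rule id, risk weight and field names are assumptions for this example, not LSAS definitions.
    redacted, pan_hits = redact_cards(prompt)
    event = {
        "tenant_id": tenant_id,  # explicit tenant/app IDs and environment on every event
        "app_id": app_id,
        "env": env,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),  # derived, not raw
        "prompt_chars": len(prompt),
        "rule_hits": ["pci.pan_detected"] * pan_hits,
        "risk_score": min(100, 60 * pan_hits),
        "remediation": "redact_before_store" if pan_hits else "none",
    }
    return event, redacted
```

The event is what goes to the telemetry store and downstream SIEM hooks; the redacted text is the only form of the prompt that would be written to Postgres when a policy pack permits storing text at all.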

Further reading

LSAS is not a substitute for legal or compliance advice, but it is designed to make it easier to implement the controls your programs require.

  • HIPAA guidance on uses and disclosures of PHI (U.S. HHS).
  • FDA discussion papers on AI/ML-based software as a medical device (SaMD).
  • Your organization's internal security, privacy, and governance standards.