Security
Livy stores the durable record of how a jurisdiction makes decisions. Auditability, access control, and tenant isolation aren’t features — they’re architectural constraints, enforced at the API boundary, not the UI.
Every change is recorded. Not a single mutation in Livy reaches the database without an append-only audit log entry — every edit, approval, vote, comment, and configuration change. Reconstruct who changed what, and when. The audit trail is never silently overwritten.
Role-based permissions are enforced at the API boundary, not the UI. Closed-session items and confidential fields are redacted server-side before they reach unauthorized callers. The permission matrix is explicit and inspectable; new endpoints can’t ship without declaring their gate.
Every request is scoped to your organization. Every identifier from a caller is verified to match the caller’s tenant before any read or write happens — there are no inputs that quietly cross between jurisdictions. Cross-tenant access is impossible by construction, not by promise.
Refresh tokens are hashed and revocable. Public writes require an email-verified account. Public forms (signup, password reset, public comments) are protected by Cloudflare Turnstile.
Attachments are served through per-request signed URLs scoped to the viewer. Confidential content never crosses the wire to a non-admin viewer. Bell-pane notifications are retained for 30 days; the durable record lives on the audit log, which is append-only.
Your data is never used to train a third-party model. This is a contractual commitment in our Master Services Agreement. AI features (summaries, drafting, minutes) run on enterprise inference endpoints that do not retain prompts or outputs for training.
All traffic between your browser and Livy is encrypted with TLS. Attachments at rest live in object storage with provider-managed encryption. Hosting runs on Railway in U.S. regions; subprocessor details are published in our DPA.
Our subprocessor list, Data Processing Addendum, and Master Services Agreement are public. Any change to subprocessors is reflected on the published list before the change goes live.
The full set of agreements that govern Livy is published. Every commitment on this page is reflected there in contract form.
If you believe you’ve found a security issue in Livy, email security@livygov.com. We’ll respond within one business day and keep you updated through resolution. Please don’t test against jurisdictions that aren’t your own.