Client-safe trust documentation

Implementation Overview

This page summarizes the current implementation baseline behind the Imagine and Lucid trust program. It is designed to be safe to share with customers: specific enough to show real engineering and governance progress, but intentionally redacted so that it does not disclose secrets, internal configurations, or exploit-helpful detail.

This overview describes implemented baselines, active workstreams, mapped frameworks, and customer-shareable evidence types. It is not a penetration-test report, key-management disclosure, or blanket certification claim.
Status markers: Live legal baseline · 0 sections · Rights routing active · Docs-ready presentation
Last updated May 30, 2026

Need the packaged customer version?

The dedicated assurance packet turns the live trust model into a sanitized diligence handoff with review ownership, framework evidence, and download-friendly output.

Control entries: 10 · Implemented baseline: 7 · In progress: 3 · Framework mappings: 18

Client-safe control library

This view is intentionally safe to share with customers. It describes implemented control baselines, mapped frameworks, public evidence types, and boundaries without exposing sensitive configuration detail.

Privacy governance

Privacy notices and regional supplements

The privacy baseline now discloses controller identity, categories of data, purposes, sharing, transfer posture, retention framing, and rights handling across the covered web surfaces.

Status: Implemented baseline
Scope: Corporate site + Lucid legal surfaces
Public evidence
  • Published corporate privacy notice
  • Published Lucid privacy notice
  • Regional rights and disclosure supplements
Mapped frameworks: GDPR, CCPA / CPRA, Virginia VCDPA, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Brazil LGPD, Argentina privacy baseline, Colombia Law 1581, Mexico privacy law
Boundaries
  • Product lines with materially different data flows still require their own annex or notice supplement.
Owner: Privacy + legal
Review cadence: Quarterly or on material data-flow change

Consent and cookies

Consent management and cookie preference center

Non-essential browser technologies are positioned behind explicit choice, and users can revisit a live preference center after first interaction.

Status: Implemented baseline
Scope: Corporate site
Public evidence
  • Cookie banner with essential-only and optional choices
  • Live cookie preference center
  • Published cookie inventory and category descriptions
Mapped frameworks: GDPR, ePrivacy, CCPA / CPRA, Colorado Privacy Act, Connecticut Data Privacy Act, Brazil LGPD
Boundaries
  • Future browser vendors must still be entered into the integration governance registry before activation.
Owner: Privacy + engineering
Review cadence: Quarterly or before enabling a new non-essential browser technology

Data subject rights

Privacy request intake, triage, and SLA tracking

A structured rights-request workflow exists with public intake, verification gating, admin review, jurisdiction-aware due dates, and follow-up tracking.

Status: Implemented baseline
Scope: Corporate site + Lucid request handling
Public evidence
  • Public Privacy Request Center
  • Request-record workflow in admin operations
  • Operational due-date tracking and reminder automation
Mapped frameworks: GDPR, CCPA / CPRA, Virginia VCDPA, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Brazil LGPD, Argentina privacy baseline, Colombia Law 1581, Mexico privacy law, ISO 27701
Boundaries
  • Regulator- or counsel-specific edge cases may still require manual legal review.
Owner: Privacy operations
Review cadence: Weekly queue review plus daily operational monitoring

Data subject rights

Verified data export workflow

Verified requests can generate structured portable exports for repository-backed records, with scope notes where processor-side evidence still requires separate handling.

Status: In progress
Scope: Repository-backed user and privacy records
Public evidence
  • Admin export workflow for verified requests
  • Structured portable package generation
  • Request-level export metadata and audit trace
Mapped frameworks: GDPR, CCPA / CPRA, Virginia VCDPA, Colorado Privacy Act, Connecticut Data Privacy Act, Brazil LGPD, Argentina privacy baseline, Colombia Law 1581, Mexico privacy law, ISO 27701
Boundaries
  • Processor-side logs, vendor mailboxes, and backups remain part of the external fulfillment workflow rather than a single-click unified export.
Owner: Privacy + engineering
Review cadence: Monthly capability review

Data subject rights

Deletion preview and repository-scoped minimization

Deletion-like requests are reviewed through a preview-first workflow that minimizes or anonymizes retained records where legal, accounting, or security obligations remain.

Status: Implemented baseline
Scope: Repository-backed user, order, newsletter, and rights-request records
Public evidence
  • Preview-before-execution model
  • Repository-scoped anonymization execution path
  • Request-level execution summary and follow-up evidence tracking
Mapped frameworks: GDPR, CCPA / CPRA, Virginia VCDPA, Colorado Privacy Act, Connecticut Data Privacy Act, Brazil LGPD, Argentina privacy baseline, Colombia Law 1581, Mexico privacy law, ISO 27701
Boundaries
  • This control does not claim immediate purge of backups or third-party processors; those are tracked separately in the fulfillment workflow.
Owner: Privacy + engineering
Review cadence: Monthly control review

Audit and evidence

Structured audit trail with tamper-evident sealing

Security-significant events now flow into a structured audit log with sequence-aware tamper-evident sealing and integrity verification support.

Status: Implemented baseline
Scope: Auth, privacy, consent, and privileged workflow events
Public evidence
  • Structured audit event model
  • Tamper-evident audit chain for newly written entries
  • Integrity verification workflow and optional external forwarding path
Mapped frameworks: GDPR, CCPA / CPRA, SOC 2, ISO 27001, ISO 27701, ISO 27017, ISO 27018
Boundaries
  • Long-term enterprise retention policy and full external SIEM onboarding remain part of the continuing audit-readiness program.
Owner: Engineering
Review cadence: Quarterly plus incident-driven review

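To make the "sequence-aware tamper-evident sealing and integrity verification" control concrete, the following is an added example (not the Imagine/Lucid implementation, and not code from this page). It assumes an HMAC-SHA256 seal over each entry's sequence number, the previous entry's seal, and the canonicalized event; the sealing key, event shapes, and field names are constructed for the demonstration. The verifier reports the index of the first record that fails, which is what an integrity review needs to scope an investigation.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed sealing key for this demonstration only; a deployment keeps the key
# in a secrets store and rotates it, never in source.
SEAL_KEY = b"demo-seal-key-not-for-production"
GENESIS_SEAL = "0" * 64  # the "previous seal" of the very first entry


def canonical(obj: dict) -> bytes:
    """Stable serialization so the same entry always seals to the same value."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_entry(seq: int, prev_seal: str, event: dict, key: bytes = SEAL_KEY) -> str:
    """HMAC-SHA256 over the sequence number, the previous seal, and the event itself."""
    payload = canonical({"seq": seq, "prev": prev_seal, "event": event})
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_event(chain: List[dict], event: dict, key: bytes = SEAL_KEY) -> dict:
    """Append an event; its seal binds it to its position and to every prior entry."""
    seq = len(chain)
    prev_seal = chain[-1]["seal"] if chain else GENESIS_SEAL
    record = {"seq": seq, "prev": prev_seal, "event": event,
              "seal": seal_entry(seq, prev_seal, event, key)}
    chain.append(record)
    return record


def verify_chain(chain: List[dict], key: bytes = SEAL_KEY) -> Optional[int]:
    """Return None when every record verifies, otherwise the index of the first record
    that fails (edited content, bad seal, wrong key, gap, or reordering)."""
    prev_seal = GENESIS_SEAL
    for index, record in enumerate(chain):
        if record["seq"] != index or record["prev"] != prev_seal:
            return index  # missing, duplicated, or reordered entry
        expected = seal_entry(record["seq"], record["prev"], record["event"], key)
        if not hmac.compare_digest(expected, record["seal"]):
            return index  # content or seal was altered after writing
        prev_seal = record["seal"]
    return None


# Constructed sample events in the style of the audit categories named on this page.
SAMPLE_EVENTS = [
    {"type": "auth.admin_login", "actor": "admin@example.test", "step_up": True},
    {"type": "privacy.request.created", "request_id": "REQ-0001", "jurisdiction": "CA"},
    {"type": "consent.preferences.updated", "subject": "user-42", "analytics": False},
    {"type": "admin.role.assigned", "actor": "admin@example.test", "target": "ops@example.test"},
]


def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_event(chain, event)
    return chain


def demo() -> dict:
    """Exercise the tampering cases an integrity reviewer will ask about."""
    chain = build_sample_chain()
    edited = copy.deepcopy(chain)
    edited[1]["event"]["jurisdiction"] = "XX"        # silently rewrite a stored event
    deleted = copy.deepcopy(chain)
    del deleted[2]                                    # remove a record from the middle
    swapped = copy.deepcopy(chain)
    swapped[0], swapped[1] = swapped[1], swapped[0]   # reorder two records
    return {
        "intact": verify_chain(chain),                         # None
        "edited": verify_chain(edited),                        # 1
        "deleted": verify_chain(deleted),                      # 2
        "swapped": verify_chain(swapped),                      # 0
        "wrong_key": verify_chain(chain, key=b"other-key"),    # 0
        "head_seal": chain[-1]["seal"],
    }


if __name__ == "__main__":
    results = demo()
    print(json.dumps({k: v for k, v in results.items() if k != "head_seal"}, indent=2))
```

One caveat worth stating in any customer conversation: chain verification alone cannot detect truncation of the newest records, because a chain that simply stops early still verifies. The latest seal (`head_seal` above) therefore needs to be anchored somewhere the log writer cannot rewrite, for example carried along the optional external forwarding path listed under public evidence, so that verification can also confirm the chain ends where it should.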
Identity and access

RBAC and privileged-session hardening

Privileged access is being enforced through a central RBAC catalog, server-side permission checks on sensitive admin APIs, and step-up verification for admin login.

Status: Implemented baseline
Scope: Admin surfaces and high-risk internal APIs
Public evidence
  • Central RBAC role and permission catalog
  • Server-side checks on high-risk admin routes
  • Step-up MFA flow for privileged admin sessions
Mapped frameworks: GDPR, SOC 2, ISO 27001, ISO 27701, ISO 27017
Boundaries
  • Broader enterprise IAM and organization-wide joiner-mover-leaver automation remain in progress.
Owner: Engineering + leadership
Review cadence: Monthly access review

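The three evidence items above (central catalog, server-side checks, step-up verification) fit together as one authorization decision. The following is an added example of that pattern, not the project's own code: the role and permission names, the 15-minute step-up window, and the handler are all constructed for illustration. The point it shows is that the decision is deny-by-default, made on the server regardless of what the UI displayed, and that a valid role is still not enough for a high-risk permission without a recent step-up.

```python
import functools
import time
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple

# Central role -> permission catalog (constructed for this example; the names are
# illustrative, not the project's own role catalog).
ROLE_CATALOG = {
    "viewer":      {"users.read"},
    "support":     {"users.read", "privacy.requests.read"},
    "privacy-ops": {"users.read", "privacy.requests.read", "privacy.requests.export"},
    "admin":       {"users.read", "users.write", "privacy.requests.read",
                    "privacy.requests.export", "privacy.requests.delete"},
}

# High-risk permissions that additionally need a recent step-up verification.
STEP_UP_REQUIRED = {"users.write", "privacy.requests.export", "privacy.requests.delete"}
STEP_UP_MAX_AGE_SECONDS = 15 * 60  # assumed window; set from policy in a real deployment


@dataclass(frozen=True)
class Session:
    subject: str
    roles: Tuple[str, ...]
    step_up_at: Optional[float] = None  # epoch seconds of the last step-up MFA, if any


class AccessDenied(Exception):
    pass


class StepUpRequired(Exception):
    pass


def permissions_for(roles: Tuple[str, ...]) -> Set[str]:
    """Union of catalog permissions; an unknown role contributes nothing (deny by default)."""
    granted: Set[str] = set()
    for role in roles:
        granted |= ROLE_CATALOG.get(role, set())
    return granted


def authorize(session: Session, permission: str, now: Optional[float] = None) -> None:
    """Server-side decision: raise AccessDenied or StepUpRequired, return silently on allow."""
    now = time.time() if now is None else now
    if permission not in permissions_for(session.roles):
        raise AccessDenied(f"{session.subject} lacks {permission}")
    if permission in STEP_UP_REQUIRED:
        stale = (session.step_up_at is None
                 or now - session.step_up_at > STEP_UP_MAX_AGE_SECONDS)
        if stale:
            raise StepUpRequired(f"{permission} needs a fresh step-up for {session.subject}")


def require(permission: str) -> Callable:
    """Decorator that gates a handler on the server, independent of client-side state."""
    def decorator(fn: Callable) -> Callable:
        @functools.wraps(fn)
        def wrapper(session: Session, *args, **kwargs):
            authorize(session, permission)
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator


@require("privacy.requests.export")
def export_request(session: Session, request_id: str) -> dict:
    """Illustrative high-risk handler; the actual export logic is out of scope here."""
    return {"request_id": request_id, "exported_by": session.subject}


def decision(session: Session, permission: str, now: float) -> str:
    """Map the authorization outcome to a label suitable for an audit event."""
    try:
        authorize(session, permission, now)
        return "allow"
    except StepUpRequired:
        return "step-up"
    except AccessDenied:
        return "deny"


if __name__ == "__main__":
    t = 1_000_000.0
    print(decision(Session("support@example.test", ("support",)), "privacy.requests.export", t))
    print(decision(Session("ops@example.test", ("privacy-ops",)), "privacy.requests.export", t))
    print(decision(Session("ops@example.test", ("privacy-ops",), t - 60), "privacy.requests.export", t))
```

Recording the `decision` label together with the subject, permission, and route in the audit trail is what turns this check into reviewable evidence for the CC6 objective, since a monthly access review can then be run over the log rather than over screenshots.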
Vendor and processor governance

Vendor register and governance cadence

The covered stack now has a code-backed vendor register, a public transparency page, and an internal governance layer for review cadence, owners, and reassessment posture.

Status: Implemented baseline
Scope: Covered repository processors, infrastructure, and optional messaging/security vendors
Public evidence
  • Public subprocessors page
  • Machine-readable vendor register endpoint
  • Internal review-status tracking for active, optional, and migration-only vendors
Mapped frameworks: GDPR, CCPA / CPRA, Brazil LGPD, SOC 2, ISO 27001, ISO 27701, ISO 27017, ISO 27018
Boundaries
  • Environment-dependent provider identity and contract artifacts are still managed through internal contract systems where required.
Owner: Operations + privacy + engineering
Review cadence: Quarterly baseline with machine-readable status tracking

Monitoring and incident readiness

Security monitoring hooks and incident-readiness baseline

The operating baseline now includes optional central log forwarding, an incident-response playbook, and automated privacy-ops reminders for overdue or blocked request handling.

Status: In progress
Scope: Security events, privacy ops, and operational response
Public evidence
  • Optional central security log sink integration
  • Documented incident-response playbook
  • Automated privacy-ops reminder and escalation workflow
Mapped frameworks: GDPR, SOC 2, ISO 27001, ISO 27701, ISO 27017, ISO 27018
Boundaries
  • A full external SOC, SIEM, or formalized enterprise alerting program is not being claimed at this stage.
Owner: Engineering + operations
Review cadence: Quarterly program review

Accessibility and trust

Accessibility and trust transparency baseline

Accessibility and trust communication are being treated as part of the same delivery baseline, with a public compliance page, rights-intake paths, and roadmap visibility for standards work still in progress.

Status: In progress
Scope: Public legal, trust, and marketing surfaces
Public evidence
  • Public Security & Compliance page
  • Published accessibility roadmap statements
  • Reachable support and privacy intake channels on public pages
Mapped frameworks: WCAG 2.1 AA, SI 5568, ISO 27701
Boundaries
  • Full WCAG conformance requires continuing remediation and validation; it is not being claimed as complete yet.
Owner: Product + engineering
Review cadence: Quarterly accessibility review

Frameworks tracked: 5 · In progress: 5 · Objective rows: 18 · Updated: May 30, 2026

Framework readiness matrix

This matrix shows how the current repository controls are being organized toward major assurance frameworks. It stays customer-safe by showing implemented baselines, mapped control objectives, and boundaries without disclosing secrets or exploit-helpful detail.

Trust-services baseline for covered repository operations

SOC 2

The SOC 2 track is being organized around real control evidence instead of generic roadmap claims, using the current repository controls as the implementation baseline.

Status: In progress
This does not claim a completed SOC 2 report. It shows how existing controls are being aligned to the audit path.
Control objective: CC2 / Governance, policies, and transparency baseline
Status: In progress

Governance, published policy, and customer-facing trust disclosures are already structured as repeatable control surfaces.

Evidence types
  • Published legal pages
  • Control library
  • Trust roadmap statements
Mapped control ids: privacy-notices-regional-baseline, client-facing-accessibility-and-trust

Control objective: CC6 / Logical access and privileged control
Status: Implemented baseline

Privileged access is moving through central roles, server-side checks, and step-up verification rather than loose shared-admin behavior.

Evidence types
  • RBAC catalog
  • Permission-gated routes
  • Step-up MFA flow
Mapped control ids: privileged-access-hardening

Control objective: CC7 / Monitoring, logging, and anomaly-ready evidence
Status: In progress

Security-significant events are logged in a structured and tamper-evident way, with optional external forwarding and incident-readiness workflows.

Evidence types
  • Audit chain
  • Integrity verification
  • Incident-response playbook
Mapped control ids: audit-trail-and-tamper-evidence, monitoring-and-incident-readiness

Control objective: CC9 / Vendor and processor governance
Status: Implemented baseline

Infrastructure and processors are now part of a reviewable governance model instead of a hidden dependency list.

Evidence types
  • Vendor register
  • Governance cadence report
  • Public processor page
Mapped control ids: vendor-governance-and-subprocessors

Evidence packs: 5 · Shareable packs: 1 · Customer-safe artifacts: 19 · Review due soon: 1 · Artifacts in collection: 17 · Updated: May 30, 2026

Customer-safe assurance artifacts

This layer describes the artifact categories we can already point to in customer or partner diligence conversations, while keeping internal-only evidence private.

Evidence pack: SOC 2
Status: In collection

This does not claim a completed SOC 2 report. It shows how existing controls are being aligned to the audit path.

Customer packet: Refresh required
Release owner: Trust communications lead
Review freshness: overdue
Next target: 2026-06-19
Objectives: 4 · Available artifacts: 8 · Customer-safe: 5
Customer-safe release is approved for diligence while internal audit-only evidence continues to mature.
  • CC2 / Governance, policies, and transparency baseline (In collection)
    Published policy and trust page set: Customer-facing policy, privacy, cookie, and trust pages are published for the covered scope.
    Control-library and implementation summary: Customer-safe control summaries and framework mappings are available from the trust layer.
  • CC6 / Logical access and privileged control (In collection)
    RBAC catalog and permission model: Privileged operations are mapped to defined roles and permission classes.
  • CC7 / Monitoring, logging, and anomaly-ready evidence (In collection)
    Tamper-evident audit chain: Security-significant events are captured through a structured and tamper-evident audit path.
  • CC9 / Vendor and processor governance (In collection)
    Vendor transparency register: Infrastructure and processors are published through a live transparency register.

Evidence pack: ISO 27001
Status: In collection

This is a readiness view, not a certification statement.

Customer packet: Refresh required
Release owner: Trust communications lead
Review freshness: overdue
Next target: 2026-06-18
Objectives: 4 · Available artifacts: 4 · Customer-safe: 4
Customer-shareable baseline is approved, with ISMS management-review artifacts still tracked internally.
  • ISMS governance and policy baseline (In collection)
    Policy and governance baseline: The program has a published trust and governance baseline for the covered scope.
  • Access control and privileged administration (In collection)
    Role-based privileged access design: Privileged access is designed around centralized permissions and role assignment.
  • Logging, monitoring, and security-event evidence (In collection)
    Audit logging and integrity verification: Security-significant actions are logged and can be verified for integrity.
  • Supplier and cloud relationship governance (In collection)
    Supplier governance register: Supplier and processor governance is tracked as part of the trust baseline.

Evidence pack: ISO 27701
Status: In collection

This shows current privacy control alignment, not a completed PIMS certification.

Customer packet: Shareable now
Release owner: Trust communications lead
Review freshness: due soon
Next target: 2026-07-15
Objectives: 4 · Available artifacts: 5 · Customer-safe: 4
Customer-safe privacy assurance materials are approved and aligned to the current rights and consent flows.
  • Privacy governance and notice accountability (In collection)
    Privacy notice suite: Privacy notices and regional supplements are published for the covered web scope.
  • Consent and user choice management (Ready baseline)
    Consent preference center: Users can manage non-essential browser-technology choices through a live preference center.
  • Rights handling, export, deletion, and follow-up evidence (In collection)
    Rights intake and tracking workflow: A public rights-request workflow with verification, due dates, and follow-up exists for the covered scope.
  • Processor and subprocessor transparency (In collection)
    Processor transparency baseline: Processors and infrastructure dependencies are publicly disclosed for the covered scope.

Evidence pack: ISO 27017
Status: In collection

This is readiness alignment for cloud-security controls, not a formal cloud-certification claim.

Customer packet: Refresh required
Release owner: Trust communications lead
Review freshness: overdue
Next target: 2026-06-24
Objectives: 3 · Available artifacts: 3 · Customer-safe: 3
Cloud-governance assurance can be shared at a baseline level while shared-responsibility evidence expands internally.
  • Cloud shared-responsibility and provider governance (In collection)
    Cloud-provider governance register: Core cloud and infrastructure providers are governed through a live reviewable register.
  • Cloud-admin access and privileged operation control (In collection)
    Cloud-admin access baseline: Sensitive operational access is controlled through roles, permissions, and privileged-session hardening.
  • Cloud event logging and monitoring readiness (In collection)
    Cloud event logging baseline: Cloud-facing operations inherit a structured audit and monitoring baseline.

Evidence pack: ISO 27018
Status: In collection

This is a cloud-privacy readiness view, not a certification statement.

Customer packet: Refresh required
Release owner: Trust communications lead
Review freshness: overdue
Next target: 2026-06-24
Objectives: 3 · Available artifacts: 3 · Customer-safe: 3
Hosted-data privacy materials are approved for customer sharing, with deeper processor evidence still under internal collection.
  • Public-cloud privacy transparency and customer notice (In collection)
    Hosted privacy transparency baseline: Hosted-surface privacy transparency is already part of the public notice baseline.
  • PII access, export, and deletion handling in hosted systems (In collection)
    Hosted rights-request workflow: Hosted records can be searched, exported, and minimized through a rights workflow with verification and follow-up.
  • Hosted processor governance and contractual posture (In collection)
    Cloud processor governance baseline: Hosted processors and infrastructure are visible through the trust transparency layer.