Secure and Compliant Data Protection

ISO 27001

ISO 27001 is a globally recognized standard that sets out the requirements for an information security management system (ISMS). The certification shows that Laser AI has a documented framework of policies, procedures, and controls in place to protect sensitive information from unauthorized access, disclosure, or compromise. To receive its ISO 27001 certification, Laser AI was assessed by an independent, accredited certification body.

Laser AI’s ISO 27001 certification covers all aspects of its operations, including software development, technical support, and hosting services. This scope means that our systems and processes are designed to identify, manage, and mitigate risks to the confidentiality, integrity, and availability of our clients' information.

To maintain the ISO 27001 certification, Laser AI undergoes regular surveillance and recertification audits by the external certification body to confirm ongoing compliance with the standard. These audits require us to continually improve our information security management system and to adapt it to emerging risks and technological change.

This certification not only reinforces Laser AI's dedication to information security but also establishes us as a trusted partner for organizations in various industries, including healthcare, research, and government. Clients and partners can confidently rely on our software knowing that their sensitive information is protected by internationally recognized security standards.


SOC 2®

A SOC 2 Type 2 report is an attestation, not a certification: an independent certified public accounting firm examines a company's internal controls against the Trust Services Criteria of the AICPA (American Institute of Certified Public Accountants) and reports on both their design and their operating effectiveness over the review period (a Type 1 report covers design at a single point in time only). Laser AI's SOC 2 Type 2 report shows that our security controls operated effectively throughout the audited period, giving clients assurance that their sensitive data is protected.
This report is the result of multi-year effort and substantial investment in security and compliance, and it supports our aim of making Laser AI the most secure option for systematic reviews.

This latest achievement adds to our portfolio of security attestations. Laser AI is, to our knowledge, the only product in the systematic review automation space to hold ISO 27001 certification, FedRAMP LI-SaaS authorization, and a SOC 2 Type 2 report. The combination of these three independent assessments sets Laser AI apart from competitors and underscores our commitment to data security and privacy.


FedRAMP® LI-SaaS

Our FedRAMP LI-SaaS authorization (FedRAMP grants authorizations, not certifications) means that Laser AI can be integrated securely and efficiently into federal customers’ workflows to accelerate their research.

Laser AI is a cloud-based software platform that uses machine learning to automate and streamline the management of large volumes of scientific literature. It speeds up the process, decreases the costs, and improves the quality of literature reviews by letting overworked human specialists focus on the essential judgments and offload repetitive tasks to the AI-enabled system. Laser AI’s security-by-design approach includes a cloud-native platform built on container orchestration (Kubernetes) and operated with DevSecOps practices.

FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It helps federal agencies move from legacy IT to secure, easy-to-deploy, and cost-effective cloud-based solutions. The LI-SaaS (Low Impact Software as a Service) baseline applies to SaaS offerings that handle low-impact data.


Our company's compliance is continuously monitored and regularly audited by a qualified third party. For a detailed compliance status, please view this link.

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Customer ("Controller") and Laser AI ("Processor") regarding the use of Laser AI services.


Effective Date: Jan 1, 2024

Applicability: This DPA applies to all customers of Laser AI services provided by Evidence Prime.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Controller" means the Customer who determines the purposes and means of Processing.
  • "Processor" means Laser AI who Processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to Process Personal Data.

2. Scope and Purpose

2.1 Services

This DPA applies to the Processing of Personal Data by the Processor in connection with providing Laser AI services, including:

  • AI-powered literature review services
  • Search query construction
  • Document search and screening
  • Data extraction
  • Report generation
  • Team and project management
  • Integration with external systems

2.2 Personal Data Types

Types of Personal Data processed:

  • User's full name
  • User's email address
  • User's organizational affiliation

3. Obligations of the Processor

3.1 The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller
  2. Ensure confidentiality of Processing
  3. Implement appropriate technical and organizational security measures
  4. Assist the Controller in responding to data subjects' requests
  5. Notify the Controller of any Personal Data breach without undue delay
  6. Delete or return Personal Data upon termination of services

4. Sub-processors

4.1 Categories of Sub-processors

The Processor uses the following categories of Sub-processors:

a) Platform as a Service (PaaS) hosting:

  • Microsoft Azure
  • Hetzner
  • OVH

b) Backup services:

  • Microsoft Azure
  • Amazon AWS

c) NLP model providers:

  • OpenAI
  • Microsoft Azure

d) Email services:

  • Amazon AWS
  • Mailgun

e) Monitoring and logging:

  • Sentry.io
  • GlitchTip
  • Microsoft Azure

4.2 Data Location Options

  • Hetzner: EU regions only
  • Microsoft Azure: All regions available
  • Amazon AWS: All regions available
  • OVH: USA, Canada, EU regions

4.3 Sub-processor Authorization

The Controller authorizes the Processor to engage Sub-processors, provided that:

  1. The Processor informs the Controller of any changes
  2. Sub-processors are bound by equivalent data protection obligations
  3. The Processor remains liable for Sub-processors' compliance

5. Data Security

5.1 The Processor implements appropriate technical and organizational measures to ensure security appropriate to the risk, including:

  1. Encryption of Personal Data
  2. Ability to ensure confidentiality, integrity, and availability
  3. Regular testing and evaluation of measures
  4. Documented access control procedures

6. International Transfers

6.1 Any transfer of Personal Data outside the EU/EEA shall be subject to appropriate safeguards as required by applicable data protection law.

7. Audit Rights

7.1 The Controller has the right to audit the Processor's compliance with this DPA, provided reasonable notice is given.

8. Term and Termination

8.1 This DPA shall remain in effect for the duration of the Processing of Personal Data by the Processor.

9. Governing Law

9.1 This DPA shall be governed by the laws applicable to the Terms of Service.

10. Contact

For any questions regarding this DPA, please contact privacy@laser.ai
