Information Security — LabReadAI
This document describes the data protection measures and secure transmission procedures applied by the LabReadAI service. The document follows the requirements of Russian Federal Law No. 152-FZ "On Personal Data", the PCI DSS standard, and Tinkoff Kassa requirements. The legally binding version is the Russian one at labreadai.com/security.
1. Data transport security
- All connections to labreadai.com are made exclusively over HTTPS with TLS 1.2/1.3 encryption and modern cipher suites (AES-GCM, CHACHA20).
- The TLS certificate is issued by a trusted certification authority; expiry is monitored automatically.
- HSTS (Strict-Transport-Security) is enforced with a long max-age and the preload directive, so browsers refuse to load the site over plain HTTP.
- Security headers are applied: Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Cross-Origin-Resource-Policy, Referrer-Policy.
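The headers listed above can be verified mechanically. The following checker is an added example, not LabReadAI's own code: it takes a dictionary of response headers (the sample sets below are constructed, not captured from labreadai.com) and reports every deviation from the policy in this section. The one-year minimum for max-age is an assumption taken from the HSTS preload list's submission requirements, since the page only says "long".

```python
"""Check HTTP response headers against the transport-security policy in section 1.

Added example; the sample header sets are constructed for illustration.
"""

# hstspreload.org requires max-age >= 1 year, includeSubDomains and preload
# before a domain is accepted (assumption: the page itself says only "long").
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, include_subdomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                max_age = None  # unparsable value is treated as absent
        elif d == "includesubdomains":
            include_sub = True
        elif d == "preload":
            preload = True
    return max_age, include_sub, preload


def check_headers(headers):
    """Return a list of findings; an empty list means every check in section 1 passed.

    headers: dict of response header name -> value (names matched case-insensitively).
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        max_age, include_sub, preload = parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short: {max_age}")
        if preload and not include_sub:
            findings.append("HSTS preload requires includeSubDomains")
        if not preload:
            findings.append("HSTS preload directive missing")

    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "frame-ancestors" not in csp.lower():
        # frame-ancestors is the CSP counterpart of X-Frame-Options; having both
        # covers browsers that honour only one of them.
        findings.append("CSP has no frame-ancestors directive")

    if not h.get("cross-origin-resource-policy"):
        findings.append("Cross-Origin-Resource-Policy missing")
    if not h.get("referrer-policy"):
        findings.append("Referrer-Policy missing")
    return findings


# Constructed sample that satisfies the policy ...
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# ... and a constructed sample with typical gaps.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, check_headers(hdrs) or "OK")
```

To run it against a live response, pass `dict(response.headers)` from whatever HTTP client you already use; the checker deliberately has no network dependency so it can also run in CI against a recorded header set.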
2. Payment data security
LabReadAI does not collect, transmit, or store user bank card details. The payment process is fully isolated on the side of AO TBank (Tinkoff Kassa):
- Card details are entered on a secure Tinkoff Kassa page; data does not cross the Provider's perimeter.
- Payments are confirmed through the 3-D Secure 2 protocol (Visa Secure, Mastercard Identity Check, MIR Accept): the cardholder approves the payment with a push notification or a one-time code.
- The payment processor is certified to PCI DSS Level 1 (highest) — the international card networks' requirement for online card processing.
- From Tinkoff Kassa the Provider receives only anonymised data: operation ID, status, amount, and a masked card number (e.g., 4*** **** **** 1234) — for accounting and refunds.
3. Data-at-rest protection
- Files uploaded by the user are deleted from the servers immediately after extraction of textual data and result generation.
- The interpretation result is stored for a strictly limited time (7 days) and automatically deleted afterwards.
- Access to the server infrastructure is protected by authentication; operations are logged for traceability.
- Databases containing technical identifiers and payment metadata are hosted on servers located in the Russian Federation.
- Backups are encrypted and stored separately from the main infrastructure.
4. Access control
- Administrative access is restricted to the Provider only and protected by two-factor authentication.
- The service does not have a public interface for third parties to view user files or Results.
- The unique link to the Result is generated by a cryptographically strong method and is not feasibly guessable.
- Sharing this link with third parties is at the user's own discretion and responsibility.
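What "cryptographically strong" and "not feasibly guessable" mean in practice is shown by the added example below. It is not LabReadAI's code and goes beyond the page in two assumed details: the token is 256 bits drawn from the operating system's CSPRNG, and the server stores only a SHA-256 digest of each token, so a copy of the database does not by itself yield working Result links.

```python
"""Generate and look up unguessable Result-link tokens.

Added example, not the service's own implementation. Assumptions: 32-byte
tokens and a server-side store holding only token digests.
"""
import hashlib
import secrets

TOKEN_BYTES = 32  # 256 bits from os.urandom via the secrets module (assumed length)


def new_result_token():
    """Return a URL-safe token for a Result link; 32 bytes encode to 43 characters."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def token_digest(token):
    """Digest stored instead of the token itself.

    A stored digest cannot be turned back into the link, and a timing
    difference on the digest comparison reveals nothing about the token,
    since the attacker would need a SHA-256 preimage to exploit it.
    """
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ResultStore:
    """Minimal in-memory store keyed by token digest."""

    def __init__(self):
        self._by_digest = {}

    def put(self, result):
        """Store a Result and hand back the only copy of its access token."""
        token = new_result_token()
        self._by_digest[token_digest(token)] = result
        return token

    def get(self, token):
        """Return the Result for a presented token, or None if it is unknown."""
        return self._by_digest.get(token_digest(token))

    def delete(self, token):
        """Remove a Result (e.g. at the end of the 7-day retention period)."""
        return self._by_digest.pop(token_digest(token), None)

    def guess_probability(self):
        """Chance that a single random guess hits any live Result."""
        return len(self._by_digest) / 2 ** (TOKEN_BYTES * 8)


if __name__ == "__main__":
    store = ResultStore()
    link_token = store.put({"summary": "constructed sample result"})
    print("token:", link_token)
    print("lookup:", store.get(link_token))
    print("one-guess hit probability:", store.guess_probability())
```

The guess probability with a handful of live Results is on the order of 10^-77 per attempt, which is why rate limiting is a secondary control here rather than the primary one; the design choice that actually matters is never deriving the link from a sequential ID, timestamp or user identifier.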
5. Incident response
In case of an information security incident (unauthorised access, data leak), the Provider promptly takes measures to contain, remediate, and notify affected users and the supervisory authority (Roskomnadzor) within the periods set by Russian law.
6. Recommendations to users
- Do not share the unique Result link with third parties unless you intend to share its content.
- Use up-to-date browser versions to ensure correct operation of modern encryption standards.
- Avoid using public Wi-Fi without a VPN when working with medical data.
- If you receive suspicious emails "from LabReadAI" asking for card details, treat them as phishing: the Provider never requests card data by email or phone.
7. Security contact
If you have discovered a vulnerability or suspect a security incident, please report it to: info@labreadai.com
Last updated: May 1, 2026.