We Provide
Security You Can Trust

Journey.do is built to meet the security, privacy, and accountability needs of organizations operating in high-trust, high-responsibility environments. Our platform and practices align with the SOC 2 Trust Services Criteria and are designed to support HIPAA-regulated use cases, along with other applicable state, county, and federal requirements.

We safeguard sensitive data across justice, recovery, social services, education, and other mandated change programs—combining strong technical controls with clear governance and human oversight. We partner with Vanta to continuously monitor and strengthen our security posture through ongoing control validation, audits, penetration tests, and periodic third-party testing.

Our AI systems are built with privacy, fairness, and security in mind. User data is not stored for model training or shared externally, and all AI-generated insights are reviewed by trained staff before being shared—ensuring human oversight and mitigating bias.

More on Safety and Security

More on Journey
Contract Resources

We understand trust begins with security. Our robust security measures ensure that your data is always safe, protected, and handled with care. From implementing advanced encryption standards and secure authentication methods to providing detailed audit trails, we take every precaution to maintain the integrity of your information. (Read more -->)

Supported by the National Science Foundation, we have been able to research and integrate AI to ensure personalized care. We run our AI in a safe and secure private instance within our Amazon Cloud, using Claude AI developed by Anthropic. No models are trained or data is saved (Read more -->)

To ensure seamless access to the Journey.do platform while maintaining a secure environment, we provide the following guidelines for network administrators to properly configure firewall and proxy settings. This will ensure that the necessary domains and services are whitelisted, allowing uninterrupted access. (Read more -->)

We take security, privacy, and trust seriously across everything we build and deliver. Our systems, processes, and people are designed to protect sensitive data, ensure reliability, and uphold the highest standards of responsible data stewardship. (read more)

SECURITY STATEMENT

Security in Journey.do

At Journey.do, we understand that trust begins with security. Security is built into the fabric of our cloud platform, infrastructure, and processes, ensuring your data is safeguarded at every level. Our robust security measures include encryption for data at rest and in transit, strict AI safeguards, role-based access control (RBAC), multi-factor authentication (MFA), and a multi-tenant architecture, ensuring data integrity and responsible handling.

We deliver an annual uptime of 99.85% and prioritize transparency, accountability, and privacy. User data is securely retained for up to three years to support reporting and long-term impact evaluation, with the option for organizations to request a shorter retention period. 

Our AI systems are built with privacy, fairness, and security in mind. No user data is stored, shared externally, or used to refine AI models. All AI-generated insights are reviewed by staff before being shared, ensuring human oversight and mitigating bias.

By leveraging cutting-edge AWS infrastructure and maintaining strict security protocols, we provide a secure, resilient environment for every interaction. With Journey.do, you can trust that your data is protected while receiving personalized care and exceptional service.

Download Security Statement

Our Written Information Security Policy (WISP) outlines how we protect your data with clear protocols for access, encryption, and incident response, ensuring compliance with the highest industry standards. It’s a testament to our commitment to safeguarding your information and maintaining your trust.

If you would like to receive a copy of Journey.do’s latest WISP, please send a request to support@lifelabstudios.org. Since an NDA is required, please include your company’s full name, company address, and place of incorporation. 

PRODUCT SECURITY

Multi-factor Authentication (MFA)
Journey.do provides advanced account protection through MFA using One-Time Passwords (OTP) and Google Authenticator. For environments like detention facilities, innovative Two-Factor Authentication (2FA) options allow officers to generate and share authentication codes securely with youth.

Role-based Access Control (RBAC)
Journey.do is deployed with various defined user roles with respective permissions; however, administrators have control over user roles, permissions, and access. RBAC ensures users can access only data and features relevant to their roles.

Secure Transmission and Sessions
All data transmissions are encrypted via SSL/TLS, ensuring secure connections. Individual sessions are uniquely tokenized and re-verified for security. 

DATA SECURITY
Encryption
• Data at Rest: Encrypted using AES-256, ensuring sensitive information remains secure.
• Data in Transit: Encrypted using HTTPS/TLS 1.2 or newer.

Password Security
Users’ account passwords stored only in hashed form, using bcrypt with a modern industry standard work factor. 

Data Retention and Transparency
Journey.do collects and securely stores personal data only for as long as necessary to support users’ growth journeys. Users or guardians may request data deletion at any time by contacting support@lifelabstudios.org. Requests are reviewed in compliance with legal and contractual obligations.

Data Deletion
Upon program completion, user accounts are archived, maintaining secure storage within AWS infrastructure.

• Retention Period: User data is retained for up to three (3) years following program completion to fulfill reporting requirements and support long-term impact evaluations. Upon request, counties may opt for a shorter retention period.
• Data Eradication: After the three-year retention period, all personally identifiable information (PII) is redacted, ensuring that individual users and their actions can no longer be traced.
• Security Protections: During the retention period, all archived data remains protected by industry-standard encryption and access controls, preventing unauthorized access or misuse.

Privacy Policy
Journey.do’s Privacy Policy details how personal data is collected, used, and protected. It adheres to GDPR and other legal requirements, offering users rights like data access, correction, and deletion. Visit the privacy policy on our website for more details.
Visit our privacy policy here.

Data Ownership
Users retain ownership of their data, and Journey.do retains no rights beyond service functionality.
Visit our terms of use policy here.

Transparency
Personal data is collected and securely stored only for as long as necessary, with clear retention and deletion policies. 

INCIDENT MANAGEMENT AND RESPONSE
Incident Response Plan (IRP)
Journey.do employs a structured IRP to classify incidents into low, medium, high, or critical levels, ensuring timely communication and resolution.

Data Breach Notification
In the event of a suspected or actual data breach, Journey.do will notify affected parties promptly and in accordance with applicable laws. 

Employee Security Training
All coaches undergo background checks, including County, State, and Federal Criminal Searches (past 7–10 years), SSN Trace, Sex Offender Registry Search, National Criminal Database, and Global Watchlist screenings. All employees undergo comprehensive onboarding and annual security training to ensure adherence to confidentiality, privacy, and security policies (download PDF). A formal employee termination notification process exists, which is initiated by our Human Resources (“HR”) department. Upon notice by HR, all physical and system accesses are promptly revoked.

Principle of Least Privilege
Access to systems is limited to legitimate business needs, reviewed periodically, and revoked immediately upon termination.

Physical Access Control
Robust physical security controls restrict access to offices and data centers, which are managed by AWS with biometric scanning, 24/7 surveillance, and other safeguards. 

At Lifelab Studios, we provide the benefits of AI without compromising on privacy or safety. No data is shared externally, or used internally to refine or retrain AI models.

1. No Data Retention: All data, including stories, uploaded to the platform is processed securely and not stored by our AI systems after use.
2. Restricted Access: All data remains within our private cloud instance, with no external sharing to third-party entities.
3. Generative AI Protections: Our AI systems leverage external data to build and refine models, generate insights, and provide solutions—never sharing back or using your users' data or activities to develop or enhance any AI technologies. 

Platform Hosting
Journey.do's infrastructure operates on Amazon Web Services (AWS) data centers located in the United States.
AWS data centers maintain extensive compliance certifications including ISO 27001, ISO 27017, ISO 27018, ISO 27032, HIPAA, FedRAMP, SOC-1, and SOC-2.

Multi-Tenant Architecture
Journey.do employs a multi-tenant architecture where each customer's data is logically segregated from others. All data is encrypted at rest using AES-256 encryption standards.

ISO 27001 – Data Center
ISO 27001 – Data Center AWS data centers maintain certification with ISO 27001:2013, ISO 27017:2015, ISO 27018:2019, and ISO 27701:2020 standards.

SOC 2 Type II — Data Center
AWS data centers hold SOC 2 Type 2 certification across Security, Confidentiality, Availability, and Privacy Trust Principles.

Physical Access Control – Data Center
For detailed information about AWS's security infrastructure and controls, please refer to AWS's Security Controls Documentation at https://aws.amazon.com/compliance/data-center/controls/

Availability and Reliability
Journey.do utilizes Amazon Web Services (AWS), the world's leading cloud platform, operating across multiple geographically dispersed data centers. Each facility employs comprehensive physical security controls including 24/7 security personnel, video surveillance, multi-factor authentication, and biometric access systems. Redundant power, cooling, and network connectivity ensure high availability, with a service level commitment of 99.99%. All facilities maintain SOC 2 compliance and implement industry-standard fire suppression systems.

We have designed our service for high availability; no less than 99.85%. 

Integration of Generative AI

We run our AI in a safe and secure private instance within our Amazon Cloud, using Claude AI developed by Anthropic. We find Claude to be the best solution for our generative AI needs, especially in terms of using prompts, n-shot examples, temperature settings, and advancing useable insights. No user data is stored, shared externally, or used to refine AI models. Unless explicitly stated, all AI-generated insights are reviewed by staff before being shared, ensuring human oversight and mitigating bias.

With support from the National Science Foundation and from Maricopa Public Health, we have partnered with Arizona State University to continually develop, test, and fine our AI integration so we can provide personalized care at scale. Initial findings show AI can provide insights that are more accurate, trustworthy, relevant, and useable than coaches alone.

Download AI Statement
Ensure Consistency

Ensure quality and consistency of guidance and feedback across coaches. Also, identify needs and linkage to care opportunities.

Personalize Care

Create high quality growth and transition plans to ensure hyper-personalized care, and build aligned field notes. AI can even direct and transcribe site visits to align with plans. 

Identify Themes

Analyze large numbers of stories and plans for individuals, groups, or across organizations to create knowledge and advance insights. 

Lifelab Studios Trust Center

Our Trust Center is built around the SOC 2/HIPAA Trust Services Criteria and provides transparency into how Lifelab Studios safeguards data, manages risk, and maintains strong security and privacy practices. It outlines the technical, organizational, and operational controls we use to protect customer and participant information, including infrastructure security, product security, data handling, and access management.

Here, you’ll find documentation of our SOC 2–aligned controls, policies, sub-processors, and ongoing security updates. We believe trust is built through openness, accountability, and continuous improvement, and this Trust Center reflects our ongoing commitment to meeting SOC 2 standards and earning the confidence of the individuals and organizations we serve.

Request Access

How to Whitelist?

To ensure seamless access to the Journey.do platform while maintaining a secure environment, we provide the following guidelines for network administrators to properly configure firewall and proxy settings. This will ensure that the necessary domains and services are whitelisted, allowing uninterrupted access. We follow industry best practices for platform security and operation, with data encrypted at rest, and rely on multi-factor authentication for sensitive information.

Security Assurance:
Our AI and all ongoing project updates operate within secure, cloud-hosted environments. Each environment is fully secured and enables secure communication between the services.

Every account, whether for a county, department, or caseload, is "containerized." This means that only the registered members within that specific container can access its data. This isolation ensures that each county manages its own private, secure instance.

View Whitelist Requirements

Whitelist Required Domains

To ensure the platform functions correctly, it's essential to whitelist the specific domains and services used by Journey.do. With these whitelisted, we can then run the platform on any device already deployed in your system, either as app or URL.

Custom Configuration Support

If any of these domains conflict with your existing settings, please reach out to us directly. For example, our third-party providers such as logrocket are not critical to the functionality of our platform, but is used to provide support and/or enhance the feature set of Journey.do

Device-Level Configuration

We are available to help configure the platform to fit your needs and assist in configuring device-level safety and security settings to augment network security best practices.

Customers We Serve

Journey.do FAQ

Contact us for a brochure and demo. We will walk you through the platform and cater the services to meet your needs.

Yes, we provide “Tiered Pricing” which means you can get discounts on license costs when you qualify to enter into higher tiers. 

We use a suite of evidence-based practices, including motivational interviewing, trauma-informed care, strength0based communication, single-session intervention, and peer-based learning. Our core connect-grow-apply-inspire framework is also grounded in learning sciences research, as is the larger behavioral change framework (see journey_BCF)

No, part of the power of the innovation is we use devices that youth already have or are available. Within secure care, you can use a tablet and download the journey.do app at the Apple an Google stores, or even use the school computers on any browser, and clients login with a modified 2FA in which their authentication codes are provided by staff. Similarly, clients outside of secure locations can download the app or use a browser with safe and secure authentication.

Every organization has it's own custom instance, and each officer or case manager, has their own group within the instance where they register users. Staff can access the coaching dashboard either through our apps or via browser.

Yes. We have created an application ecosystem and company culture that meets SOC-2 and HIPAA requirements with all the necessary privacy and safety features to keep your organization and participant data safe. Each group can also turn on and off particular features, based on their needs. Our robust security measures include encryption for data at rest and in transit, strict AI safeguards, role-based access control (RBAC), multi-factor authentication (MFA), and a multi-tenant architecture, ensuring data integrity and responsible handling.

Our AI systems are built with privacy, fairness, and security in mind. No user data is stored, shared externally, or used to refine AI models. All AI-generated insights are reviewed by staff before being shared, ensuring human oversight and mitigating biasJourney.do was designed to operate in either a single or multi-tenant environment and therefore can be used safely in secure care. Access or privacy and security policy, or learn more by visiting our safety and security overview.

We understand the high demands placed on staff and have designed the Journey.Do experience to offer flexibility, allowing staff to engage at whatever level they feel is appropriate. Clinicians and Coaches can run the program or their efforts can be supported through our Recovery Coaches. They will always have access to the platform and can use it as a tool to further engage with their participants, gaining valuable insights into their progress.

Our dedicated account team will work closely with your staff to ensure that each staff’s participation aligns with their preferences and responsibilities. Together, we will co-serve the participant from intake through outtake, providing consistent support and personalized attention to help them succeed at every stage of their journey.

Our Growth Coaches are certified through the LLS coaching academy and are well-versed in each of the specialty and evidence-based journeys you will facilitate. They are expertly trained to use AI for accountability and insights, ensuring they can provide the most impactful support to both staff and participants. All of our Coaches are trained in trauma-informed care and strength-based communication, enabling them to engage participants in a constructive, empathetic manner. We regularly audit their responses to ensure the feedback provided is helpful and consistent, while continuously updating our training with real-world examples to enhance the JourneyDo experience.

Note: To safeguard participants, any story that is reviewed can be marked private. If a story is submitted that raises concerns for a participant's safety, we promptly notify the appropriate contact to ensure timely intervention



Thrivecast



Apple Google



Home      Programs     Resources    About Us

© Copyright 2021-2025 Lifelab Studios, Inc.