Effective May 1, 2026

Security at Luminet

Luminet follows industry-standard practices to protect customer data, model traffic, and infrastructure. This page summarizes our security program. Our SOC 2 Type II report is available under NDA — contact billing@lumnt.com.

Compliance

SOC 2 Type II (audited annually). HIPAA-eligible Business Associate Agreement available on Enterprise. GDPR & CCPA aligned. ISO 27001 certification in progress.

Encryption

TLS 1.3 in transit. AES-256 at rest. Customer API keys are stored hashed; raw secrets are shown to the user only once at creation.

Access control

Production access is limited to on-call engineers. All access requires hardware-key MFA, is short-lived, and is logged. Customer data is segmented by organization and never shared across tenants.

Data residency

Default routing uses the geographically closest region. Enterprise customers can pin requests to specific regions (us, eu, apac) to meet data-residency requirements.

Logging

By default, prompt and completion bodies are not retained. Metadata (request counts, latency, model ID) is retained for 90 days for analytics and abuse detection.

Vulnerability disclosure

We run a private bug-bounty program with rewards from $100 to $25,000 depending on severity. Report findings to security@lumnt.com (PGP key on request).

Incident response

We have a 24/7 on-call rotation with a documented incident response runbook. Customers are notified of qualifying incidents within 24 hours.

⚠️ This is a placeholder. Final legal copy is being reviewed by counsel. For specific questions, contact billing@lumnt.com.