Lumari Trust Center
security@lumari.io

Security & Compliance

Security is core to how Lumari operates. We design systems, build products, and make decisions with data protection at the forefront. All customer and partner data is treated as sensitive by default.

Last updated February 1, 2026
  • SOC 2 Type I: Achieved
  • SOC 2 Type II: Achieved
  • CASA Tier II: Achieved

Security Overview

A summary of Lumari's security posture, certifications, and control coverage across all operational areas.

Infrastructure Highlights

  • Encryption at rest and in transit
  • Multi-factor authentication required
  • Automatic TLS/HTTPS on all endpoints
  • Row-level security for multi-tenant isolation
  • Regular penetration testing

Data Protection

  • Data classification policy
  • Data retention procedures
  • Vendor management program
  • Incident response procedures
  • Responsible AI usage policy

Security Resources

20 documents available

Request access to audit reports, security policies, and compliance documentation.

Acceptable Use Policy
Access Management Policy
Asset Management Policy
Business Continuity & Disaster Recovery Policy
Change Management Policy
Company Handbook
Data Management & Retention Policy
Data Recovery Policy
Human Resource Security Policy
Incident Response Policy
Information Security Policy
Network Security Policy
Password Policy
Performance Evaluation Policy
Responsible AI Usage & Governance Policy
Risk Management Policy
Secure Development Policy
Vendor Management Policy
Physical Security Policy
Vulnerability Management Policy

Security Controls

68 controls implemented

An overview of the security controls Lumari has implemented to protect customer data and maintain compliance.

Access Control and Authorization (6)

  • Access management policy established
  • Account inventory maintained
  • Dormant accounts disabled
  • Employee access regularly reviewed
  • MFA required for critical services
  • Password management policy established

Data Management and Protection (3)

  • Data encrypted in-transit
  • Data inventory maintained
  • Data management and retention policy established

Disaster Recovery (4)

  • Business continuity and disaster recovery policy established
  • Data recovery process established
  • Disaster recovery plans tested
  • Recovery data isolated

Email Security (3)

  • DMARC policy and verification used
  • Email account access restricted
  • Email settings block malicious content

Endpoint Security (4)

  • Anti-malware deployed on end-user devices
  • Data encrypted on end-user devices
  • Firewall maintained on end-user devices
  • Mobile device management (MDM) used

Infrastructure Security (11)

  • Active discovery tools used
  • Automated security scanning performed on infrastructure
  • Buckets not exposed publicly
  • Configuration management system established
  • Infrastructure changes logged
  • Infrastructure changes require review
  • Infrastructure deployed using an infrastructure-as-code tool
  • Production deployment access restricted
  • Unauthorized assets addressed and removed
  • Unique production database authentication enforced
  • Web Application Firewall (WAF) used

Monitoring and Incident Response (7)

  • Audit log management process maintained
  • Audit logs collected
  • Incident response policy established
  • Incident review process implemented
  • Infrastructure performance monitored
  • Log management used
  • Network infrastructure monitored

Organizational Security (22)

  • Acceptable use policy established
  • Asset inventory maintained
  • Asset management policy established
  • Board charter documented
  • Board oversight briefings conducted
  • Change management policy established
  • Changelog established and maintained
  • Code of conduct established
  • Company security commitments externally communicated
  • Data-flow diagrams maintained
  • External support resources available (i.e., documentation)
  • Offboarding process established
  • Onboarding process established
  • Policies signed by relevant personnel
  • Reference checks performed for employees
  • Roles and responsibilities specified
  • Security awareness training conducted
  • Service description communicated
  • Software development lifecycle established
  • System changes externally communicated
  • System changes internally communicated
  • Third-party security oversight conducted

Risk Management (4)

  • Risk assessments performed
  • Risk management policy established
  • Vendor inventory maintained
  • Vendor management program established

Vulnerability Management (4)

  • Penetration testing findings remediated
  • Penetration testing performed within the last 12 months
  • Vulnerabilities scanned
  • Vulnerability management policy established

Subprocessors

18 services

Third-party services that Lumari uses to process data.

Service: Category

  • Anthropic: AI & ML Services
  • Browserbase: Browser Automation Services
  • Cloudflare: Network & Edge Security
  • Exa: Search & Data Retrieval
  • GitHub: Code & Build Security
  • Google Cloud Platform: Cloud Infrastructure & Platform Services
  • Google Workspace: Business Apps & Productivity
  • LangFuse: AI Observability & Tracing
  • Linear: Business Apps & Productivity
  • OpenAI: AI & ML Services
  • Porter: Cloud Infrastructure & Platform Services
  • PostHog: Analytics & Product Intelligence
  • Resend: Transactional Email
  • Sentry: Logging & Observability
  • Slack: Business Apps & Productivity
  • Supabase: Data Stores & Warehouses
  • Upstash: Cloud Infrastructure & Platform Services
  • Vercel: Cloud Infrastructure & Platform Services

Request Document

Send an email to our security team with your name and company to request access.

security@lumari.io