Encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Encryption keys are managed according to industry best practices.
Multi-Tenant Isolation
Complete data isolation between tenants. Your data is never visible to other organizations on the platform.
Access Controls
Role-based access control (RBAC), multi-factor authentication, and SSO support for enterprise customers.
Audit Logging
Complete audit trails of all data access and modifications, with the source IP address and timestamp recorded for each event.
Security Testing
Regular penetration testing, vulnerability scanning, and code security analysis (SAST/DAST).
Local Processing Option
Run processing entirely on your infrastructure. Your compliance data never leaves your network.
Infrastructure Security
Hosted on AWS with enterprise-grade infrastructure:
- SOC 2 Type II certified infrastructure
- Automated backups with point-in-time recovery
- DDoS protection and web application firewall
- Network segmentation and private VPCs
- 24/7 infrastructure monitoring and alerting
Application Security
Secure development practices:
- Secure Software Development Lifecycle (SSDLC)
- Parameterized queries to prevent SQL injection
- Input validation and output encoding to prevent XSS
- CSRF protection on all state-changing operations
- Dependency scanning for known vulnerabilities
- Secret scanning to prevent credential leaks
Data Processing
When using cloud processing features:
- Data Processing Agreements with all providers
- Your data is not used to train third-party models
- Processing is scoped to your organization only
- All API calls are encrypted and authenticated
For maximum privacy, use local processing (Ollama) where all processing happens on your infrastructure.
Compliance Certifications
Current compliance status:
- SOC 2 Type II: Annual audits of security controls (in progress)
- GDPR: Data processing agreements and privacy controls
- ISO 27001: Information security management (planned)
Data Retention and Deletion
You control your data:
- Export all data at any time in standard formats
- Request account and data deletion
- 30-day grace period after cancellation for data export
- Secure data destruction after retention period
Security Vulnerability Reporting
If you discover a security issue, please report it responsibly:
Email: security@lukagrc.com
Please include:
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information
Response commitment:
- Acknowledge receipt within 24 hours
- Provide regular updates on remediation progress
- Credit researchers who report responsibly (if desired)