Your compliance data is protected with enterprise-grade security controls and continuous monitoring. This Trust Center shows our security posture, certifications, and infrastructure.

Security Certifications & Compliance

We maintain industry-standard certifications and comply with global data protection regulations.

SOC 2 Type II

Annual audit of security controls

In Progress

GDPR Compliant

EU data protection regulation

Compliant

CCPA Compliant

California privacy rights

Compliant

HIPAA Ready

Healthcare data protection

Ready

Infrastructure Security

Enterprise-grade infrastructure built on AWS with a defense-in-depth security architecture.

Cloud Infrastructure

LukaGRC is hosted on Amazon Web Services (AWS), a SOC 2, ISO 27001, and FedRAMP certified cloud provider. We leverage AWS's global infrastructure, security controls, and compliance certifications.

  • Multi-region deployment with automatic failover
  • AWS VPC with network segmentation and isolation
  • DDoS protection via AWS Shield
  • Web Application Firewall (WAF) protecting all endpoints
  • Infrastructure as Code (IaC) for consistent, auditable deployments

Data Encryption

All customer data is encrypted at rest and in transit using industry-standard cryptographic algorithms.

  • TLS 1.3 for all data in transit
  • AES-256 encryption for data at rest
  • Encrypted database backups with 30-day retention
  • AWS KMS for key management and rotation
  • Evidence files cryptographically hashed (SHA-256) for integrity verification

Access Controls

Multi-layered access controls ensure only authorized users can access systems and data.

  • Role-Based Access Control (RBAC) with least privilege principle
  • Multi-Factor Authentication (MFA) enforced for all accounts
  • SSO integration with SAML 2.0 (Okta, Azure AD, Google Workspace)
  • API key rotation and time-based expiration
  • Automatic session timeout after 30 minutes of inactivity
  • Complete audit logging of all access and actions

Multi-Tenant Architecture

Complete data isolation between organizations ensures your compliance data remains private and secure.

  • Logical data separation with tenant ID enforcement at database level
  • Cross-tenant access prevention in all API endpoints
  • Separate encryption keys per tenant
  • Independent backup and restore capabilities
  • No shared resources or data between organizations

Data Privacy & Protection

We are committed to protecting your privacy and maintaining transparency in our data practices.

Data Ownership

You own your data. We never sell customer data or use it for purposes other than providing the LukaGRC service.

  • Your data belongs to you
  • No third-party data sharing
  • Export your data at any time
  • Delete your data on request

Data Residency

Customer data is stored in AWS US regions by default. Additional regions are available to meet compliance requirements.

  • Primary: AWS US-East-1 (N. Virginia)
  • EU region available for GDPR
  • Data backups in same region
  • Cross-region replication optional

Privacy by Design

Privacy is integrated into our development process from the start, not added as an afterthought.

  • Minimal data collection
  • Purpose limitation enforced
  • Data retention policies
  • Privacy impact assessments

Data Processing Agreement (DPA)

Our DPA covers GDPR Article 28 requirements, Standard Contractual Clauses (SCCs), and international data transfers.

View Data Processing Agreement

Availability & Reliability

Built for continuous operation with automated monitoring and recovery.

Backup & Disaster Recovery

Comprehensive backup strategy ensures your data is protected and recoverable in any scenario.

  • Automated daily backups with 30-day retention
  • Point-in-time recovery capability
  • Encrypted backup storage in separate AWS region
  • Quarterly disaster recovery testing
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 24 hours

Monitoring & Alerting

24/7 monitoring of all systems with automated alerting and on-call incident response team.

  • Real-time infrastructure monitoring
  • Application performance monitoring (APM)
  • Security event monitoring (SIEM)
  • Automated health checks every 60 seconds
  • PagerDuty integration for critical alerts
  • Public status page at status.lukagrc.com

Security Testing & Audits

Continuous security testing and third-party audits validate our security controls.

SAST & Dependency Scanning

Every code commit is automatically scanned for security vulnerabilities and dependency issues before deployment.

  • Bandit for Python security scanning
  • Safety for dependency vulnerability checks
  • Pre-commit hooks for secret detection
  • Automated security reviews in CI/CD

Penetration Testing

Annual third-party penetration testing validates the effectiveness of our security controls.

  • Annual external penetration tests
  • Web application security testing (OWASP Top 10)
  • API security assessments
  • Reports available to enterprise customers

Vulnerability Management

Continuous vulnerability scanning and patch management keep our systems secure and up-to-date.

  • Weekly vulnerability scans
  • Critical patches within 48 hours
  • High-severity patches within 7 days
  • Coordinated disclosure program

Incident Response

Prepared to detect, respond to, and recover from security incidents.

Incident Response Plan

We maintain a documented incident response plan tested quarterly with tabletop exercises.

  • 24/7 security incident response team
  • Defined escalation procedures and runbooks
  • Customer notification within 72 hours of confirmed breach
  • Post-incident reviews and remediation tracking
  • Coordination with law enforcement when required
  • Forensic investigation capabilities

Report a Security Issue

Discovered a security vulnerability? Report it to our security team.

Security Contact: security@lukagrc.com

PGP key available for encrypted communications.

Secure Software Development

Security is integrated throughout our secure software development lifecycle (SSDLC).

Development Practices

We follow secure coding standards and industry best practices throughout development.

  • Mandatory security training for all engineers
  • Threat modeling for new features
  • Security code reviews on all pull requests
  • Parameterized queries to prevent SQL injection
  • Input validation and output encoding
  • No hardcoded secrets or credentials in code
  • Secrets management via AWS Secrets Manager
  • Least privilege access to production systems

Security Questions

Contact our security team with questions about our practices or compliance certifications.

Security & Compliance Inquiries

Request SOC 2 reports, penetration test summaries, or security questionnaires from our security team.

Security Questions: security@lukagrc.com

Compliance Documentation: compliance@lukagrc.com

General Inquiries: hello@lukagrc.com
