Security Overview
Effective date: May 20, 2026.
This page describes the controls we use to keep Lumear and your data safe. We update it as our infrastructure changes. For anything that isn’t covered here, or to request a current Trust Center summary, email letschat@lumear.ai.
Hosting and infrastructure
- Application hosting. Vercel — SOC 2 Type II and ISO 27001 certified. Deployments run on isolated serverless functions and the edge network.
- Database and authentication. Supabase — SOC 2 Type II certified. Postgres and Auth instances are provisioned in a US region.
- Background jobs. Inngest — handles asynchronous runs and scheduled tasks under a workspace-scoped signing key.
Encryption
- In transit. All customer-facing traffic is served over HTTPS with TLS 1.3. HTTP requests are redirected to HTTPS at the edge. Internal service-to- service traffic is also encrypted.
- At rest. Postgres storage is encrypted with AES-256 using Supabase-managed disk encryption. Backups are encrypted using the same keys.
- Integration tokens. Refresh tokens for connected Google integrations (GSC, GA4) are encrypted at the application layer with AES-256-GCM before they are written to Postgres. Tokens are decrypted only inside the worker that needs them for a specific API call.
Authentication
- Email + password and magic-link. Authentication is provided by Supabase Auth. Passwords are hashed with bcrypt at industry-standard cost.
- Breached-password protection. New and changed passwords are checked against the HaveIBeenPwned k-anonymity API. Known-compromised passwords are rejected.
- OAuth. Sign-in with Google is supported through Supabase Auth.
- SAML SSO. Available on the Enterprise plan.
- Session management. Sessions are bound to HTTP-only, secure, SameSite cookies. Refresh tokens rotate on use.
Authorization
- Row-level security.Every multi-tenant Postgres table enforces row-level security tied to the requesting user’s workspace. Cross-tenant reads and writes are blocked at the database layer, not only in application code.
- Org-scoped tokens. All API calls — internal and external — carry an organization identifier that is validated server-side on every request.
- Per-user API keys. When you generate a personal API key the plaintext value is shown once and never persisted. We store only a SHA-256 hash so that lost keys cannot be recovered (they have to be reissued).
Logging and audit
- Application logs. Request, error, and run-execution logs are collected and retained for operational use. They do not include the contents of customer dashboards or AI responses.
- Audit log. Privileged super-admin actions (workspace creation, plan changes, user impersonation, manual run re-issues) are written to an append-only audit log.
Backups and disaster recovery
- Daily backups. Postgres is backed up daily by Supabase with point-in-time recovery available for the trailing 7 days.
- Restoration drills. We periodically restore production backups into an isolated staging environment to verify they are usable.
- Stateless application tier. The application tier is stateless and can be redeployed from source within minutes if a region becomes unavailable.
Incident response
We will notify affected customers within 72 hours of confirming a material security breach that involves their data. Notification is sent to the email address associated with the workspace administrator and includes the scope of the incident, the data categories involved, and the remediation steps in progress. We will follow up with a written post-mortem once the incident is closed.
Vulnerability management
- Dependency scanning. npm and Supabase advisor scans run on every push to main; high-severity findings are triaged within five business days.
- Internal security review. We perform regular internal reviews of authentication, authorization, and data-handling code paths.
- Third-party penetration test. A third-party penetration test is scheduled for 2026 H2. We will publish a summary of the results to customers under mutual non-disclosure after remediation is complete.
Responsible disclosure
If you believe you have found a security vulnerability in Lumear, email letschat@lumear.ai with the details. Please give us a reasonable opportunity to investigate and remediate before any public disclosure. We will not pursue legal action against researchers who act in good faith and follow this process.
Subprocessors
See the Privacy Policyfor the complete list of subprocessors, including each one’s role and the categories of data it processes.
Contact
Security questions or trust requests: letschat@lumear.ai.