Security & Compliance
Four Pillars of Trust
European Data Sovereignty
Your data never leaves European jurisdiction
EU-only Scaleway Sovereign Cloud infrastructure
GDPR-native architecture with data minimisation by design
Full compliance with EU data residency requirements
Financial Services Security
Bank-grade protection standards
Multi-layered encryption (AES-256) for data at rest and in transit
Zero-trust network architecture with continuous monitoring
Regular third-party security assessments and penetration testing
Regulatory Compliance
Built for European financial regulation
MiFID II documentation and audit trail capabilities
DORA operational resilience framework implementation
EU AI Act compliance for transparent, explainable algorithms
Operational Resilience
99.9% availability with comprehensive backup systems
Multi-region disaster recovery with <4 hour RTO
Automated failover systems with continuous data replication
24/7 European security operations centre monitoring
Infrastructure & Data Residency
European Sovereign Cloud Architecture
100% European Infrastructure
Powered by Scaleway's Sovereign Cloud, an EU-based provider.
Zero international data transfers
All processing occurs within EU boundaries.
European legal jurisdiction
Subject only to EU and member state laws.
Local support teams
European-based technical and security personnel.
Security Architecture
Multi-Layer Defence Strategy
Built from inception with European financial services security requirements, Luminary exceeds industry standards for data protection, system resilience, and regulatory compliance across all EU member states.
Certifications & Audits
Independent Validation of Our Security
Security Certifications
Current Certifications
ISO 27001:2022 — Information Security Management (Certification in Progress)
SOC 2 Type II — Security, Availability, and Confidentiality (Audit Scheduled Q1 2026)
Planned Certifications
ISO 27017 — Cloud Security (Q1 2026)
ISO 27018 — Cloud Privacy (Q1 2026)
Third-Party Assessments
Penetration Testing — Quarterly assessments by EU-based security firms
Vulnerability Scanning — Continuous automated scanning with monthly reports
Code Security Reviews — Static and dynamic analysis for all code releases
Infrastructure Audits — Annual comprehensive infrastructure security reviews
Audit & Compliance Reports
Available to enterprise customers under NDA: SOC 2 Type II Report (Available Q1 2026), Penetration Testing Executive Summary (Quarterly), Vulnerability Assessment Reports (Monthly), Business Continuity Test Results (Semi-Annual).
Privacy & Data Governance
Data Handling Principles
Data Classification
Highly Confidential: Client personal and financial information
Confidential: Business intelligence and portfolio data
Internal: System logs and operational metadata
Public: Product documentation and marketing materials
Data Lifecycle Management
Collection: Minimal necessary data with explicit purpose limitation
Processing: Automated workflows with human oversight checkpoints
Storage: Encrypted at rest with access logging and monitoring
Retention: Configurable retention periods based on regulatory requirements
Disposal: Secure deletion with cryptographic proof of destruction
Data Subject Rights (GDPR Articles 12-23)
Right of Access: Automated data export within 30 days
Right to Rectification: Real-time data correction capabilities
Right to Erasure: Secure data deletion with audit trails
Data Portability: Standardised export formats (JSON, CSV, XML)
Right to Object: Granular consent management for processing activities
Cross-Border Data Transfers
No International Transfers: All data processing occurs within the EU
Adequacy Decisions: Not relied upon, since no personal data is transferred to third countries
Standard Contractual Clauses: Not required, since all processing takes place within the EU
Artificial Intelligence & Ethics
Responsible AI Framework
AI Governance Principles
Human-Centric Design: AI augments human decision-making, never replaces it
Transparency: Clear explanations for all AI-generated recommendations
Fairness: Continuous monitoring for bias in algorithms and outcomes
Accountability: Human oversight required for all high-stakes decisions
Explainable AI (XAI) Implementation
Decision Trees: Visual representation of AI reasoning pathways
Feature Attribution: Clear identification of data points influencing decisions
Confidence Scoring: Probability assessments for all AI recommendations
Alternative Scenarios: "What-if" analysis for different input parameters
AI Training & Validation
Diverse Datasets: Multi-jurisdictional training data to prevent regional bias
Continuous Monitoring: Real-time performance tracking with bias detection
Model Versioning: Complete audit trail of AI model changes and improvements
Regular Retraining: Quarterly model updates with validation testing
EU AI Act Compliance
Risk Assessment: Documented classification of all AI systems
Quality Management: Systematic approach to AI development and deployment
Documentation: Comprehensive technical documentation for regulators
Post-Market Monitoring: Continuous assessment of AI system performance
Business Continuity & Disaster Recovery
Operational Resilience
Availability Commitments
Uptime SLA: 99.9% (8.77 hours downtime/year maximum)
Planned Maintenance: <4 hours monthly with advance notification
Emergency Maintenance: <2 hour response time for critical issues
Disaster Recovery
Recovery Time Objective (RTO): <4 hours for full service restoration
Recovery Point Objective (RPO): <15 minutes maximum data loss
Backup Frequency: Continuous replication with hourly snapshots
Testing Schedule: Quarterly DR tests with documented results
Geographic Redundancy
Multi-Region Architecture: Active-passive setup across EU regions
Automated Failover: Transparent switching with minimal user impact
Data Synchronisation: Real-time replication between primary and backup sites
Crisis Management
24/7 Monitoring: European NOC with multilingual support
Escalation Procedures: Clear escalation paths for different incident types
Communication Plan: Automated customer notification systems
External Dependencies: Documented contingency plans for third-party outages
Vendor Risk Management
Third-Party Security
Vendor Assessment Process
Initial Screening: Security questionnaires and certification verification
Due Diligence: On-site assessments for high-risk vendors
Ongoing Monitoring: Quarterly reviews and annual recertification
Contract Requirements: Security terms and right-to-audit clauses
Supply Chain Security
Software Bill of Materials (SBOM): Complete inventory of all components
Dependency Scanning: Automated vulnerability detection in third-party libraries
License Compliance: Legal review of all open-source components
Update Management: Systematic patching with security priority levels
Key Technology Partners
Vendor | Service | Security Certifications | Data Location
Scaleway | Sovereign Cloud | ISO 27001, SOC 2 | EU Only
Auth0 (Okta) | Identity Management | ISO 27001, SOC 2 | EU Instance
Datadog | | ISO 27001, SOC 2 | EU Deployment
Incident Response & Communication
Security Incident Management
Incident Classification
P0 - Critical: Data breach, system compromise, service unavailability
P1 - High: Security vulnerability, privacy incident, regulatory non-compliance
P2 - Medium: Performance degradation, configuration issues
P3 - Low: Minor security findings, enhancement requests
Response Procedures
Detection: Automated monitoring with 24/7 SOC oversight
Initial Response: <1 hour acknowledgment for P0/P1 incidents
Investigation: Forensic analysis with external expertise if required
Containment: Immediate threat isolation and service stabilisation
Recovery: System restoration with enhanced monitoring
Post-Incident: Root cause analysis and preventive measures
Breach Notification
Internal Escalation: Immediate notification to executive team and legal counsel
Customer Notification: Within 24 hours for incidents affecting customer data
Regulatory Reporting: GDPR-compliant notification to supervisory authorities within 72 hours of becoming aware of a personal data breach
Public Disclosure: Transparent communication through status page and direct outreach
Customer Communication
Status Page: Real-time service status at status.luminary.ai
Email Notifications: Automated alerts for service incidents
Direct Outreach: Account manager contact for enterprise customers
Post-Incident Reports: Detailed analysis available within 5 business days
Resources
Documentation & Direct Contact
Available Security Documents
Enterprise customers can request access to: Security Architecture Overview, Data Processing Agreement (DPA) Templates, Vendor Risk Assessment Results, Business Continuity Plan Summary, Incident Response Playbook (Executive Summary).
Contact
Security team
Privacy officer
Compliance team
Bug Bounty & Responsible Disclosure
We welcome security researchers to help us maintain the highest security standards. Please contact security@luminary.lu for our disclosure policy.
Trust Center Updates
Our Commitment to Transparency
This Trust Center is updated quarterly to reflect our evolving security posture, new certifications, and regulatory developments. All material changes are communicated to customers in advance.