Handing your client communications to any operator — human or AI — requires trust. Here's exactly how we protect your data, what certifications back our infrastructure, and what we commit to unconditionally.
Lumeairy runs on a stack of providers that each maintain their own rigorous security certifications. We chose these providers specifically because their compliance posture matches the trust our clients place in us.
| Provider | Role | Certifications |
|---|---|---|
| Anthropic | AI inference — the intelligence behind your operator | SOC 2 Type II |
| Supabase | Database, authentication, and row-level security | SOC 2 Type II |
| Vercel | Web hosting and application delivery | SOC 2 Type II |
| Stripe | Payment processing | SOC 2 Type II, PCI DSS Level 1 |
| Brevo | Transactional email delivery | GDPR Compliant, ISO 27001 |

Anthropic's API terms explicitly state that API usage does not train their models on your data. Your operator's intelligence is powered by Claude — your conversations with clients remain yours.
All client data encrypted with AES-256. API keys and platform credentials stored encrypted and never logged in plaintext.
All data transmitted over TLS. HTTPS enforced with HSTS preload on all Lumeairy web properties. No unencrypted connections permitted.
Every client's data is isolated from every other client at the database level. Strict row-level security policies enforced by Supabase.
Every operator action logged with timestamps. Logs available to you on request. Retained for 90 days.
Any security event affecting your data triggers notification within 24 hours. Full incident report within 72 hours. No hiding.
X-Content-Type-Options, X-Frame-Options (DENY), X-XSS-Protection, HSTS, and Referrer-Policy enforced on all web responses.
These are not policies that could change under business pressure. They are built-in limits that hold regardless of circumstance.
If something goes wrong with your operator or your data, you hear from us first — within 24 hours, in plain language. We don't bury it in a monthly report.
You can request a full export of your data at any time. We'll send it to you in a readable format. If you cancel, you get everything before we delete it.
When you leave, your data is deleted from our systems within 30 days — or immediately on request. Billing records retained only as required by law.
Your data never touches another client's operator. Row-level security at the database layer ensures complete isolation between all client accounts.
Every metric in your briefings and reports reflects what actually happened. We don't inflate numbers or hide poor performance. If something isn't working, we tell you.
Lumeairy is a growing business. We are transparent about what we have today and what we're working toward. Our infrastructure providers all hold SOC 2 Type II certifications. Lumeairy's own audit is on our roadmap as we scale.
All core infrastructure (Anthropic, Supabase, Vercel, Stripe) maintains SOC 2 Type II certification. Verified April 2026.
AES-256 encryption at rest, TLS 1.2+ in transit, HTTPS enforced with HSTS preload. Live since launch.
Database-level isolation between all client accounts via Supabase RLS policies. Implemented at launch.
Full suite of security response headers enforced on all web properties. HSTS preload active.
Full row-level security policy audit completed. All database tables verified with row-level security enabled and enforced. Every client's data is isolated at the database layer.
Lumeairy's own SOC 2 Type I audit planned when we reach 20–30 paying clients. Vanta compliance tooling to be implemented at $20K MRR.
Formal DPAs (Data Processing Agreements) for clients who require them. Available on request for enterprise/regulated clients.
Full 12-month operational audit as we scale to 100+ clients. This is the standard enterprise clients will require.
If you discover a security vulnerability in Lumeairy's systems, please report it to us immediately. We take all reports seriously and respond within 24 hours.
We do not pursue legal action against researchers who report vulnerabilities in good faith. We appreciate the security community's help in keeping our clients safe.
Ask us directly. You'll get a straight answer, not a form letter.
shawn@lumeairy.com