Security
How we handle your data.
Lumis sits alongside your PM tool, not above it. We handle credentials the way we’d want ours handled. This page is the current accounting of controls, policies, and subprocessors. Security contact: security@lumis.work.
Controls in production
What’s live today on lumis.work and api.lumis.work.
Credentials encrypted at rest
Every OAuth token, API key, and sensitive config field is encrypted with AES-256-GCM before persistence. Plaintext secrets never touch disk. The encryption key is held in Railway’s secret store, separate from the database.
TLS 1.3 in flight
Every connection between the browser, the API, the worker, and the database uses TLS 1.3. Both the custom domain and the api subdomain are live with valid certificates.
Argon2id password hashing
Passwords are hashed with Argon2id using a per-user salt. A plaintext password is never stored or logged. Login attempts are rate-limited.
Scoped OAuth + per-org credentials
When connecting a PM tool, you can use the platform OAuth app (standard) or bring your own OAuth app (regulated / IT-controlled). Scopes are the minimum required and surfaced to you before consent.
Audit log for every mutation
Role changes, integration connects/disconnects, credential changes, AI prompt overrides, staff impersonation — every event is recorded with actor, target, timestamp, and IP/UA. Admins can export.
Staff access is opt-in + visible
Lumis staff cannot access your organization unless your admin enables support access in settings. Any access is recorded in your own audit log, not just ours, with the staff member’s email and timestamp.
Webhook signature verification
Inbound webhooks from PM tools are signature-verified and dedup-keyed. Timestamps older than five minutes are rejected. Handshake verification runs on every webhook registration.
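As an added illustration in Python (not Lumis's own code), the three checks described above in the order a receiver should apply them: a constant-time signature check, rejection of timestamps older than five minutes, and a dedup key recorded only after the signature passes. The header names and the HMAC-SHA256-over-timestamp-and-body scheme are assumptions; each PM tool defines its own.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Set, Tuple

MAX_AGE_SECONDS = 300  # the five-minute window described above


class WebhookVerifier:
    def __init__(self, secret: bytes, seen: Optional[Set[str]] = None):
        self.secret = secret
        # Stands in for a shared store (e.g. a Redis set expiring after MAX_AGE_SECONDS)
        self.seen = seen if seen is not None else set()

    def sign(self, timestamp: int, body: bytes) -> str:
        # Assumed scheme: HMAC-SHA256 over "<timestamp>.<raw body>"; binding the
        # timestamp into the MAC stops a replay that only rewrites the header.
        return hmac.new(self.secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()

    def verify(self, headers: Dict[str, str], body: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            ts = int(headers["X-Webhook-Timestamp"])  # assumed header name
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        if now - ts > MAX_AGE_SECONDS:
            return False, "stale timestamp"
        provided = headers.get("X-Webhook-Signature", "")  # assumed header name
        # compare_digest is constant-time, so a mismatch leaks nothing about its position
        if not hmac.compare_digest(self.sign(ts, body), provided):
            return False, "bad signature"
        delivery_id = headers.get("X-Webhook-Delivery-Id")  # assumed header name
        if not delivery_id:
            return False, "missing delivery id"
        # Dedup only after the signature passes, so unauthenticated traffic cannot
        # poison the seen-set and block a legitimate delivery.
        if delivery_id in self.seen:
            return False, "duplicate delivery"
        self.seen.add(delivery_id)
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample delivery, not a real PM-tool payload.
    v = WebhookVerifier(b"constructed-shared-secret")
    body, ts = b'{"event":"task.updated","task":"T-1"}', 1_700_000_000
    hdrs = {"X-Webhook-Timestamp": str(ts), "X-Webhook-Signature": v.sign(ts, body), "X-Webhook-Delivery-Id": "dlv-1"}
    print(v.verify(hdrs, body, now=ts + 10))  # (True, 'ok')
    print(v.verify(hdrs, body, now=ts + 10))  # (False, 'duplicate delivery')
```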
AI usage bounded per-organization
Every AI call is logged with model, tokens, cost, and outcome. Organizations have a monthly budget cap with an 80% alert. No call is made without assertWithinBudget passing first.
Policies
What we commit to when the bad day happens, plus where we are on the compliance path.
Incident response
When something breaks, we fix it, write it up, and post it to the public changelog. Material incidents also get an email to affected accounts within 72 hours of detection. We'd rather say what went wrong than pretend it didn't.
Vulnerability disclosure
If you find a security issue, email security@lumis.work. We respond within one business day and acknowledge the report publicly (with your consent) once the fix ships. No bug bounty program yet; that lands at GA.
SOC 2
The controls are in place. The SOC 2 Type I audit is on the GA roadmap (targeting Q4). Once we hold the Type I report we will publish it here, along with the gap report from the pre-audit. SOC 2 Type II follows six months after Type I.
GDPR + data residency
Private beta is US-only. EU data residency requires multi-region infrastructure we do not have yet; EU rollout waits for a DPA and subprocessor arrangement that survives legal review. International waitlist responses determine which region opens next.
Subprocessors
The infrastructure vendors that see a subset of your data in flight or at rest. A full DPA + subprocessor list with contractual terms ships at GA.
| Vendor | Purpose | Region | Data |
|---|---|---|---|
| Railway | Application hosting + Postgres + Redis | United States | All operational data at rest |
| Cloudflare | DNS + TLS edge for lumis.work and api.lumis.work | Global | Request metadata in flight |
| Resend | Transactional email — invites, digests, alerts | United States | Recipient email + rendered email content |
| Anthropic | AI clarity review, title suggestion, description suggestion (Claude) | United States | Task title + description + prompt metadata (per-call) |
| OpenAI | Text embeddings for cross-tool correlation | United States | Task title + description (per-call) |
| GitHub | Source hosting. Not a data path for customer data. | United States | Codebase only — no customer data |
If we add a subprocessor, we update this table before they see any customer data, and list the change in the changelog.
Procurement questions welcome.
Due-diligence questionnaires, SOC 2 pre-audit reports, custom DPAs — email security@lumis.work. We respond within one business day.