Security & Trust
How Lumenii protects your organisation's data
1. What access Lumenii requests
Lumenii requests read-only OAuth access to Microsoft Entra ID and the Google Workspace Admin SDK. We use the Microsoft Graph API with the following permissions:
- ✓ Directory.Read.All — read service principals and OAuth grants to detect connected AI tools
- ✓ AuditLog.Read.All — read sign-in activity logs to identify when AI tools were first used
- ✓ DeviceManagementApps.Read.All — read Intune managed app data for mobile AI detection (optional)
We explicitly do NOT access and CANNOT access:
- ✗ Email content — Mail.Read is not requested
- ✗ Document or file content
- ✗ Calendar entry content or meeting details
- ✗ Microsoft Teams message content
- ✗ User passwords or credentials of any kind
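To make the permission model above concrete, here is an added example (not Lumenii's code, and not a description of how the product is implemented) showing what a read-only tool can derive from the three Graph collections those permissions unlock: service principals, OAuth consent grants and sign-in logs. It joins grants to apps to flag AI tools, dates first use from the sign-in log, and checks that a vendor's own granted scopes stay inside the read-only allow list. The Graph endpoints named in the docstring exist; the JSON is constructed sample data shaped like their responses, and the AI keyword list is a hypothetical heuristic.

```python
"""Added example, not Lumenii's code: what the read-only Graph permissions
described above let a tool see, and what a customer can verify from them.

Graph endpoints referenced (these exist): GET /v1.0/servicePrincipals,
GET /v1.0/oauth2PermissionGrants, GET /v1.0/auditLogs/signIns.
All JSON below is constructed sample data shaped like those responses; the
AI-vendor keyword list is a hypothetical heuristic, not a published one.
"""
import json
from datetime import datetime

# --- Constructed sample responses (the "value" arrays Graph returns) -------
SERVICE_PRINCIPALS = json.loads("""[
  {"id": "sp-1", "appId": "app-1", "displayName": "ChatGPT", "publisherName": "OpenAI"},
  {"id": "sp-2", "appId": "app-2", "displayName": "Contoso Payroll", "publisherName": "Contoso Ltd"},
  {"id": "sp-3", "appId": "app-3", "displayName": "Lumenii", "publisherName": "ForrTech Ltd"}
]""")

# Delegated consent grants: consentType is "Principal" (one user consented) or
# "AllPrincipals" (admin consent); scope is a space-separated list.
OAUTH2_PERMISSION_GRANTS = json.loads("""[
  {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-42",
   "scope": "openid profile email User.Read"},
  {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": null,
   "scope": "User.Read.All"},
  {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": null,
   "scope": "Directory.Read.All AuditLog.Read.All"}
]""")

# Sign-in log entries: enough to date first use of an app, nothing about content.
SIGN_INS = json.loads("""[
  {"appId": "app-1", "userPrincipalName": "alice@example.test", "createdDateTime": "2026-03-09T14:02:11Z"},
  {"appId": "app-1", "userPrincipalName": "bob@example.test",   "createdDateTime": "2026-03-02T09:15:00Z"},
  {"appId": "app-2", "userPrincipalName": "alice@example.test", "createdDateTime": "2026-01-20T08:00:00Z"}
]""")

# Hypothetical heuristic: publisher/display-name fragments that mark an AI tool.
AI_KEYWORDS = ("openai", "chatgpt", "anthropic", "claude", "gemini", "copilot")

# The three scopes the page says the tool itself requests; anything else held
# by a vendor's service principal is a finding in a due-diligence review.
VENDOR_READ_ONLY_ALLOWLIST = frozenset(
    {"Directory.Read.All", "AuditLog.Read.All", "DeviceManagementApps.Read.All"})


def find_ai_grants(service_principals, grants):
    """Join consent grants to service principals and return one finding per
    grant whose app looks like an AI tool (by the hypothetical keyword list)."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = sp_by_id.get(grant["clientId"])
        if sp is None:
            continue  # grant to an app missing from the listing; skip rather than guess
        haystack = f'{sp["displayName"]} {sp.get("publisherName", "")}'.lower()
        if any(k in haystack for k in AI_KEYWORDS):
            findings.append({
                "app": sp["displayName"],
                "app_id": sp["appId"],
                "consent_type": grant["consentType"],
                "principal_id": grant["principalId"],
                "scopes": sorted(grant["scope"].split()),
            })
    return findings


def first_use(sign_ins, app_id):
    """Earliest sign-in to app_id as an ISO 8601 string, or None if never seen.
    Graph timestamps end in 'Z'; fromisoformat needs '+00:00' on older Pythons."""
    times = [datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))
             for s in sign_ins if s["appId"] == app_id]
    return min(times).isoformat() if times else None


def scopes_outside_allowlist(scope_string, allowlist=VENDOR_READ_ONLY_ALLOWLIST):
    """Scopes in a grant that are not on the read-only allow list (e.g. Mail.Read)."""
    return set(scope_string.split()) - set(allowlist)


def vendor_scope_check(service_principals, grants, display_name):
    """Collect every scope granted to the named vendor app and return those
    outside the allow list; an empty set means the grant is read-only as stated."""
    ids = {sp["id"] for sp in service_principals if sp["displayName"] == display_name}
    excess = set()
    for g in grants:
        if g["clientId"] in ids:
            excess |= scopes_outside_allowlist(g["scope"])
    return excess


if __name__ == "__main__":
    for f in find_ai_grants(SERVICE_PRINCIPALS, OAUTH2_PERMISSION_GRANTS):
        print(f, "first used:", first_use(SIGN_INS, f["app_id"]))
    print("Lumenii excess scopes:",
          vendor_scope_check(SERVICE_PRINCIPALS, OAUTH2_PERMISSION_GRANTS, "Lumenii"))
```

Against the constructed data the ChatGPT grant is the only AI finding, its first use dates to the earlier of the two sign-ins, and the vendor's own grant contains nothing outside the allow list; with `Mail.Read` added to a grant, `vendor_scope_check` would return it, which is the check a customer can run on any connected app from Entra's consent data without reading a single mailbox.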
2. Data storage and encryption
- Data in transit: TLS 1.3 encrypted
- Data at rest: AES-256 via Supabase
- Database hosting: Supabase — EU region
- Application hosting: Vercel — EU edge network
- OAuth token storage: Encrypted — never plain text
- Employee device storage: None — no local data
3. Who can access your data
- Your tenant data is isolated per organisation — no cross-tenant data access is possible
- Access to production data is restricted to the founding team only
- No third-party sub-processors have access to raw tenant data
- Sub-processors: Supabase (storage), Vercel (hosting), Stripe (payment processing only — no tenant data)
4. Certifications and security assessments
- Cyber Essentials: In progress
- Penetration testing (CREST-accredited): Scheduled Q3 2026
- ISO 27001: Planned 2027
- SOC 2 Type 2: Planned 2027
We are open about the fact that, as an early-stage product, our formal certifications are still in progress. We provide full security questionnaire responses on request — contact security@lumenii.io.
5. Data deletion on cancellation
- ✓ OAuth tokens are revoked immediately on disconnection
- ✓ Scan data is deleted within 7 days of cancellation
- ✓ Account and billing data is deleted within 30 days
- ✓ Written confirmation of deletion is provided on request
- ✓ You can revoke access at any time from Azure AD → Enterprise Applications → Lumenii → Delete
6. Incident response and breach notification
- You are notified of security incidents affecting your data within 72 hours of discovery (UK GDPR Article 33)
- A written incident report is provided within 14 days of any confirmed incident
- An incident response plan is maintained and reviewed annually
- Security contact: security@lumenii.io
7. Responsible disclosure
We welcome responsible disclosure of security vulnerabilities. Contact security@lumenii.io. We acknowledge all reports within 2 business days and provide updates within 14 days. We do not operate a paid bug bounty programme at this stage.
Security enquiries and vendor assessments
For security questionnaires, penetration test reports, vendor due diligence packs, or data processing documentation — contact us and we will respond within 24 hours.
Lumenii is a trading name of ForrTech Ltd · lumenii.io · Last reviewed May 2026