
Security & Trust

How Lumenii protects your organisation's data

1. What access Lumenii requests

Lumenii requests read-only OAuth access to Microsoft Entra ID and the Google Workspace Admin SDK. We use the Microsoft Graph API with the following permissions:

  • Directory.Read.All — read service principals and OAuth grants to detect connected AI tools
  • AuditLog.Read.All — read sign-in activity logs to identify when AI tools were first used
  • DeviceManagementApps.Read.All — read Intune managed app data for mobile AI detection (optional)

We explicitly do NOT access and CANNOT access:

  • Email content — Mail.Read is not requested
  • Document or file content
  • Calendar entry content or meeting details
  • Microsoft Teams message content
  • User passwords or credentials of any kind
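A tenant administrator can confirm the permission set above from their own side rather than taking the list on trust. The following is an added example (not Lumenii's code) that reads the delegated OAuth grants Microsoft Graph records for an enterprise application and compares them with the scopes declared on this page. It assumes the permissions are delegated scopes (the page says "OAuth access"; application permissions would instead appear under appRoleAssignments and need resolving against the resource's appRoles), and the mapping of "email, files, calendar, Teams" to concrete Graph scope names in FORBIDDEN_SCOPES is an assumption of the example. The sample grants are constructed, with placeholder ids.

```python
"""Audit an Entra ID enterprise app's delegated OAuth grants against a vendor's stated scope list."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Scopes the trust page says are requested (assumed to be delegated scopes).
DECLARED_SCOPES = {
    "Directory.Read.All",
    "AuditLog.Read.All",
    "DeviceManagementApps.Read.All",
}

# Assumed mapping of the page's "never accessed" categories to Graph scope names;
# any of these appearing in a grant is a hard finding.
FORBIDDEN_SCOPES = {
    "Mail.Read", "Mail.ReadWrite",            # email content
    "Files.Read.All", "Sites.Read.All",       # document / file content
    "Calendars.Read",                         # calendar entries
    "ChannelMessage.Read.All", "Chat.Read",   # Teams messages
}


def fetch_grants(service_principal_id: str, access_token: str) -> list:
    """Fetch the oauth2PermissionGrants for a service principal via Microsoft Graph.

    Network call; the caller needs an admin token able to read grants. The offline
    audit below does not depend on this function.
    """
    req = urllib.request.Request(
        f"{GRAPH}/servicePrincipals/{service_principal_id}/oauth2PermissionGrants",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def audit_grants(grants: list, declared=DECLARED_SCOPES, forbidden=FORBIDDEN_SCOPES) -> dict:
    """Compare each grant's space-separated 'scope' string with the declared scope list.

    Returns the scopes granted but not declared, any forbidden scopes present, declared
    scopes not (yet) granted, and the consent type of each grant. 'AllPrincipals' means
    admin consent for the whole tenant; 'Principal' means a single user consented.
    """
    granted = set()
    consent_types = {}
    for grant in grants:
        scopes = set(grant.get("scope", "").split())
        granted |= scopes
        consent_types[grant["id"]] = grant.get("consentType")
    return {
        "undeclared": sorted(granted - declared),
        "forbidden": sorted(granted & forbidden),
        "missing": sorted(declared - granted),
        "consent_types": consent_types,
        "ok": not (granted - declared),
    }


# Constructed sample shaped like Graph oauth2PermissionGrant objects; ids are placeholders.
SAMPLE_GRANTS = [
    {"id": "grant-placeholder-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Directory.Read.All AuditLog.Read.All"},
    {"id": "grant-placeholder-2", "consentType": "Principal", "principalId": "user-placeholder",
     "scope": "DeviceManagementApps.Read.All Mail.Read"},
]

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_grants(...) for a live tenant.
    print(json.dumps(audit_grants(SAMPLE_GRANTS), indent=2))
```

The second constructed grant deliberately carries Mail.Read so the run shows what a finding looks like: it is reported both as undeclared and as forbidden, and `ok` is False. A user-scoped (`Principal`) grant alongside a tenant-wide one is also worth noticing, since it means someone consented individually rather than through admin consent.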

2. Data storage and encryption

  • Data in transit: TLS 1.3 encrypted
  • Data at rest: AES-256 via Supabase
  • Database hosting: Supabase — EU region
  • Application hosting: Vercel — EU edge network
  • OAuth token storage: Encrypted — never plain text
  • Employee device storage: None — no local data

3. Who can access your data

  • Your tenant data is isolated per organisation — no cross-tenant data access is possible
  • Access to production data is restricted to the founding team only
  • No third-party sub-processors have access to raw tenant data
  • Sub-processors: Supabase (storage), Vercel (hosting), Stripe (payment processing only — no tenant data)

4. Certifications and security assessments

  • Cyber Essentials: In progress
  • Penetration testing (CREST-accredited): Scheduled Q3 2026
  • ISO 27001: Planned 2027
  • SOC 2 Type 2: Planned 2027

We are transparent that, as an early-stage product, our formal certifications are still in progress. We provide full security questionnaire responses on request — contact security@lumenii.io.

5. Data deletion on cancellation

  • OAuth tokens are revoked immediately on disconnection
  • Scan data is deleted within 7 days of cancellation
  • Account and billing data is deleted within 30 days
  • Written confirmation of deletion is provided on request
  • You can revoke access at any time from Azure AD → Enterprise Applications → Lumenii → Delete

6. Incident response and breach notification

  • Security incidents affecting your data are notified within 72 hours of discovery (UK GDPR Article 33)
  • Written incident report provided within 14 days of any confirmed incident
  • Incident response plan maintained and reviewed annually
  • Security contact: security@lumenii.io

7. Responsible disclosure

We welcome responsible disclosure of security vulnerabilities. Contact security@lumenii.io. We acknowledge all reports within 2 business days and provide updates within 14 days. We do not operate a paid bug bounty programme at this stage.

Security enquiries and vendor assessments

For security questionnaires, penetration test reports, vendor due diligence packs, or data processing documentation — contact us and we will respond within 24 hours.

Lumenii is a trading name of ForrTech Ltd · lumenii.io · Last reviewed May 2026