Security

Data close to you. Functionality attentive to local legal requirements.

SOC-2 / ISO-27001 aligned controls, regional data residency (EU and US), federated SSO with tenant-branded subdomains, field-level audit trail, and AI outputs that cite their sources. GDPR processor model and EU AI Act forward-compatibility for European customers.

What customers' security teams ask first

And the answers we ship by default.

These are the questions we field on every evaluation. Here's the documentation we provide and the architecture behind it.

Where does our data live?

EU customers default to Frankfurt or Dublin; US customers default to US East. Customer data does not cross regions without explicit opt-in.

EU & US residency by default

How do you keep customer tenants apart?

Strong logical isolation at the database and service layers. Every record is tagged with its tenant; cross-tenant access is impossible by construction. Federated SSO with tenant-branded subdomains (tenant.lucendus.com).

Tenant-isolated by construction

What's actually in the audit log?

Field-level structured diffs across every domain object. Activity tab on every record. Provenance envelope (OriginType, DataQuality, SourceRef, AI Context) on every entry. Per-tenant retention.

Field-level diffs, append-only

Do you train AI models on our data?

No. Customer data is never used for general model training. AI outputs cite sources, are flagged with confidence and human-approval state, and are auditable.

Tenant-only, with citations

What's your SOC-2 posture?

Aligned controls; not yet certified. ISO 27001 in progress. SOC-2 Type II audit on roadmap.

Aligned, not certified

How does access control work?

Multi-tier IAM: Policy / Permission / Role / Group / User. Fine-grained conditions on policies. Structured denial responses with actionable reason codes (MISSING_PERMISSION, MISSING_ROLE, etc.). Federated SSO via Entra ID / generic OIDC.

Fine-grained, structured
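
As an added illustration (not Lucendus code; the class names, the tenant check and the codes TENANT_MISMATCH and CONDITION_NOT_MET are assumptions), this sketch shows how a multi-tier Policy / Permission / Role / Group / User check can return structured denials with actionable reason codes such as MISSING_PERMISSION and MISSING_ROLE instead of a bare 403:

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical model of the tiers named above: Policy -> Permission -> Role -> Group -> User.
@dataclass(frozen=True)
class Policy:
    permission: str                                      # the permission this policy grants
    condition: Optional[Callable[[dict], bool]] = None   # fine-grained condition on the request

@dataclass
class Role:
    name: str
    policies: list

@dataclass
class Group:
    name: str
    roles: list

@dataclass
class User:
    name: str
    tenant: str
    groups: list

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # "OK" or an actionable denial code

def authorize(user: User, permission: str, required_role: Optional[str], request: dict) -> Decision:
    """Evaluate one request; a denial names the first unmet requirement."""
    # Every request carries a tenant tag; a mismatch is refused before any policy lookup.
    if request.get("tenant") != user.tenant:
        return Decision(False, "TENANT_MISMATCH")  # constructed code, not one listed on the page
    roles = [r for g in user.groups for r in g.roles]
    if required_role and required_role not in {r.name for r in roles}:
        return Decision(False, "MISSING_ROLE")
    matching = [p for r in roles for p in r.policies if p.permission == permission]
    if not matching:
        return Decision(False, "MISSING_PERMISSION")
    # Any matching policy with no condition, or whose condition passes, grants access.
    if any(p.condition is None or p.condition(request) for p in matching):
        return Decision(True, "OK")
    return Decision(False, "CONDITION_NOT_MET")  # constructed code

# Constructed sample tenant: analysts may read anything and export non-restricted records.
ANALYST = Role("analyst", [Policy("record:read"),
                           Policy("record:export", lambda r: r.get("classification") != "restricted")])
alice = User("alice", "acme", [Group("analysts", [ANALYST])])
```
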

GDPR: Structural details

We are the processor for tenant data and the controller for platform account data. Customer data subject access requests (DSARs) flow through documented procedures. Retention is configurable per data class. We don't sell personal data. The DPA template, sub-processor list, and full GDPR documentation are available under NDA during evaluation.

Want the full security questionnaire?

We share the controls map, sub-processor list, DPA template, and audit-log schema under NDA during evaluation.

  • Lifetime early-access pricing — locked for the duration of your relationship
  • Direct roadmap influence — your problems drive prioritisation
  • Platform configured against your actual data — not a demo environment
  • Initial cohort limited to five organisations

Personal review of every application. Response within five business days.

Security & Compliance. Lucendus