Built secure from day one.
Trust, earned every day.
Your data is yours. Keeping it safe, isolated, and yours alone is the foundation everything else at PanLuma is built on.
AWS-hosted in us-east-1
Application, database, cache, and object storage run on AWS in the N. Virginia region.
TLS 1.2+ everywhere
All traffic to PanLuma is encrypted in transit via CloudFront and the AWS load balancer.
Independently auditable
Our security policies are published and versioned. Pick any claim — find its source.
Our security practices
What we do to protect your data
Your data is isolated.
PanLuma is multi-tenant. Tenant isolation is enforced in the database — not just by convention — using PostgreSQL Row-Level Security with a tenant_id on every table.
Multi-tenant by design with PostgreSQL Row-Level Security
Every business record carries a tenant_id and is gated by RLS policies in the database itself — not just at the application layer.
Strict tenant scoping on every query
Application code runs every query inside a tenant-scoped database session, so a query that omits its tenant filter returns no cross-tenant rows: the RLS policy, not the query author, applies the boundary.
Isolated workloads
Each tenant's data lives in shared infrastructure with logical isolation enforced at the database, cache, and application layers.
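The database-level gate described above, as an added example (not PanLuma's code): the DDL one would apply to a table that carries `tenant_id`, and the tenant-scoped transaction that pins the tenant through a transaction-local setting. Everything named here is assumed rather than taken from the page: UUID tenant ids, an application role `app_rw` that is neither a superuser nor the table owner, the setting name `app.current_tenant`, and a `documents` table. `RecordingConnection` is a stand-in that records SQL instead of executing it, so the block runs without a PostgreSQL server.

```python
"""Tenant isolation with PostgreSQL Row-Level Security (added example, not PanLuma's code).

Assumed, not stated on the page: tenant ids are UUIDs, the app connects as the
non-superuser, non-owner role APP_ROLE, and the current tenant travels in the
transaction-local setting TENANT_GUC.
"""
import uuid
from contextlib import contextmanager

APP_ROLE = "app_rw"                 # assumed application role
TENANT_GUC = "app.current_tenant"   # assumed setting name


def rls_ddl(table: str) -> str:
    """DDL that makes the policy, not the query, the tenant gate for `table`.

    FORCE ROW LEVEL SECURITY applies the policy to the table owner too; policies
    never apply to superusers, so the app role must not be one. With the second
    argument of current_setting set to true, an unset GUC yields NULL, and
    `tenant_id = NULL` is never true: an unscoped session sees zero rows, not
    every tenant's rows.
    """
    if not table.isidentifier():
        raise ValueError(f"refusing to interpolate non-identifier table name {table!r}")
    return "\n".join([
        f"ALTER TABLE {table} ENABLE ROW LEVEL SECURITY;",
        f"ALTER TABLE {table} FORCE ROW LEVEL SECURITY;",
        f"DROP POLICY IF EXISTS tenant_isolation ON {table};",
        f"CREATE POLICY tenant_isolation ON {table}",
        f"    FOR ALL TO {APP_ROLE}",
        f"    USING (tenant_id = current_setting('{TENANT_GUC}', true)::uuid)",
        f"    WITH CHECK (tenant_id = current_setting('{TENANT_GUC}', true)::uuid);",
    ])


@contextmanager
def tenant_scope(conn, tenant_id):
    """Run one transaction with the tenant pinned via a transaction-local setting.

    set_config(name, value, is_local => true) is SET LOCAL with bind parameters,
    so the tenant id never passes through string formatting. Because it is
    transaction-local it vanishes at COMMIT/ROLLBACK, which is what keeps a
    pooled connection from carrying one tenant's scope into the next request.
    """
    tid = str(uuid.UUID(str(tenant_id)))   # rejects anything that is not a UUID
    cur = conn.cursor()
    try:
        cur.execute("SELECT set_config(%s, %s, true)", (TENANT_GUC, tid))
        yield cur
        conn.commit()
    except Exception:
        conn.rollback()
        raise
    finally:
        cur.close()


class RecordingConnection:
    """Offline stand-in for a DB-API connection (constructed for this example).

    It records (sql, params) in order instead of talking to PostgreSQL.
    """

    def __init__(self):
        self.log = []
        self.committed = False
        self.rolled_back = False

    def cursor(self):
        conn = self

        class _Cursor:
            def execute(self, sql, params=None):
                conn.log.append((sql, params))

            def close(self):
                pass

        return _Cursor()

    def commit(self):
        self.committed = True

    def rollback(self):
        self.rolled_back = True


def demo(tenant_id):
    """Issue one tenant-scoped read; returns the connection with its recorded SQL."""
    conn = RecordingConnection()
    with tenant_scope(conn, tenant_id) as cur:
        cur.execute("SELECT id, title FROM documents ORDER BY id", None)
    return conn


if __name__ == "__main__":
    print(rls_ddl("documents"))
    for sql, params in demo("0f8fad5b-d9cb-469f-a165-70867728950e").log:
        print(sql, params)
```

Two checks worth running against a real deployment: `SELECT rolsuper, rolbypassrls FROM pg_roles WHERE rolname = 'app_rw'` must return false for both, and `SELECT relforcerowsecurity FROM pg_class WHERE relname = 'documents'` must return true, otherwise the policy is decorative.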
Your data is encrypted.
Data is encrypted in transit and at rest. Sensitive secrets — OAuth tokens, API keys — are encrypted again at the application layer.
TLS 1.2 or higher in transit
CloudFront and the application load balancer enforce modern TLS for every request.
AWS-managed encryption at rest
RDS, S3, ElastiCache, and EBS volumes are encrypted at rest using AWS KMS-managed keys.
OAuth tokens encrypted with Fernet
Tokens for connected integrations (Google, Microsoft, Notion, etc.) are encrypted with Fernet (AES-128-CBC with an HMAC-SHA256 tag) at the application layer before being written to the database, so a copy of the database alone does not yield usable tokens.
Passwords hashed with bcrypt
PanLuma never stores plaintext passwords. SSO is supported and recommended.
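The Fernet step above, as an added example that is not PanLuma's code: a small vault that seals an integration token before it is written, opens it on read, rejects a ciphertext that has been tampered with, and re-encrypts stored blobs under a new key when keys rotate. Assumed, not stated on the page: keys are loaded at process start from an environment variable or a KMS-backed secret, never stored in the same database as the ciphertext, and the key list holds the newest key first. The token value and stored row are constructed for the demo.

```python
"""Application-layer encryption of integration tokens with Fernet (added example).

Assumed, not from the page: keys come from the environment / KMS at startup and
are never persisted beside the ciphertext; keys[0] is the current encryption key.
Fernet tokens are AES-128-CBC ciphertext authenticated with HMAC-SHA256.
"""
import base64
from typing import Sequence

from cryptography.fernet import Fernet, InvalidToken, MultiFernet


class TokenVault:
    """Encrypt-before-write / decrypt-after-read for integration tokens."""

    def __init__(self, keys: Sequence[bytes]):
        if not keys:
            raise ValueError("at least one Fernet key is required")
        # MultiFernet encrypts with keys[0] and tries every key on decrypt,
        # so old ciphertext stays readable during a rotation window.
        self._mf = MultiFernet([Fernet(k) for k in keys])

    def seal(self, plaintext: str) -> bytes:
        """Ciphertext to store in the database column."""
        return self._mf.encrypt(plaintext.encode("utf-8"))

    def open(self, blob: bytes) -> str:
        """Plaintext for use at runtime; raises InvalidToken on any tampering."""
        return self._mf.decrypt(blob).decode("utf-8")

    def rotate(self, blob: bytes) -> bytes:
        """Re-encrypt an existing blob under keys[0] without exposing it to the caller."""
        return self._mf.rotate(blob)


def tampered_copy(blob: bytes) -> bytes:
    """Flip one bit inside the ciphertext region of a Fernet token.

    Layout: 1 byte version, 8 bytes timestamp, 16 bytes IV, ciphertext, 32 bytes HMAC.
    Byte 30 therefore lies inside the ciphertext, after the 25-byte header.
    """
    raw = bytearray(base64.urlsafe_b64decode(blob))
    raw[30] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw))


def demo():
    """Round trip, tamper rejection and key rotation; returns what each step observed."""
    old_key, new_key = Fernet.generate_key(), Fernet.generate_key()
    access_token = "ya29.constructed-demo-access-token"   # constructed value, not a real token

    vault = TokenVault([old_key])
    row = {"provider": "google", "access_token_enc": vault.seal(access_token)}  # constructed row

    try:
        vault.open(tampered_copy(row["access_token_enc"]))
        tamper_rejected = False
    except InvalidToken:
        tamper_rejected = True

    # Rotation window: new key first, old key still accepted for reads.
    rotating = TokenVault([new_key, old_key])
    readable_during_rotation = rotating.open(row["access_token_enc"]) == access_token
    row["access_token_enc"] = rotating.rotate(row["access_token_enc"])

    # After the window the old key is dropped; rotated blobs still open.
    final = TokenVault([new_key])
    return {
        "round_trip": final.open(row["access_token_enc"]) == access_token,
        "tamper_rejected": tamper_rejected,
        "readable_during_rotation": readable_during_rotation,
    }


if __name__ == "__main__":
    print(demo())
```

Rotation is a table-wide `rotate` over every stored blob, committed before the old key is removed from the list; a blob that was missed stays readable only as long as the old key remains in `keys`.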
Your data is recoverable.
Backup, retention, and restore targets are documented in our Backup & Disaster Recovery Policy.
Automated daily RDS snapshots
Retained for 7 days, with Point-in-Time Recovery for the same window.
S3 versioning
Uploaded files are versioned, so accidental overwrites or deletions can be recovered.
Restore-tested twice a year
We exercise the restore path on a real, isolated environment to confirm RTO/RPO targets are achievable — not just configured.
On the roadmap
Cross-region snapshot copy and S3 cross-region replication are on the backlog — we don't claim them yet.
Access is least-privilege.
Our Access Control Policy governs who can reach what, with what method, and for how long.
Tier-based access controls
Roles separate everyday users, admins, and sysadmin operators. Privileged tiers are tightly scoped.
MFA required for all PanLuma personnel
TOTP at minimum on every account that can reach production. SSO providers enforce MFA for federated logins.
Just-in-time elevation
Production access is not standing — it is requested, justified, time-bounded, and audited.
Every privileged action audited
Audit logs capture both the human actor and any AI agent acting on their behalf.
Code is reviewed before it ships.
Every change to PanLuma passes an automated, multi-specialist security review and a full test gate before it can reach production.
AI code review on every push
A multi-agent security/architecture/testing review runs on every push to main and on every pull request — no human can merge around it.
OWASP ASVS Level 2 alignment
Our internal application-security baseline targets ASVS Level 2 controls.
Dependency & secret scanning
Dependencies are scanned on every build; secret scanning is enforced in CI to catch accidental commits.
Pre-push test gates
Backend, frontend, and integration suites must pass before code can be pushed. Coverage is ratcheted to prevent regression.
Compliance & alignment
Where we stand today, and where we're going
Honest status — not aspirational badges.
In progress. We are preparing for CASA Tier 2 self-assessment as part of our Google Workspace integration verification.
Controller/processor framework in place. We sign DPAs with all sub-processors and offer a customer DPA on request.
On the roadmap. We have not started a SOC 2 audit yet and we do not claim certification today.
The certified infrastructure under us
What we lean on
We are honest about the difference between PanLuma's own certifications and the certifications of the vendors we build on. These are the latter.
SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI-DSS, HIPAA BAA-eligible, GDPR. aws.amazon.com/compliance/programs →
SOC 2 Type 2. Does not train on API customer data. trust.anthropic.com →
SOC 2, ISO 27001. twilio.com/security →
SOC 2/3, ISO 27001/17/18, FedRAMP. workspace.google.com/security →
SOC 1/2, ISO 27001/17/18, FedRAMP. microsoft.com/trustcenter →
SOC 2 Type 2. EU data residency for PanLuma (PostHog Cloud EU). posthog.com/security →
EU-hosted, GDPR-compliant analytics for our marketing site. No cookies, no personal data. plausible.io/data-policy →
SOC 1/2, ISO 27001. Hosts PanLuma source code; no customer data flows through GitHub at runtime. github.com/security →
See the complete catalogue of who processes what, where, and under which DPA. View sub-processors →
Found something? Tell us.
PanLuma operates a public Vulnerability Disclosure Program with safe-harbor terms for good-faith researchers. Email security@panluma.ai — or see our security.txt.
Hall of Fame
See the Security Researcher Hall of Fame →
The page is newly published and will be updated as researchers submit valid reports.
Public acknowledgement
Researchers who submit valid, in-scope reports — and consent to being named — are listed publicly.
Written acknowledgement on request
Anonymous researchers can request a written acknowledgement letter for their records.
Documents we publish
Read the source, not just the summary
Our security policies are version-controlled in the PanLuma repository. Pick any claim on this page — you should be able to find it here.
Scope, safe harbor, response targets. Read →
Every third party that processes customer data, what they do, where, and under which DPA. Read →
What we collect, why, and your rights as a data subject. Read →
The contract for using PanLuma. Read →
PanLuma's customer-facing DPA is available on request — email privacy@panluma.ai.
Information Security, Incident Response, Data Retention, Access Control, Backup & DR, and Data Flow diagrams. View on GitHub →
