Lumipact Security

Built for businesses that cannot afford contract blind spots.

Security is product behavior, not a PDF checkbox. This page explains how we host data, protect access, and handle incidents so you can assess risk in plain language.

Hosting region and infrastructure

Lumipact is hosted in the EU. Application infrastructure runs in AWS (Frankfurt), and contract/auth data is stored in Supabase EU regions. We use managed infrastructure with regular patching and baseline monitoring.

Encryption

Data is encrypted in transit using TLS and encrypted at rest by our infrastructure providers. Credentials and server-side keys are stored outside source control and are rotated when needed.

Access control model

Access is tenant-scoped by default. Role-based permissions control who can see, edit, and administer contract records. Sensitive agreements can be restricted to narrow groups, and actions are captured in an audit log.

GDPR and data handling

Lumipact is designed for EU customers and GDPR expectations. Data processing stays in supported regions, customer data is segregated by tenant, and we support export and deletion workflows on request.

Data portability and deletion

Customers can export contracts and structured metadata. If you cancel, we provide an export path and remove account data within 30 days unless a shorter deletion window is requested.

Subprocessors

Core subprocessors currently include AWS (hosting), Supabase (database/auth/storage), and Resend (transactional email). A formal subprocessor register will be published before general availability.

Incident response

We monitor availability and investigate suspicious behavior as a priority. Security incidents that affect customer data are triaged immediately, contained, and communicated to impacted customers with mitigation steps.

Security contact: security@lumipact.com
