Security at Lumi

Lumi accesses your most personal tools. Here's exactly how we protect your data.

Architecture

Lumi is designed with a privacy-first architecture. Your data stays on your device whenever possible, and only leaves when you explicitly request an action that requires a network call.

On-device processing

Voice-to-text conversion, routine AI tasks, and conversation history are processed and stored locally on your device. No audio recordings are retained after transcription.

Cloud processing

Complex multi-step reasoning and connections to third-party services require cloud processing. When data is sent to our servers, it is encrypted in transit (TLS 1.3) and processed in memory without persistent storage.

Third-party connections

When you connect Lumi to a service like Slack or Google Drive, Lumi authenticates directly with that service using OAuth 2.0. Access tokens are stored in your device's hardware-backed secure storage (Android Keystore or iOS Keychain). We never see or store your passwords.

What we never do

  • Never use your data to train AI models
  • Never sell, rent, or trade your personal information
  • Never display ads or use your data for ad targeting
  • Never store voice recordings beyond the instant of transcription
  • Never access services you haven't explicitly connected
  • Never share data with third parties except to fulfill your requests

Encryption

In transit: All data transmitted between the App, our servers, and third-party services uses TLS 1.3 with forward secrecy.

At rest: Account data and organizational data stored on our servers is encrypted with AES-256. Service access tokens are stored in your device's hardware-backed secure enclave.

Key management: Encryption keys are managed through industry-standard key management services with automatic rotation.

Enterprise controls

Lumi Business and Enterprise plans include controls that IT teams expect:

  • SSO/SAML: integrate with Okta, Azure AD, Google Workspace
  • Role-based access: executive, manager, IC, and guest permission levels
  • Audit logging: every action logged with timestamp, user, service, and result
  • Admin console: manage integrations, policies, seats, and data retention
  • Data residency: choose storage region for organizational data
  • Scoped indexing: admins control which services and channels are searchable

Compliance

SOC 2

Type II in progress

GDPR

Compliant

CCPA

Compliant

HIPAA

BAA available

Responsible disclosure

Found a security issue? We take all reports seriously. Email security@lumi.app with details. We aim to acknowledge within 24 hours and resolve critical issues within 72 hours.