Security

Audit Logs and Activity Tracking

See who did what — guest history, check-ins, email delivery, and the security records available on every plan

Luma keeps a record of the actions that happen around your events, and a lot of it is visible to you directly — no Enterprise plan required. This article covers what you can see on a standard or Luma Plus plan, the compliance documentation available to support a security review, and what’s reserved for Enterprise.

Guest Activity Timeline

Every guest has a detailed activity timeline that acts as an audit trail for their registration. To view it, go to your event’s Manage Event page, open the Guests tab, and click any guest to open their Guest Details panel.

The timeline records, with the time each action happened and the host or manager who performed it:

  • Registration — when and how the guest registered (self-registered, invited, or added directly), and who invited or added them
  • Status changes — every change to their registration status (for example, Pending to Going), and which host or manager made it
  • Ticket changes — tickets added, removed, or transferred
  • Refunds — when a refund was issued and the amount
  • Check-in and check-out — when the guest was checked in or out, and by which team member
  • Email history — every email sent to the guest, with delivery and open status

This gives you a complete, per-guest record of who approved a registration, who processed a check-in, and what changed along the way. For more on managing guests, see Updating Guest Information.

Email Delivery and Open Tracking

For each email sent to a guest, the timeline shows whether it was delivered, opened, clicked, bounced, or marked as spam, along with timestamps. This is especially useful when a guest says they didn’t receive a message — you can confirm whether it reached their inbox and was opened, which helps you tell a delivery problem apart from an email that simply went unnoticed.

Check-In Records

When you check a guest in at an event, Luma records the time and the team member who performed the check-in. These records appear in the guest’s activity timeline, so you always have an accurate account of who was checked in, when, and by whom.

Calendar Activity Log

Calendars on Luma Plus include an Activity section in calendar settings that logs administrative changes — such as updates to your subscription, send limits, and admin seats — along with the person who made each change and when. This is available to calendar admins on a Luma Plus subscription.

Managing Your Data

Alongside these records, you control your event data directly:

  • Export your guest list to CSV or Excel at any time — see Download Guest CSV
  • Delete your data — you can delete your account and associated data from luma.com/settings, supporting data subject rights such as access, rectification, and erasure
  • Control visibility — set events to public, unlisted, or private, require approval for registration, password-protect events, and restrict search engine indexing

Security and Compliance Documentation

If you’re completing an internal security or compliance review, these resources are available on every plan:

  • SOC 2 Type II report, SOC 3 report, and live control status at trust.luma.com — third-party attestation that our security, monitoring, logging, and incident-response controls are in place and audited
  • Standard Data Processing Agreement at luma.com/dpa, which sets out our data protection and breach-notification commitments
  • Subprocessor list at luma.com/subprocessors
  • Third-party penetration testing — we engage an external firm for an annual penetration test of our web app and public API, combining automated scanning with manual testing, and run automated dependency scanning on an ongoing basis. Our most recent test passed with a top grade on both our web app and public API — see the penetration test certificate, which is independently verifiable

For a fuller picture of our security practices, see Enterprise Security and GDPR / Security.

What’s Included with Enterprise

Some capabilities that security and compliance teams ask for are part of our Enterprise plan:

  • Comprehensive, customer-accessible audit logging — direct access to platform-level logs of authentication, authorization, and administrative events, beyond the guest- and event-level records above
  • Committed log retention periods with written evidence for your records
  • Incident investigation support, including providing relevant logs to your team for a suspected incident
  • Completed security questionnaires, custom Data Processing Agreements, SSO, and a dedicated security review

To learn more, see our Enterprise Overview or contact [email protected].

Didn’t find what you are looking for?
Contact Us