---
title: "Enterprise Security"
subtitle: "Comprehensive overview of Luma’s security practices and infrastructure for enterprise customers"
slug: "enterprise-security"
url: "https://help.luma.com/p/enterprise-security"
tags: ["Enterprise", "Security"]
---

## Executive Summary

Luma is committed to maintaining strong security and data protection practices for our enterprise customers. Our security program is designed to protect event data, attendee information, and organizational assets while enabling seamless event management and collaboration.

This document provides an overview of our security practices, infrastructure, and controls for security teams, compliance officers, and decision-makers evaluating Luma for enterprise deployment. For information about Enterprise plan features including SSO and dedicated support, see our [Enterprise Overview](/p/enterprise-overview).

## Security Governance & Compliance

**Regulatory Compliance**

Luma aligns its practices with major data protection regulations:

- **GDPR (General Data Protection Regulation)**: Practices aligned with EU data protection requirements, including support for data subject rights, privacy by design, and cross-border transfer mechanisms
- **CCPA (California Consumer Privacy Act)**: Practices aligned with California privacy requirements, including support for consumer rights to access, delete, and opt-out of certain data uses
- **Data Processing Agreements**: Available for enterprise customers at [luma.com/dpa](https://luma.com/dpa)

**Certifications and Audits**

Luma maintains an annual SOC 2 Type II audit covering the Security trust services criteria, conducted by Sensiba LLP. Our most recent report covers the period January 1, 2026 to March 31, 2026. The SOC 2 Type II report and companion SOC 3 report are available publicly at [trust.luma.com](https://trust.luma.com), along with live compliance status and additional security documentation.

**Security Policies**

Our security program includes:

- Security policies and procedures covering data protection
- Incident response procedures with defined roles
- Regular policy reviews to address emerging threats
- Security training for all team members

## Infrastructure & Network Security

**Cloud Infrastructure**

Luma leverages Amazon Web Services (AWS) for reliable and secure infrastructure:

- Enterprise-grade cloud hosting with global availability
- Adherence to AWS security best practices under the shared responsibility model
- Regular infrastructure updates and patches
- Automated scaling to handle traffic spikes during large events

**Network Security**

- Network segmentation to isolate application tiers
- Private subnets for database and application servers
- Secure VPC configurations with controlled access
- Cloudflare integration for DDoS mitigation and Web Application Firewall (WAF)
- Rate limiting to prevent abuse

**Physical Security**

AWS data centers provide physical security monitoring, biometric access controls, and environmental controls, and maintain SOC 2 and ISO 27001 certifications.

## Data Protection & Encryption

**Encryption Standards**

All sensitive data is protected using industry-standard encryption:

- **At Rest**: AES-256 encryption for all stored data, including databases, file storage, and backups
- **In Transit**: TLS 1.2+ for all data transmission, with TLS 1.3 support
- **Key Management**: Secure key storage and rotation using AWS KMS
- **Database Encryption**: Transparent data encryption for all database instances

**Data Backup and Recovery**

- Automated daily backups with point-in-time recovery
- Geographically distributed backup storage
- Documented recovery procedures

**Data Retention and Deletion**

- Data retention policies aligned with legal requirements
- Automated data purging based on retention schedules
- Secure data deletion procedures
- Customer-initiated data deletion capabilities
- Right to erasure support for GDPR compliance

## Application Security

**Secure Development**

Our development process incorporates security best practices:

- Mandatory code reviews for all changes
- Automated security testing and dependency scanning
- Timely application of security patches
- Responsible disclosure program for security researchers

**Security Controls**

We implement protections against common vulnerabilities including:

- Input validation and parameterized queries to prevent injection
- Secure authentication and session management
- XSS protection through output encoding and CSP headers
- CSRF tokens for state-changing operations

**API Security**

- OAuth 2.0 and API key authentication
- Rate limiting per endpoint and per user
- Comprehensive API logging

**Penetration Testing**

Luma engages a third-party security firm to perform an annual penetration test covering both our web application and public API. Our most recent test was conducted by [Astra Security](https://www.getastra.com/) (CREST certified, CERT-In empaneled), combining automated vulnerability scanning with manual testing. Findings are triaged and remediated within defined SLAs, with a re-scan to validate fixes before the engagement closes. Summary reports and certificates are available to enterprise customers.

## Access Control & Identity Management

**Employee Access**

- Principle of least privilege for all access grants
- Multi-factor authentication (MFA) required for all employee accounts
- Separation of development and production environments
- Privileged actions logged and monitored

**Customer Identity Management**

- Support for enterprise SSO via SAML 2.0 and OAuth 2.0
- Integration with major identity providers (Okta, Google Workspace, etc.)
- Flexible role-based access control (RBAC) for team management
- Granular permissions for calendar and event management
- Audit logging of authentication and authorization events

## User Data Security

**Payment Security**

Luma uses Stripe for all payment processing. Card fields in our checkout are rendered by Stripe Elements embedded directly in the Luma page, so the card data is captured and transmitted by Stripe (not Luma) even though the checkout visually lives inside Luma. Luma only ever receives tokenized references, which keeps card data out of our environment entirely. Stripe maintains PCI DSS Level 1 certification (the highest level available), and their attestation of compliance covers the card data path. Because Luma does not store, process, or transmit cardholder data, we are not in scope for PCI DSS cardholder data environment requirements.

- No credit card data stored in Luma systems
- Tokenization for all payment processing
- Secure checkout process with fraud detection
- Support for 3D Secure authentication
- Encrypted payment receipts and invoices

**File Upload Security**

- File type validation and restrictions
- Size limits to prevent resource exhaustion
- Secure CDN delivery with signed URLs
- Image processing in isolated environments

**Registration and Check-in Security**

- Unique ticket codes with cryptographic validation
- Mobile app security for check-in operations
- Duplicate registration prevention
- Waitlist management with secure approval workflows

## Monitoring & Incident Response

**Security Monitoring**

- Automated monitoring and alerting for security events
- Centralized logging of system activities
- Performance and availability monitoring

**Incident Response**

- Documented incident response plan with defined roles
- Incident classification and severity levels
- Timely customer notification consistent with legal obligations
- Coordination with law enforcement when required
- Post-incident reviews and lessons learned

## Vendor & Third-Party Security

We partner with industry-leading providers:

- **AWS**: Cloud infrastructure and hosting
- **Stripe**: Payment processing (PCI DSS Level 1)
- **Twilio**: SMS and communication services
- **Cloudflare**: CDN and DDoS protection

All vendors are evaluated for security practices, and we maintain:

- Contractual security requirements for key vendors
- Data processing agreements with subprocessors
- List of subprocessors at [luma.com/subprocessors](https://luma.com/subprocessors)
- Automated dependency scanning for software vulnerabilities

## Business Continuity & Availability

**High Availability**

Our infrastructure is designed for reliability:

- High availability architecture with uptime SLAs available for enterprise plans
- Load-balanced application servers
- Database replication with automatic failover
- Multiple availability zones for redundancy
- Auto-scaling for traffic spikes
- Planned maintenance windows with advance notice

**Disaster Recovery**

- Documented disaster recovery procedures
- Automated failover capabilities
- Regular backups with geographic distribution

## Privacy & Data Rights

**Privacy by Design**

- Privacy considerations in all new features
- Data minimization: collect only what’s necessary
- Purpose limitation: use data only for stated purposes
- Privacy impact assessments for new processing
- Default privacy settings favor user protection

**Data Processing Agreements**

- Standard DPA available at [luma.com/dpa](https://luma.com/dpa)
- GDPR-compliant processing terms
- Clear roles and responsibilities
- Standard contractual clauses for international transfers
- Customizable DPAs for enterprise requirements

**User Rights Management**

We support all data subject rights:

- **Access**: Users can request their personal data
- **Rectification**: Ability to correct inaccurate data
- **Deletion**: Right to erasure (“right to be forgotten”)
- **Portability**: Export data in machine-readable format
- **Objection**: Opt-out of certain processing activities
- **Restriction**: Limit processing in certain circumstances

**International Data Transfers**

- Monitoring evolving EU–US transfer frameworks
- Standard contractual clauses for transfers
- Adequate safeguards for all international transfers
- Note: Luma does not currently offer data residency options

**Data Minimization and Purpose Limitation**

- Clear purposes for all data collection
- Regular review of data collection practices
- Automatic data purging based on retention policies
- Anonymous analytics where possible

## Customer Security Features

**Event Security Controls**

- Private events with password protection
- Approval-required registration workflows
- Guest list management and access controls
- IP-based restrictions for sensitive events
- Custom registration questions with data validation

**Data Management Tools**

- Full guest data export in CSV/Excel formats
- Bulk operations for guest management
- Data retention controls per event
- Automated data purging options
- GDPR-compliant consent management

**Privacy and Visibility Settings**

- Flexible event visibility (public, unlisted, private)
- Attendee list visibility controls
- Social sharing restrictions
- Search engine indexing controls
- Custom privacy policies per event

**Custom Domain Security**

- SSL/TLS certificates for custom domains
- Modern security headers (e.g., HSTS) where supported
- Secure redirect handling
- Domain verification process
- DNS security best practices

**API and Integration Security**

- Secure webhooks with signature verification
- API rate limiting and quota management
- OAuth 2.0 for third-party integrations
- Zapier integration with secure authentication
- Detailed API access logs

## Security Training & Awareness

**Employee Security**

- Security onboarding for all team members
- Ongoing security awareness and training
- Secure coding practices for developers
- Email security protections including DMARC
- Device encryption requirements
- Remote work security guidelines

## Contact & Additional Resources

**Getting Started with Enterprise**

To learn more about Luma Enterprise and access these security features:

- Visit our pricing page at [luma.com/pricing](https://luma.com/pricing) and fill out the Enterprise contact form
- Email our team directly at [enterprise@luma.com](mailto:enterprise@luma.com)
- Review our [Enterprise Overview](/p/enterprise-overview) for feature details

**Security Contacts**

- Security Team: [security@luma.com](mailto:security@luma.com)
- Enterprise Support: [enterprise@luma.com](mailto:enterprise@luma.com)
- Data Protection Officer: [security@luma.com](mailto:security@luma.com)

**Documentation and Policies**

- Privacy Policy: [luma.com/privacy](https://luma.com/privacy)
- Terms of Service: [luma.com/terms](https://luma.com/terms)
- Data Processing Agreement: [luma.com/dpa](https://luma.com/dpa)
- Subprocessor List: [luma.com/subprocessors](https://luma.com/subprocessors)

**Security Updates**

- Security bulletins via email for enterprise customers
- Security blog posts and best practices

**Security Assurance**

- Security questionnaire support for enterprise customers
- Custom security assessments available
- Virtual security reviews with our team
- SOC 2 Type II and SOC 3 reports available publicly at [trust.luma.com](https://trust.luma.com)
- Additional compliance documentation available to enterprise customers with paid contracts

**Responsible Disclosure**

- We welcome security research on our platform
- Responsible disclosure guidelines available
- Recognition for valid security findings
- Coordinated disclosure timeline
- Contact: [security@luma.com](mailto:security@luma.com)
