Our posture, stated plainly, including what we have not done yet. Last updated 12 June 2026.
Every record is scoped to your organization and every query carries that scope; cross-tenant isolation is enforced in code and covered by automated tests that attempt to cross the boundary. Managed service providers get a further tenant layer with the same guarantees per client.
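The following is an added example, not lumatrack's code, showing the shape of the rule above: every record carries an organization, every read goes through one query path that refuses to run without a scope and filters on it before any other predicate, and a managed service provider's scope can be narrowed to one client so that two clients of the same provider cannot see each other's rows. The in-memory store, the `Scope` and `Record` types and all names are assumptions made for the illustration; the cross-boundary probe at the end is the kind of automated test the page describes.

```python
"""Tenant-scoped data access with a cross-boundary probe.

Added illustration, not lumatrack's code. The store, the Scope/Record types
and the names are assumptions; the point is that the scope is applied inside
the one query path, not left to each caller.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scope:
    org_id: str                        # tenant making the request
    client_id: Optional[str] = None    # MSP only: the managed client acted on


@dataclass(frozen=True)
class Record:
    id: int
    org_id: str
    client_id: Optional[str]
    amount: int


class ScopeError(PermissionError):
    """Raised when a read is attempted without any tenant scope."""


class ScopedStore:
    """In-memory stand-in for the database layer.

    Every read goes through `query`, which refuses to run without a scope and
    filters by org (and, for MSPs, by client) before any caller-supplied
    predicate is applied, so a lookup by id can never cross the boundary.
    """

    def __init__(self) -> None:
        self._rows: dict[int, Record] = {}
        self._next_id = 1

    def insert(self, scope: Scope, amount: int) -> Record:
        rec = Record(self._next_id, scope.org_id, scope.client_id, amount)
        self._rows[rec.id] = rec
        self._next_id += 1
        return rec

    def query(self, scope: Optional[Scope], **where) -> list[Record]:
        if scope is None:
            raise ScopeError("unscoped query refused")
        rows = [r for r in self._rows.values() if r.org_id == scope.org_id]
        if scope.client_id is not None:          # MSP acting as one client
            rows = [r for r in rows if r.client_id == scope.client_id]
        for field, value in where.items():       # caller predicates come last
            rows = [r for r in rows if getattr(r, field) == value]
        return rows

    def get(self, scope: Optional[Scope], record_id: int) -> Optional[Record]:
        rows = self.query(scope, id=record_id)
        return rows[0] if rows else None


def cross_tenant_probe() -> dict:
    """Constructed data: one plain tenant and one MSP with two clients.

    Returns the outcome of each boundary-crossing attempt so a test can
    assert on it.
    """
    store = ScopedStore()
    acme = Scope("acme")
    msp_a = Scope("msp", client_id="client-a")
    msp_b = Scope("msp", client_id="client-b")
    r_acme = store.insert(acme, 100)
    store.insert(msp_a, 200)
    r_b = store.insert(msp_b, 300)

    out = {
        "own_visible": store.get(acme, r_acme.id) is not None,
        "other_org_by_id": store.get(Scope("globex"), r_acme.id),   # None
        "msp_client_crossover": store.get(msp_a, r_b.id),           # None
        "msp_provider_view": len(store.query(Scope("msp"))),        # 2
    }
    try:
        store.query(None)
        out["unscoped_refused"] = False
    except ScopeError:
        out["unscoped_refused"] = True
    return out


if __name__ == "__main__":
    print(cross_tenant_probe())
```

The probe tries the two things a reviewer will ask about: a lookup by a valid primary key from the wrong organization, and a lookup from one MSP client into another client of the same provider. Both return nothing rather than a row, and a query with no scope at all is an error rather than a full-table read.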
Passwords are stored using Django's PBKDF2 hashing. API keys are shown once at creation and stored only as salted hashes; revocation is immediate. Sessions and all traffic run over TLS in production.
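As an added example (not lumatrack's code) of the API-key handling described above: the plaintext key is returned exactly once from `create_key`, only a per-key salt and a hash of the random secret are stored, verification uses a constant-time comparison, and revocation flips a flag that every later check sees immediately. The key format (`lt_<key_id>_<secret>`), the in-memory table and the function names are assumptions for the illustration. One design note: the secret is 32 random bytes, so a single salted SHA-256 is appropriate here; the slow PBKDF2 the page uses for passwords exists to resist guessing of low-entropy secrets, which an API key is not.

```python
"""API key lifecycle: show once, store a salted hash, verify, revoke.

Added illustration, not lumatrack's code. Key format, table and names are
assumptions. The key_id lets the server find the row without scanning the
table; only the random secret is hashed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PREFIX = "lt"                       # assumed key prefix for the example


@dataclass
class StoredKey:
    salt: bytes
    digest: bytes
    org_id: str
    revoked: bool = False


_keys: dict[str, StoredKey] = {}    # in-memory stand-in for the key table


def _digest(salt: bytes, secret: str) -> bytes:
    return hashlib.sha256(salt + secret.encode()).digest()


def create_key(org_id: str) -> str:
    """Return the plaintext key once; the table keeps only salt and hash."""
    key_id = secrets.token_hex(6)            # public locator, no underscore
    secret = secrets.token_urlsafe(32)       # 32 random bytes, never stored
    salt = secrets.token_bytes(16)
    _keys[key_id] = StoredKey(salt, _digest(salt, secret), org_id)
    return f"{PREFIX}_{key_id}_{secret}"


def key_id_of(presented: str) -> Optional[str]:
    """Extract the locator from a presented key, or None if malformed."""
    parts = presented.split("_", 2)          # secret may itself contain '_'
    if len(parts) != 3 or parts[0] != PREFIX or not parts[1]:
        return None
    return parts[1]


def verify_key(presented: str) -> Optional[str]:
    """Return the owning org_id, or None for unknown, tampered or revoked keys."""
    key_id = key_id_of(presented)
    if key_id is None:
        return None
    row = _keys.get(key_id)
    if row is None or row.revoked:
        return None
    secret = presented.split("_", 2)[2]
    # compare_digest keeps the comparison time independent of where the
    # first differing byte is, so a caller cannot probe the hash byte by byte
    if not hmac.compare_digest(_digest(row.salt, secret), row.digest):
        return None
    return row.org_id


def revoke_key(key_id: str) -> bool:
    """Revocation is by locator, since the plaintext key is never kept."""
    row = _keys.get(key_id)
    if row is None:
        return False
    row.revoked = True
    return True


def plaintext_absent_from_store(presented: str) -> bool:
    """Check that nothing in the table equals the presented secret."""
    secret = presented.split("_", 2)[2].encode()
    return all(secret not in (row.salt, row.digest) for row in _keys.values())


if __name__ == "__main__":
    k = create_key("acme")
    print("key shown once:", k)
    print("verify:", verify_key(k))
    revoke_key(key_id_of(k))
    print("after revoke:", verify_key(k))
```

Revocation taking effect immediately follows from checking the flag on every call rather than caching a verified key; if a deployment caches verification results, the cache lifetime becomes the real revocation latency and should be stated as such.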
Closed months are immutable, enforced at the API, the app, imports, and the staff admin alike. Every figure traces to stored run events; nothing is ever silently dropped.
We are a young product and will not pretend otherwise: no SOC 2 report yet (controls are being built with that audit in mind), no SSO/MFA yet (on the roadmap for Business and Enterprise tiers), single-region hosting. If your security review needs specifics, ask at support@lumatrack.io and you will get straight answers.
Email security@lumatrack.io. We acknowledge within 2 business days, we do not pursue good-faith researchers, and we credit fixes if you want credit.