Trust is not optional.
It’s the architecture.
LumenFlow is built on the principle that AI should prove its work. That same transparency extends to how we handle your data — encrypted, auditable, and under your control.
Encryption at rest & in transit
Model API keys are encrypted with AES-256 via envelope encryption with per-workspace key derivation. All traffic is served over HTTPS with HSTS enforced. Database encryption is managed by Supabase (managed Postgres).
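The paragraph above names the building blocks (AES-256, envelope encryption, a key derived per workspace) without showing how they fit together. The Go program below is an added illustration written for this page, not LumenFlow's own code, and it assumes details the page does not state: the per-workspace key-encryption key (KEK) is derived from a root key with HMAC-SHA256 and a versioned label, each stored secret gets its own random data-encryption key (DEK) wrapped under that KEK, both layers use AES-256-GCM, and the workspace ID is bound as additional authenticated data. The names `EncryptAPIKey`, `DecryptAPIKey` and `deriveWorkspaceKEK` are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is the record persisted for one provider API key. Nothing in it
// can be decrypted without the root key, which in production stays in a KMS.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-256-GCM(DEK) under the workspace KEK
	Ciphertext []byte // nonce || AES-256-GCM(api key) under the DEK
}

// deriveWorkspaceKEK derives a per-workspace key-encryption key from the root
// key. Assumed construction: HMAC-SHA256 over a versioned label plus the
// workspace ID, so one workspace's KEK reveals nothing about another's.
func deriveWorkspaceKEK(rootKey []byte, workspaceID string) []byte {
	mac := hmac.New(sha256.New, rootKey)
	mac.Write([]byte("lumenflow-kek-v1:" + workspaceID))
	return mac.Sum(nil) // 32 bytes, i.e. an AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext. The workspace ID is passed as AAD, so a
// record copied into another workspace fails authentication instead of opening.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptAPIKey: fresh random DEK per secret, secret sealed under the DEK, DEK
// sealed under the workspace KEK. Rotating the root key then only means
// re-wrapping DEKs, not re-encrypting every stored secret.
func EncryptAPIKey(rootKey []byte, workspaceID string, apiKey []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	aad := []byte(workspaceID)
	ct, err := seal(dek, apiKey, aad)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(deriveWorkspaceKEK(rootKey, workspaceID), dek, aad)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptAPIKey unwraps the DEK under the caller's workspace KEK, then opens
// the secret. A wrong workspace ID or root key fails at the unwrap step.
func DecryptAPIKey(rootKey []byte, workspaceID string, env Envelope) ([]byte, error) {
	aad := []byte(workspaceID)
	dek, err := open(deriveWorkspaceKEK(rootKey, workspaceID), env.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, aad)
}

func main() {
	rootKey := bytes.Repeat([]byte{0x42}, 32) // constructed; a real root key lives in a KMS
	env, _ := EncryptAPIKey(rootKey, "ws_alpha", []byte("sk-example-not-a-real-key"))
	got, err := DecryptAPIKey(rootKey, "ws_alpha", env)
	fmt.Printf("own workspace: %q err=%v\n", got, err)
	_, err = DecryptAPIKey(rootKey, "ws_beta", env)
	fmt.Println("other workspace:", err) // authentication failure, nothing leaks
}
```

The point of the two layers is blast-radius control: a dumped database yields only wrapped DEKs and ciphertext, a leaked KEK exposes one workspace rather than all of them, and binding the workspace ID as AAD means rows cannot be silently re-homed between tenants.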
Managed inference + BYOK
Start with LumenFlow managed inference for zero-config setup, or connect your own model keys for OpenAI, Anthropic, and compatible providers when you need direct provider billing or stricter vendor choice.
Action logging & audit export
Governed actions, approvals, and cost outcomes are visible in-product today. Enterprise trust builds on the same evidence stream with export-ready records for review and compliance workflows.
Workspace roles & enterprise governance
Row-level security keeps workspace data isolated. On top of that, LumenFlow ships workspace roles plus org-scoped reviewer and admin posture for higher-trust environments without creating a second control plane.
Data retention & deletion
Retention is configurable per plan: 7 days (Free), 90 days (Team), 365 days (Enterprise). When data expires, it's permanently deleted by an automated cron job — not archived or soft-deleted.
SOC 2 readiness
We are building toward formal SOC 2 Type II readiness. Product controls and export surfaces are in place, but the certification itself is not complete yet.
Security is a process, not a checkbox
Our governance kernel is open-source (AGPL) so you can audit the code yourself. We’re a small team building in the open — if you find an issue or have a question, reach out at hello@hellm.ai.
Need a security review?
We’re happy to walk through our security architecture, provide documentation, or complete your vendor security questionnaire.