Data & Security Policy

Last updated: March 17, 2026

1. Overview

§1.1 This Policy describes the measures we take to secure and protect data processed by Lumoza's services. It complements (but does not replace) our binding Terms of Service and Privacy Policy.

2. Data Handling

§2.1 Personal data is processed for the purposes described in the Privacy Policy (see Privacy Policy §6).

§2.2 Metadata and content are processed to support creation proofs, registrations, and analytics.

§2.3 Temporary audio copies used for processing are deleted after processing completes.

§2.4 AI Interaction Data: retention and deletion of prompts, inputs, and outputs follow the same standards as other personal data; verified deletion requests are honored as required by law.

3. Encryption

§3.1 In transit: TLS (HTTPS) for all client–server communications and service-to-service links where applicable.

§3.2 At rest: platform-native encryption for databases, object storage, and backups.

§3.3 Key management: encryption keys are managed using cloud KMS or platform equivalents with role-based access and audit trails.

4. Access Controls

§4.1 Organizational controls include employee training, principle-of-least-privilege access, and periodic access reviews.

§4.2 Strong authentication (e.g., MFA for privileged access) and SSO are enforced where supported.

§4.3 Access is logged; critical administrative actions are monitored.

5. Keys & Custody (Smart Contracts)

§5.1 By default, Lumoza safeguards private keys required to operate your smart contracts.

§5.2 Upon transfer of keys (shared or full custody), you assume responsibility for safeguarding keys; after full transfer Lumoza has no responsibility for their security, recovery, or future loss (see ToS §6.2; Privacy Policy §11.3).

§5.3 Custodial keys are stored using hardened key-management controls; access is strictly limited and logged.

6. Infrastructure & Monitoring

§6.1 We use reputable cloud providers with robust physical and logical security controls.

§6.2 Technical controls include continuous monitoring, intrusion detection, logging, and alerting for system health and anomalies.

§6.3 Changes follow review and testing practices; critical changes are peer-reviewed.

7. Subprocessors

§7.1 We engage vetted providers (hosting, analytics, security, payments, support) under contracts requiring appropriate data protection and legal compliance.

§7.2 A current list of material subprocessors is available upon request via legal@lumoza.io; we update that list as our stack evolves.

8. Vulnerability Disclosure

§8.1 We welcome responsible vulnerability reports. Please email security@lumoza.io with details and reproduction steps.

§8.2 Do not access, modify, or exfiltrate data you do not own. We will not pursue legal action for good-faith research aligned with these guidelines.

9. Incident Response

§9.1 We maintain an incident response program covering detection, containment, remediation, notification, and post-incident review.

§9.2 Notification will be provided without undue delay and in accordance with applicable law (see Privacy Policy §11.2).

10. Backups & Continuity

§10.1 Automated, encrypted backups are maintained and tested periodically.

§10.2 We design for high availability and recovery from infrastructure failures.

11. Data Retention & Deletion

§11.1 We retain data only as long as necessary for the Service, compliance, dispute resolution, and other lawful purposes.

§11.2 Retention criteria include the type of data, processing purpose, and legal/operational requirements.

§11.3 Temporary audio copies are deleted after processing (see Privacy Policy §5). Verified account/data deletion requests are honored as required by law (see Privacy Policy §10).

12. Compliance & Regions

§12.1 We implement "reasonable security procedures" consistent with California Civil Code §1798.81.5 and align with applicable data-protection laws (see Privacy Policy §11).

§12.2 International transfers may occur to countries with different protections (e.g., the U.S.); where required, we use SCCs/UK equivalents and conduct Transfer Impact Assessments (see Privacy Policy §8).

13. Contact

§13.1 Security questions and vulnerability reports: security@lumoza.io.

§13.2 Privacy, data rights, and subprocessor list requests: legal@lumoza.io.
