Luzmo Trust Center

Luzmo is an embedded data visualization platform built with security and privacy at its core. We understand that your data is one of your most valuable assets, which is why we've implemented industry-leading security measures and compliance certifications to ensure your information remains protected at all times.

Compliance

Download reports

SOC2 Type 2

HIPAA

Privacy Regulations

✓ 🇪🇺 GDPR (EU) >

✓ 🇺🇸 CCPA/CPRA (California) >

✓ 🇺🇸 VCDPA (Virginia) >

✓ 🇺🇸 CPA (Colorado) >

✓ 🇺🇸 CTDPA (Connecticut) >

✓ 🇺🇸 UCPA (Utah) >

✓ 🇬🇧 UK GDPR >

✓ 🇨🇭 FADP (Switzerland) >

✓ 🇦🇺 Privacy Act (Australia) >

✓ 🇨🇦 PIPEDA (Canada) >

Controls

View all controls

Reports

Certificates

SOC2 Type 2 Report 2025

SOC2 Type 2 Report for the reporting period of Jan 1st, 2024 until Dec 31st, 2024

SOC2 Type 2 Report 2024

SOC2 Type 2 Report for the reporting period of Jan 1st, 2023 until Dec 31st, 2023

SOC2 Bridge letter

2025 Bridge letter for the period since Jan 1st 2024

Penetration Tests

Penetration Test 2024 - 3rd party report

General

Data Processing Agreement

Standard Luzmo Data Processing Agreement template

Controls

Subprocessors

Amazon Web Services

Storage/processing of customer datasets.

Clickhouse Cloud

Storage/processing of uploaded or 'Warp'ed customer datasets.

OpenAI

Data analysis & summarization, for datasets analyzed by Luzmo IQ only.

Prompts and responses are not stored or used for training by the subprocessor.

Sendgrid

User e-mail address & name for sending of password resets, legal notices, scheduled dashboard exports, alerts via e-mail and/or SMS.

These messages may contain attached PNG or PDF exports of dashboards, or data matching the alert conﬁguration.

USA

Frequently Asked Questions

How does Luzmo protect my data?

Luzmo employs multiple layers of security including encryption at rest and in transit, regular security assessments, and strict access controls to protect your data.

Is Luzmo GDPR-compliant?

Yes, Luzmo is fully GDPR compliant. We act as a data (sub)processor for our customers and have implemented all necessary measures to comply with GDPR requirements.

If you wish to process Personally Identifiable Information (PII) on the Luzmo platform, you can sign a Data Processing Agreement (DPA) with us in Luzmo's Legal & Compliance section.

Does Luzmo store my data?

Whether we store your data depends on the data connector types you're using and your settings.

By default, Luzmo does not store your data, but only processes it in-memory after which it is promptly discarded.

If you enable query result caching on a connection or dataset, we temporarily cache your data in an in-memory store up to your configured Time-To-Live (TTL).

If you use any of the following data connector types or features, we persistently store your data in a secure, multi-dimensional analytical data store, until you delete the dataset or the license comes to an end.

Google Analytics
Google Drive
Luzmo API Push
Luzmo Warp

Where does Luzmo process and/or store my data?

Luzmo operates 2 multi-tenant clouds: in the European Union 🇪🇺 (AWS, eu-west-1 (Ireland) region) and in the United States 🇺🇸 (AWS, us-east-2 (Ohio) region). You can choose your data tenancy during sign-up. Your data is strictly processed and/or stored only in your selected regions.

Luzmo also offers dedicated cloud deployments in any public AWS, Azure or Google Cloud Platform region globally.

Data locations

How can I securely connect my data to Luzmo?

Luzmo connects to a variety of data sources natively, incl. relational databases (PostgreSQL, MySQL, MariaDB, SQL Server, Oracle, etc.), data warehouses (ClickHouse, Snowflake, BigQuery, Redshift, Athena, Synapse, etc.), file systems (Google Drive), Google Analytics, and more.

Luzmo uses TLS1.2+ encrypted connections. You can use IP whitelisting to allow our dedicated IP addresses to connect. We also offer AWS Private VPC endpoints on our Multi-tenant Cloud and AWS Private VPC Endpoints or AWS, Azure or Google Cloud VPC Peering on dedicated cloud deployments.

It's also possible to create your own data connectors using our Plugin API.

Connectivity

Does Luzmo train AI models with my data? Do you send my data to AI model providers?

Luzmo's AI features, including AI Chart Generator and Luzmo IQ, are not trained on customer datasets. Luzmo logs conversations for the duration of our regular log retention window to help in issue investigations or to identify areas where the service accuracy needs to be improved.

When using the AI Chart Generator feature, no customer data is sent to the Large Language Model (LLM). The model only takes into account metadata like dataset names, column names and descriptions.

When using the Luzmo IQ feature, the Large Language Model is sent aggregated, summarized data that is the result of data queries on connected datasets. The LLM uses this to spot trends and summarize the data. The LLM is not sent raw data, and it does not perform aggregations or calculations.

Is Luzmo compliant with HIPAA?

Yes, Luzmo is compliant with HIPAA (Health...) regulations. If you wish to process healthcare records that fall under HIPAA regulations, you can request a BAA.

Responsible Disclosure Program

We value the security research community and encourage responsible disclosure of security vulnerabilities. Our responsible disclosure program rewards security researchers who help us keep Luzmo secure.

Program Guidelines & Leaderboard

Hall of Fame

Special thanks to the following researchers who have reported vulnerabilities to us:

Rank	Researcher	Points
1	Anonymous 🇳🇱 Dutch researcher	105
2	Anonymous 🇵🇱 Polish researcher	100
3	Anonymous 🇪🇸 Spanish researcher	70
4	Anonymous 🇬🇧 UK researcher	65
5	Anonymous researcher	50
+ 25 other researchers

Guidelines

• Please provide a detailed report with reproducible steps.
• Only provide reports that have clear and important security implications. Not all product quality issues are vulnerabilities.
• Please provide sufficient time before reporting recently discovered CVEs or outdated dependency versions. We regularly scan for new CVEs, but releasing new versions takes time to provide sufficient quality control.
• We are especially interested in reports related to:
- - Remote code execution
- - SQL injection
- - Cross-organization privilege escalation
- - Data breaches
- - Exploitable SSRF (ie. blind SSRF leading just to a pingback is excluded)
- - Stored XSS
• Following reports are out-of-scope of our program:
- - Clickjacking, reverse tabnabbing
- - Phishing via user-generated content (eg. notification e-mails, dashboard sharing)
- - CORS configuration
- - Pre-Auth Account takeover/OAuth squatting
- - Disclosure of Luzmo API tokens of third parties -- you can report these, but we will not award points
- - Bugs without clear security impact, eg. missing rate-limits/security headers/cookie flags, best practices violations, autocomplete, self-XSS, version disclosure, disclosure of API keys meant to be public, etc.
• Luzmo allow security testing of its services for the purpose of responsible disclosure. Please do not abuse found vulnerabilities. Please do not use automated scanning tools that exceed the rate limits (10 req/s). We will ban abusers and reserve the right to take further steps in case of repeated abuse.
• To thank you for your submissions, we'd love to publish your name in our security leaderboard andsend you an official Luzmo swag package upon reaching 15 points worth of accepted vulnerabilities. Please provide your address in the submission form if you want to participate in this. We only process your address for the purpose of sending you a swag package.
• Leaderboard points are awarded for validated, accepted submissions. Duplicate submissions are rewarded with half points. Points are awarded by final severity of the finding:
- - Critical finding: 50 points
- - High severity finding: 25 points
- - Medium severity finding: 10 points
- - Low severity finding: 5 points

Submit a Vulnerability

Full Name *

Email Address *

Company

Vulnerability *

Severity Level *

Vulnerability Details *

Shipping Information

Your address is used in case you want to receive a swag package (as of 15 points):

Address Line 1

Address Line 2

City

State/Province

ZIP/Postal Code

Country