TRUST CENTER

The platform you use for compliance should itself be compliant.

LukaGRC protects your compliance data with the same standards you are working to meet. Here is exactly how we do it.

SOC 2 Type II
Annual audit of security controls
In Progress
GDPR Compliant
EU data protection regulation
Compliant
CCPA Compliant
California privacy rights
Compliant
HIPAA Ready
Healthcare data protection
Ready
Cloud Infrastructure

Built on AWS with defense-in-depth architecture.

LukaGRC runs on Amazon Web Services (AWS), a cloud provider with SOC 2 attestation, ISO 27001 certification, and FedRAMP authorization. Your data stays within AWS infrastructure, with VPC isolation, DDoS protection, and auditable deployments from day one.

Multi-Region Deployment
Automatic failover; workloads isolated in AWS VPCs
Active
DDoS Protection
AWS Shield and WAF on all endpoints
Enforced
Infrastructure as Code
Consistent, auditable deployments
Active
Data Encryption

Encrypted everywhere your data exists.

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Encryption keys are managed and rotated through AWS KMS.

TLS 1.3 In Transit
All data encrypted with forward secrecy
Active
AES-256 At Rest
All stored data and backups encrypted
Enforced
AWS KMS Key Rotation
Scheduled rotation with managed KMS
Enforced
Secure Evidence Storage
Uploaded evidence files stored under the same at-rest encryption
Active
Access Controls

Multiple layers between attackers and your data.

Role-based access with least privilege, MFA enforcement, SSO integration, and a complete audit log of every access and action: multiple independent layers between attackers and your data, not just one.

RBAC with Least Privilege
Role-based access with minimal permissions
Enforced
Multi-Factor Authentication
MFA enforced for all accounts
Enforced
SSO Integration
SAML 2.0 with Okta, Azure AD, Google
Active
Session Management
Sessions expire after 30 minutes of inactivity
Enforced
Tenant Isolation

Your data is invisible to every other tenant.

Every query is scoped by tenant_id at the database level. Separate encryption keys per organization, zero shared data paths, and independent backups per organization. Your compliance data is invisible to every other customer.

Database-Level Scoping
All queries filtered by tenant_id
Enforced
Cross-Tenant Prevention
Zero shared data paths between orgs
Enforced
Per-Tenant Encryption Keys
Independent key management per org
Active
Data Privacy

Your data, your rules.

Clear data practices. Full compliance with GDPR, CCPA, and other global privacy regulations. No surprises.

Data Ownership

You own your data, full stop. We never sell it, share it, or use it for anything other than running LukaGRC for you.

  • Your data belongs to you
  • No third-party data sharing
  • Export your data at any time
  • Delete your data on request

Data Residency

Data is stored in AWS US regions by default. EU regions are available if your compliance requirements call for it.

  • Primary: AWS us-east-1 (N. Virginia)
  • EU region available for data-residency requirements (e.g. GDPR)
  • Data backups in same region
  • Cross-region replication optional

Privacy by Design

Privacy is part of how we build, not something we add later. Minimal data collection, enforced retention policies, and impact assessments on every feature.

  • Minimal data collection
  • Purpose limitation enforced
  • Data retention policies
  • Privacy impact assessments

Data Processing Agreement (DPA)

Our DPA covers the GDPR Article 28 processor obligations and incorporates the Standard Contractual Clauses (SCCs) for international data transfers.

View Data Processing Agreement
Availability

Always on, always recoverable.

Automated backups, tested disaster recovery, and continuous monitoring so your compliance program is never down when you need it.

Backup & DR

Your data is protected and recoverable.

Daily automated backups with 30-day retention, point-in-time recovery, encrypted backup storage, and quarterly disaster recovery testing to verify our targets hold up.

Daily Automated Backups
30-day retention with point-in-time recovery
Active
RTO: 4 Hours / RPO: 24 Hours
Quarterly DR testing validates targets
Verified
Monitoring

24/7 monitoring with automated alerting.

Infrastructure, application, and security event monitoring around the clock. Health checks every 60 seconds, real-time alerting, and on-call incident response.

Real-Time Alerting
PagerDuty integration for critical alerts
Active
SIEM + APM
Security event and performance monitoring
Active
Health Checks Every 60s
Public status page at status.lukagrc.com
Active
Security Testing

We test our own security the way auditors would test yours.

Automated scanning on every commit, annual penetration testing, and a coordinated vulnerability disclosure program.

SAST & Dependency Scanning

Every commit is scanned for security vulnerabilities and dependency issues before it reaches production.

  • Bandit for Python security scanning
  • Safety for dependency vulnerability checks
  • Pre-commit hooks for secret detection
  • Automated security reviews in CI/CD

Penetration Testing

Independent third-party penetration testing validates that our security controls work as intended.

  • Annual external penetration tests
  • OWASP Top 10 web app testing
  • API security assessments
  • Reports available to enterprise customers

Vulnerability Management

Ongoing vulnerability scanning with defined SLAs for patching. Critical issues fixed within 48 hours.

  • Weekly vulnerability scans
  • Critical patches within 48 hours
  • High-severity patches within 7 days
  • Coordinated disclosure program
Incident Response

Prepared to detect, respond, and recover.

Documented incident response plan, tested quarterly with tabletop exercises. Defined escalation procedures, 24/7 availability, and customer notification within 72 hours of confirming a breach.

24/7 Incident Response Team
On-call with defined escalation procedures
Active
72-Hour Breach Notification
Customer notification within 72 hours
Enforced
Quarterly Tabletop Exercises
Post-incident reviews and remediation tracking
Active
Secure Development

Security is built in, not bolted on.

Parameterized queries only. Threat modeling for every new feature. Security code reviews on every pull request. Secrets managed through AWS, never hardcoded. This is how we build, every day.

Parameterized Queries Only
Prevents SQL injection through query values
Enforced
Security Code Reviews
Mandatory on all pull requests
Enforced
Secrets Management
AWS Secrets Manager, no hardcoded creds
Enforced
Threat Modeling
Required for all new features
Active
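The two claims above that are most directly testable are the tenant_id scoping from the Tenant Isolation section and the parameterized-queries rule from this one. The block below is an added illustration, not LukaGRC's own code, of why they belong together: an unsafe query that interpolates user input lets a search term escape the tenant filter, while the parameterized version keeps the filter intact. It uses an in-memory SQLite database with constructed sample rows for two hypothetical organizations ("org-a", "org-b"); the table and function names are assumptions for the example, and LukaGRC's real schema and database engine are not shown on the page.

```python
import sqlite3

# Constructed schema for the example: one evidence table, every row owned by a tenant.
SCHEMA = """
CREATE TABLE evidence (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    name      TEXT NOT NULL
);
"""

# Constructed sample rows: two tenants, so a cross-tenant read is observable.
SAMPLE_ROWS = [
    ("org-a", "soc2-access-review-q1.pdf"),
    ("org-a", "mfa-policy.pdf"),
    ("org-b", "hipaa-risk-assessment.docx"),
]


def make_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO evidence (tenant_id, name) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def search_evidence_unsafe(conn, tenant_id: str, term: str) -> list:
    """Vulnerable form (for contrast only): string formatting puts the search
    term inside the SQL text, so a crafted term can disable the tenant filter."""
    sql = (
        "SELECT tenant_id, name FROM evidence "
        f"WHERE tenant_id = '{tenant_id}' AND name LIKE '%{term}%'"
    )
    return conn.execute(sql).fetchall()


def search_evidence(conn, tenant_id: str, term: str) -> list:
    """Hardened form: tenant_id comes from the authenticated session (never from
    the request body), and every value is bound as a parameter, so the search
    term can only ever be compared as data."""
    sql = "SELECT tenant_id, name FROM evidence WHERE tenant_id = ? AND name LIKE ?"
    return conn.execute(sql, (tenant_id, f"%{term}%")).fetchall()


def leaked_tenants(rows: list, tenant_id: str) -> set:
    """Return the set of foreign tenant_ids present in a result set; a non-empty
    set means the tenant boundary was crossed."""
    return {t for t, _ in rows if t != tenant_id}


if __name__ == "__main__":
    db = make_db()
    # Crafted term: closes the LIKE literal and ORs in an always-true clause.
    payload = "x' OR 'a' LIKE 'a"
    print("unsafe :", search_evidence_unsafe(db, "org-a", payload))
    print("safe   :", search_evidence(db, "org-a", payload))
    print("normal :", search_evidence(db, "org-a", "policy"))
```

Binding parameters is necessary but not sufficient for the isolation claim: the function must also take tenant_id from the session, not from the caller's input, and engines that support it (PostgreSQL row-level security, for instance) can enforce the same filter inside the database so that a forgotten WHERE clause cannot leak rows.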

Security & Compliance Inquiries

Need our SOC 2 report, a penetration test summary, or help with a security questionnaire? Want to report a vulnerability? Reach out directly. PGP key available for encrypted communications.

One platform for your entire compliance program.

Request our security documentation or try LukaGRC with your team.
