Trust & data

Practical guardrails for applied AI.

We work with US-based clients on hosting aligned to US data residency expectations. Security and confidentiality are part of delivery, not a slide at the end of the deck.

Geography

US-focused services.

Our default engagements are with US-headquartered organizations, US contracts, and infrastructure aligned to US data residency expectations.

We do not offer EU/UK GDPR-grade programs or EU-region hosting as a standard offering today. If your requirements call for them, we’ll say so clearly during scoping rather than overpromise.

  • US-based client engagements
  • English-first delivery and documentation
  • Standard cloud providers with enterprise API terms
  • DPA available for client and processor roles

Data handling

How we treat your information.

No training by default

Client data is not used to train foundation models unless you explicitly agree in writing. We call vendor APIs under their enterprise/business terms rather than through consumer products, so your prompts and outputs are handled under those terms.

Isolation & access

Separate environments per client where practical. Role-based access for Lumera Labs staff, with only named engineers on production systems.

Retention & deletion

Retention periods are defined in the SOW, typically 30–90 days after the engagement ends unless you need data kept longer for operations. We delete on request at the end of the contract.

Human-in-the-loop

High-impact outputs (client-facing replies, external deliverables) require human review before they are sent, by default.

Citations & evals

Knowledge systems prioritize source citations. We maintain evaluation sets to catch regressions when models or prompts change.

Incident response

If we confirm unauthorized access affecting your data, we notify you promptly per contract and work with you on containment.

Subprocessors

Who may process data.

Depending on your architecture, subprocessors may include cloud hosting and AI API providers—for example Google Cloud, Microsoft Azure, OpenAI, or Anthropic. We maintain a subprocessor list and disclose changes per your DPA.

Exact vendors are chosen during scoping based on your security requirements, existing stack, and pilot scope—not a one-size-fits-all default.

Boundaries

What we don’t take on by default.

  • HIPAA-regulated PHI
  • PCI cardholder data environments
  • EU/UK data residency as a standard offer
  • Fully autonomous client-facing decisions without review

Discuss your requirements on a call—or start with the audit.