Skip to main content
LUMORQ

Trust Center

Security & Trust

Last updated: May 2026

Security is built into our product—not bolted on. This page summarizes the controls we operate today. We align with enterprise expectations for Meta messaging platforms while being transparent about our maturity path toward formal certifications.

Official Meta integrations

WhatsApp Business, Instagram, and Messenger via official APIs—no scraping or unofficial clients.

Verified webhooks

HMAC-SHA256 signature validation with timing-safe comparison on inbound Meta events.

Encrypted credentials

Integration tokens and secrets encrypted at rest (AES-256-GCM). Secrets never returned in browser API responses.

Tenant isolation

Every data path scoped by business_id in application code, with automated cross-tenant denial tests in CI.

Access control

Role-based team permissions, session rotation on login, HttpOnly cookies, and Origin checks on mutating requests.

Abuse prevention

API and webhook rate limits, burst protection, plan quotas, and human escalation workflows.

Threat model & mitigations

ThreatMitigation
Webhook forgeryMeta HMAC-SHA256 (x-hub-signature-256), timing-safe compare
Replay / duplicate deliveryExternal message idempotency on inbound messages
Credential theftEncryption at rest; redacted API responses; no secrets in logs
Cross-tenant accessbusiness_id scoping + automated isolation tests
Spam / floodRate limits, burst limiter, plan quotas
Session hijackHttpOnly cookies, hashed session tokens, rotation on login
Supply-chain riskDependabot, npm audit in CI, lockfile enforcement

Authentication

  • Browser sessions use a first-party HttpOnly session_token cookie (7-day TTL).
  • Session tokens are stored as HMAC-SHA256 hashes in the database—never plaintext at rest.
  • Public API tokens are not issued to browsers today.
  • Production cookies: Secure, HttpOnly, SameSite per deployment (lax, or none+Secure for cross-site setups).

Data isolation architecture

Our database uses Supabase with a service-role backend. Row-level security is not the primary isolation boundary—application-layer enforcement on every repository call is.

Automated security tests in continuous integration verify that one tenant cannot access another tenant’s resources by identifier guessing.

Responsible disclosure

Report vulnerabilities privately to {securityEmail}. Please include steps to reproduce and impact assessment.

We aim to acknowledge reports within 3 business days and provide a remediation timeline for confirmed issues.

Please do not access data belonging to other customers or disrupt production systems.

Operations & resilience

  • Encrypted backups via our database provider; documented RPO/RTO targets and restore procedures.
  • Security audit events for OAuth, role changes, exports, deletions, and token refresh failures.
  • Incident response: revoke provider keys, rotate encryption material, global AI kill switch, session invalidation.
  • SOC 2 Type II is on our roadmap—we do not claim certification today.

Payments & PCI

Subscription payments are processed by Stripe using Stripe Checkout. Card numbers are entered on Stripe-hosted pages and are not stored on our servers.

Merchants using Stripe Checkout typically qualify for PCI SAQ A scope. You remain responsible for securing your account credentials and workspace access.

Infrastructure partners

See our Privacy Policy for full subprocessor detail and data-processing context.