Security at Jovea is a continuous practice, not a checklist. Below is a summary of the controls we maintain to protect your data and our platform.
Infrastructure
- Hosted on tier-1 cloud providers in SOC 2- and ISO 27001-certified data centers.
- Edge runtime with global load balancing and DDoS protection.
- Production isolated from development; no production data in non-production environments.
Encryption
- TLS 1.2+ for all data in transit.
- AES-256 encryption at rest, including backups.
- Secrets managed via a dedicated vault with rotation.
Access control
- Row-Level Security enforced on every customer-data table.
- Role-based access for internal staff with least-privilege defaults.
- Mandatory SSO + 2FA for all employee accounts.
- Quarterly access reviews and immediate offboarding on role change.
Application security
- Input validation, parameterized queries, and output encoding to prevent injection.
- CSP, HSTS, X-Frame-Options, and modern security headers.
- Dependency scanning and automated patching of vulnerabilities.
- Annual third-party penetration test and continuous bug-bounty program.
AI & data handling
- AI providers operate under enterprise contracts prohibiting model training on your data.
- Sensitive content is minimized before being sent to model endpoints.
- Audit logs record every approval to send AI-generated outreach.
Business continuity
- Daily backups with point-in-time recovery (PITR).
- Cross-region replication for critical data stores.
- Documented disaster-recovery runbooks tested annually.
Compliance & certifications
- SOC 2 Type II — in progress.
- GDPR & UK GDPR aligned, including Data Processing Addendum on request.
- CCPA/CPRA aligned; HIPAA-conscious data handling (Jovea is not a covered entity).
Responsible disclosure
Found a vulnerability? Please email security@lumora.app. We acknowledge reports within 2 business days, aim to triage within 5 business days, and publicly credit researchers (with consent) after a fix ships. Do not access data that doesn't belong to you, disrupt the Service, or exfiltrate data.