Trust: Security & data practices
We practice what we advise.
Compliance buyers check how their advisors handle data before they share anything sensitive. This page documents our own security practices, data handling commitments, and sub-processor disclosure — aligned with the Digital Personal Data Protection Act, 2023 (India) and GDPR.
Questions not answered here? hello@luminarisk.io
Client data
- Mutual NDA signed before any engagement begins.
- We request only what the specific engagement requires — nothing more.
- Evidence stored encrypted and access-controlled in cloud storage only.
- Retained for 5 years per professional standards, then securely destroyed.
Communications
- All client communications over encrypted channels, no exceptions.
- Deliverables and evidence shared via secure portals, not email attachments.
- Encrypted conferencing only — no recordings without explicit consent.
Sub-processors
- Minimal third-party tools, each assessed for security before client use.
- Full sub-processor list available on request at any time.
- Client data is never submitted to AI services or used to train models.
Our own controls
- Full-disk encryption and endpoint protection on all devices used for client work.
- Clients notified within 72 hours of any security incident, in line with GDPR and the DPDP Act.
Questions about our data practices?
We're happy to answer specific questions about how we handle client data, run a security review call with your InfoSec team, or provide additional documentation for your vendor assessment.
hello@luminarisk.io