LUMEO

Product Security

How Lumeo interacts with your data—and what we never do.

Last updated: February 2026

Security is foundational to how we build Lumeo. This page explains our approach to data handling, access controls, and compliance.

Overview

Lumeo takes security seriously. Our platform is designed to analyze your website without putting your data or infrastructure at risk. This page explains how we interact with your content, what we store, and how we protect it.

Read-Only Crawling

Lumeo crawls your website in read-only mode. Our agents request publicly available pages, parse HTML and metadata, and extract structural and semantic information. We do not modify, inject, or alter your live content during analysis.

We do not execute JavaScript in a way that could trigger forms, cookies, or state-changing actions on your site. Our crawlers identify themselves via a standard User-Agent and respect robots.txt directives. You can block our crawlers if you prefer not to be analyzed.

  • We recommend testing scans on staging or non-production URLs when possible.
  • Crawl depth and frequency are configurable for enterprise customers.

No Sensitive PII Storage

Lumeo is designed to process metadata and structural content (titles, headings, links, schema, and text), not your visitors' personal information. We do not store personally identifiable information (PII) from your users. Your visitors' data stays on your infrastructure.

Account-level data (email, billing) is stored with industry-standard encryption and access controls. We do not use your site's content for advertising or third-party analytics.

  • If your site exposes PII in publicly crawlable content, consider using robots.txt or noindex to limit indexing.
  • We recommend reviewing our Privacy Policy for full details on data handling.

Encryption and Transport

All data in transit is encrypted using TLS 1.3. All data at rest is encrypted using AES-256. API keys and credentials are hashed and never stored in plaintext.

We use reputable cloud infrastructure providers that maintain strong security postures and comply with relevant certifications.

SOC 2 Type II Compliance

Lumeo maintains SOC 2 Type II compliance for security, availability, and confidentiality. Our controls are independently audited on an annual basis by a qualified third party.

SOC 2 reports are available under NDA for enterprise customers and prospects. Contact security@lumeoagent.com to request access.

  • We are committed to maintaining and extending our security program as we scale.
  • We welcome security questionnaires from enterprise prospects.

Agentic Tokenization (Lumeo Identity)

Lumeo Identity provides cryptographic attestation for bot-to-bot trust. When you use Identity, we issue verifiable credentials that AI agents can validate without exposing sensitive data. Tokenization follows W3C Verifiable Credentials standards and is designed for zero-knowledge verification where appropriate.

Credentials are signed with Lumeo's attestation key and stored under your control. We never retain the raw credential payload after delivery. Revocation and rotation are supported through our Identity API.

  • Identity credentials are optional and additive—they do not replace your existing auth.
  • Enterprise customers can use their own HSM or key management for attestation.

Sandbox-Safe Code Generation

All agentic code generated by Lumeo (e.g., llms.txt, JSON-LD snippets, citation maps) is produced in isolated environments. We do not ship untested or speculative implementations. Every recommendation is validated for compatibility and basic security before delivery.

When you choose to deploy generated code via GitHub PR or manual copy, you remain responsible for final review and testing in your own environment. We recommend running security scans and tests before production deployment.

  • Generated code follows current best practices for AI readability and does not include hardcoded secrets or credentials.
  • We do not execute or deploy code on your infrastructure—delivery is file-based only.

Incident Response

We maintain an incident response plan and will notify affected customers of significant security incidents in accordance with applicable law and our contractual obligations. We aim to provide clear, timely communication during any security event.

Security Contact

To report a security vulnerability or for security-related questions, contact security@lumeoagent.com. We appreciate responsible disclosure and will respond promptly.