Security & Compliance

LukeAPI is built with security and compliance at the core. Here's how we protect your data.

Data Security

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Passwords hashed; API keys never stored in plain text
  • Row-level security and RBAC

Compliance

  • GDPR: data subject rights, DPAs, lawful basis
  • SOC 2 Type II roadmap
  • HIPAA: BAA available for enterprise

Infrastructure

  • Trusted, enterprise-grade cloud providers
  • DDoS protection, CDN, edge network
  • Regular security assessments

Incident Response

Defined procedures for detecting, containing, and resolving incidents. Affected users notified per law and contracts.

Infrastructure Security

Our platform runs on enterprise-grade cloud infrastructure with strong security postures across hosting, CDN, and data storage. We leverage:

  • DDoS protection: Edge network and CDN with built-in DDoS mitigation
  • Global CDN: Content and API responses served from edge locations for low latency and resilience
  • Redundancy: Multi-region deployment where available
  • Dependency updates: Regular patching of dependencies and tracking of security advisories

Application Security

We follow security best practices throughout the development lifecycle:

  • OWASP Top 10: Measures to mitigate injection, XSS, CSRF, broken auth, and other common vulnerabilities
  • Secure coding: Code review, static analysis, and dependency scanning
  • Security testing: Regular internal security testing and scheduled penetration testing
  • CI/CD security: Automated checks in the deployment pipeline

Data Security

All data is protected with industry-standard encryption and access controls:

  • Encryption in transit: TLS 1.3 for all connections
  • Encryption at rest: AES-256 for stored data
  • Key management: Secrets managed via environment variables and provider secret stores
  • Password hashing: Industry-standard bcrypt/argon2 algorithms

API Key Security

API keys and credentials are handled with care:

  • Hashing: API keys are hashed; plain-text keys are never stored
  • Display: Keys shown only at creation; partial display for identification
  • Rotation: Users can rotate keys from the dashboard; compromised keys should be rotated immediately
  • Compromise response: Report suspected exposure via our ; we will assist with rotation and investigation

Authentication & Authorization

User authentication and authorization are built on a secure, enterprise-grade auth system:

  • Authentication: Secure sign-up, sign-in, and session management
  • MFA: Multi-factor authentication support where available
  • SSO: Enterprise SSO (SAML/OIDC) on our roadmap
  • RBAC: Role-based access control for dashboard and API access
  • RLS: Row-level security in the database for multi-tenant isolation

Network Security

Network-level protections include:

  • Firewalls: Managed by cloud providers with restrictive rules
  • WAF: Web application firewall where applicable
  • Rate limiting: Per-user and per-API rate limits to prevent abuse
  • VPC: Isolated network environments for sensitive workloads

Access Control

Access to production systems follows the principle of least privilege:

  • RBAC: Role-based access control for users and internal teams
  • RLS: Row-level security ensures tenant data isolation
  • Production access: Limited to authorized personnel; access is logged and reviewed
  • Credentials: Separate credentials for dev/staging/production

Compliance Certifications

We are committed to compliance with major frameworks:

  • GDPR: Data subject rights, lawful basis, DPAs. See our Privacy Policy and DPA.
  • SOC 2 Type II: On our roadmap; controls aligned with trust principles (security, availability, confidentiality)
  • HIPAA: BAA and HIPAA-aligned handling available for Enterprise customers;

Incident Response & Vulnerability Disclosure

We have defined procedures for security incidents and vulnerability reports:

  • 24/7 monitoring: Automated monitoring and alerting for anomalies
  • Incident response: Detect, contain, remediate, and post-mortem
  • User notification: Affected users notified per GDPR, contracts, and applicable law
  • Vulnerability disclosure: Responsible disclosure policy;
  • Scope: Our platform and services; third-party APIs are out of scope

To report a vulnerability: . Include a description, steps to reproduce, and impact. We aim to acknowledge within 48 hours and respond within 7 days.

Third-Party Security

We use trusted Sub-Processors with strong security practices:

  • Payment processing: PCI DSS Level 1 certified provider
  • Database & auth: SOC 2 compliant; encryption and row-level security
  • Hosting & CDN: Enterprise-grade edge infrastructure

All sub-processors are contractually bound to protect data. See our Data Processing Agreement for the full list.