Security, Compliance and Data Handling — Clear from Day One.

Security and procurement teams should not have to chase basic information. This page brings the essentials together in one place: the controls we operate, the compliance frameworks we align with, how we handle client data, and which documents you can request directly.

NDA before discovery

Mutual NDA signed before any commercially sensitive material is shared.

Least-privilege access

Engineers receive only the access required, scoped to the engagement.

No data resale, ever

Client data is never used to train models or build products, and is never sold downstream.

Disclosure within 72h

Confirmed security incidents are disclosed to affected clients within 72 hours.

Security controls

What's Actually in Place — Across People, Systems and Code

A working summary of the controls we operate. For audit-grade detail, request the Security Whitepaper at the bottom of this page.

People & Access

Background checks

Completed for all engineers prior to client engagement.

Access provisioning

Just-in-time, scoped to the engagement, revoked on offboarding within 24h.

MFA

Required on all corporate and client systems. Hardware keys for admin access.

Security training

Mandatory annually for all staff, plus role-specific training for engineers.

Systems & Infrastructure

Encryption

In transit (TLS 1.2+) and at rest (AES-256) for all client data on Lumitech systems.

Endpoint security

Managed devices with disk encryption, EDR, and remote wipe capability.

Secrets management

Centralized vault. Secrets are prohibited in repositories. Automated scanning on every commit.

Backup & recovery

Documented per-engagement BCP. Tested annually.

Code & Delivery

Code review

Mandatory peer review on all production code. AI-assisted review used as an additional check.

Dependency scanning

SCA on every build. CVE alerts triaged within SLA.

SAST/secrets scan

Run on every commit; blocking on confirmed findings.

Threat modeling

Done at design phase for every system handling sensitive data.

Compliance & certifications

Frameworks We Operate Against — and Where We Are on Each

We’re transparent about where we’re certified, where we’re aligned, and where work is in progress. No security theater.

ISO 27001: In progress

Information security management system aligned; certification in progress.

SOC 2 Type II: Scheduled

Controls in place; first audit window scheduled for 2026.

GDPR: In place

Operational compliance for EU data; DPA available on request.

UAE Data Law: In place

Aligned with UAE Federal Decree-Law No. 45 of 2021 on personal data protection.

KSA PDPL: In place

Aligned with Saudi Arabia’s Personal Data Protection Law.

CCPA / CPRA: In place

Operational alignment for California consumer privacy obligations.

PCI-DSS aware: Engagement-scoped

Engagement-level controls for fintech work handling cardholder data.

HIPAA aware: Engagement-scoped

For client engagements requiring PHI handling, with BAA on request.

Regional regulations

How We Handle Data Residency and Regulation by Region

Lumitech operates across the UAE, Saudi Arabia, the US and the EU. Each region has different obligations, and we honor each one specifically.

United Arab Emirates

UAE Federal Decree-Law No. 45 of 2021 · DIFC Data Protection Law · ADGM regs

  • Local data residency available on request
  • Cross-border transfer assessments for sensitive client data
  • Mainland and free-zone engagement structures supported
  • Aligned with TDRA cybersecurity guidance

Saudi Arabia

Personal Data Protection Law (PDPL) · NCA cybersecurity framework

  • PDPL-aligned data handling for KSA client engagements
  • Data residency in-Kingdom where required
  • Vendor risk paperwork prepared in advance for SAMA/CMA-regulated clients
  • Arabic-language NDAs available on request

United States

State privacy laws (CCPA / CPRA, VCDPA, etc.) · Sector regulations

  • CCPA/CPRA operational compliance
  • BAAs available for HIPAA-scoped engagements
  • State-level privacy requirements honored per client jurisdiction
  • US-based subprocessors used where required

European Union

GDPR · Sector regulations (DORA, NIS2 where applicable)

  • GDPR-compliant data handling and DPA on request
  • SCCs for transfers outside the EEA where required
  • Subject access request processes documented

Have regional security requirements?

Send them early, and we’ll confirm the path forward.

AI usage & data

How We Use AI — and What We Never Do with Your Data

We are AI-native by default. That makes the data policy more important, not less. The short version: we may use approved AI tools to support delivery when clients allow it, but client data is never used to train third-party models or reused outside the engagement.

What We Do

  • Use enterprise-grade AI providers with data-isolation guarantees.
  • Use AI on client code only with engagement-level consent.
  • Maintain prompt and tool logs to ensure auditability in regulated engagements.

What We Never Do

  • Never submit client data to consumer-tier AI services.
  • Never use client code or data to train third-party models.
  • Never persist client data in any AI system longer than the engagement requires.

Client Control

Clients can opt out of any AI tooling at the engagement level, restrict specific tools, or require on-prem AI deployment for sensitive work. The policy is co-defined, not imposed.

AI-Generated Code

All AI-drafted code passes senior human review before merge, with attribution captured in the change log. We treat AI output as a draft, never a deliverable.

Incident response

What Happens in the First 72 Hours of a Confirmed Incident

No complex environment can rely on prevention alone. What matters is how quickly a vendor detects, contains, communicates, and remediates an incident — and how clearly affected clients are informed throughout the process.

0–1h

Trigger and triage

Internal detection from monitoring, third-party disclosure, or client report. On-call engineer engages within minutes.

1–4h

Scope and contain

4–24h

Client notification

24–72h

Formal disclosure

5 business days

Blameless review

Documents & NDAs

Request What Your Team Needs

Standard documents are available on request, usually within one business day for active conversations.

Need something specific for your security team?

If your procurement or security team has a specific question that isn’t on this page, or needs a document fast for a review, write directly to security@lumitech.co and a real human (not a ticket bot) will respond within one business day.

Good To Know

  • Does Lumitech use client data with AI tools?

  • Can Lumitech support data residency or regional compliance requirements?

  • What happens if there is a security incident?

Ready to bring your idea into reality?

  1. We'll sign an NDA if required, carefully analyze your request and prepare a preliminary estimate.
  2. We'll meet virtually or in Dubai to discuss your needs, answer questions, and align on next steps.

Partnerships → partners@lumitech.co

Email us at info@lumitech.co
