Security at Hi Luca

We design Hi Luca around four operating principles:

• Least privilege by default. Every role, service account, and sub-processor gets only the access it needs.
• Encryption everywhere. TLS 1.2+ in transit; AES-256 at rest for customer data stores.
• Audit before it’s asked for. Admin-level actions are logged, tamper-evident, and retained.
• Transparent sub-processor posture. Every third party we process data with is published at /sub-processors, with change notification for customers.

• SOC 2 Type II — in progress. We operate to the AICPA Trust Services Criteria today and are working toward attestation. Report requests go to security@hiluca.net.
• GDPR — compliant. Signable DPA with Standard Contractual Clauses available.
• LGPD (Brazil) — compliant. LGPD addendum attached to the DPA on request.
• LFPDPPP (México) — compliant. Privacy notice at /privacy.

We do not currently hold ISO 27001 or FedRAMP certifications. We can share the SOC 2 readiness report and our trust policies on request under NDA.

Encryption

• TLS 1.2+ for all traffic to hiluca.com and the Hi Luca platform.
• AES-256 at rest for primary customer data stores and backups.
• Secrets and API keys managed in a dedicated secrets manager with rotation policies.

Access control

• Role-based access control (RBAC) on every tenant.
• SSO via SAML / OIDC and SCIM provisioning on enterprise plans.
• Mandatory multi-factor authentication for all Hi Luca employees and contractors.
• Admin access to production requires just-in-time escalation and is logged.

Data residency

Data is hosted in the United States by default. EU-resident and region-specific deployments are available on enterprise plans. Contact security@hiluca.net to discuss.

• Network — traffic is fronted by a CDN/WAF with DDoS mitigation. Administrative ingress is restricted by IP allowlists and VPN where applicable.
• Application — dependency scanning on every pull request; CSP, HSTS, and modern security headers on the public site.
• Isolation — customer data is logically isolated per tenant; cross-tenant access requires explicit grant.
• Secrets — no long-lived shared secrets; key rotation enforced.

• Background checks on employees with access to production data, where permitted by law.
• Annual security and privacy training.
• Laptops with full-disk encryption, MDM, and endpoint protection.
• Acceptable-use policy enforced for all personnel handling customer data.

We maintain a written incident response plan reviewed quarterly. On confirmed incidents affecting customer data:

• We notify affected customers within 72 hours of discovery of confirmation.
• We preserve forensic evidence in an isolated environment.
• We publish a post-incident report to affected customers with timeline, root cause, and corrective actions.

To report a security issue: email security@hiluca.net. We acknowledge within one business day. Please encrypt sensitive details with PGP on request.

• Automated daily backups of customer data with point-in-time recovery windows documented in the DPA.
• Multi-AZ deployment for production services.
• Annual disaster-recovery exercises with documented RTO / RPO objectives.
• Uptime history and incident log published to enterprise customers through a status page.

We review sub-processors before engagement and annually thereafter. Every sub-processor has a signed DPA and (where applicable) SCCs. The full list is published at /sub-processors with a change-notification mechanism for enterprise customers.

We welcome coordinated disclosure of security issues. Our commitments:

• We will not pursue legal action against researchers acting in good faith within this policy.
• We will acknowledge reports within one business day and provide a remediation timeline.
• We will credit researchers in our internal post-incident report on request.

Scope: hiluca.com, app.hiluca.com, and published APIs. Out of scope: denial-of-service, social engineering, and third-party services hosted outside our control.