Security & Trust

Built for confidential portfolio data.

Luceryn isolates every organisation's data at the database layer, encrypts it in transit and at rest, and keeps a deliberately small, transparent set of sub-processors. This page is a factual summary — including what's on our roadmap rather than already shipped.

Tenant isolation

Every organisation is a separate tenant. Projects and all project data — RAID, plans, documents, reports, meeting minutes — plus the user directory and templates are isolated by PostgreSQL Row-Level Security (hundreds of policies enforced in the database, not just the UI). One customer can never see another's data.

Authentication & access

Sign-in via password or SSO (Microsoft / Google). Multi-factor authentication is supported and can be required per workspace. Inside the app, role-based permissions plus row-level security govern who can see and do what.

Data storage & encryption

Your data lives in a managed PostgreSQL database (Supabase, on AWS), with files in object storage. Everything is encrypted in transit (TLS) and at rest. The application host (Vercel) runs code and holds no copy of your database.

Data residency

Application compute runs on Vercel; your data is stored in Supabase (PostgreSQL on AWS). For organisations with Canadian or regional data-residency requirements, we can provision the database in a specific region — including Canada (AWS ca-central). Tell us before onboarding so we set the workspace up in the right region from day one.

AI transparency & your data

AI features are powered by Anthropic's Claude via its commercial API. We send only the specific text needed for the task you trigger — the transcript you paste, a proposal's fields, a project's details — never your whole database. Per Anthropic's commercial terms, your data is not used to train models or retained for training.

Semantic search (finding similar past projects and documents) sends project and document text to Voyage AI to generate vector embeddings; only the embeddings are stored, in your own database.

Every AI-written item is attributed to Luceryn and stays fully editable — you review and approve before anything is final. Admins can also switch a workspace to No-AI / manual mode, which turns off all AI calls entirely.

Confidential meetings

The AI Notetaker reads meeting transcripts from your own Microsoft 365 tenant via Microsoft Graph, only with the permissions your admin grants. The generated minutes are stored in your workspace, with configurable retention for minutes and transcripts.

No tracking

Luceryn wires in no analytics, advertising, or behavioural-tracking third parties. The complete sub-processor list is below — nothing else touches your data.

Sub-processors

ProviderPurposeData it processes
VercelApplication hostingRuns the application; transient request data
Supabase (on AWS)Database, authentication, file storageYour stored data (projects, RAID, documents, users, minutes)
AnthropicAI features (Claude)The specific text submitted for a given AI task
Voyage AISemantic-search embeddingsProject + document text, converted to vector embeddings for similar-work matching
ResendOutbound emailRecipient addresses + email content (invites, minutes)
StripeSubscription billingBilling contact + subscription details (card data is handled by Stripe and never stored by Luceryn)
Microsoft GraphMeeting notetaker / calendar (opt-in)Transcripts/calendar — read within your own Microsoft 365 tenant

On our roadmap

We believe in being explicit about what is shipped versus in progress:

  • SOC 2 — pursuing Type I → II.
  • Independent penetration test + published report summary.
  • Data Processing Agreement (DPA) and signed sub-processor agreements.
  • Customer-managed encryption keys (BYOK) for enterprise.
  • Expanded regional data-residency options.

Already shipped: tenant isolation, encryption in transit + at rest, MFA, SSO, an admin audit log with CSV export, configurable data retention, a No-AI / manual mode, and Canadian-region data residency on request.

Security questions or a vendor review? Contact us — we're glad to walk your team through the architecture.