Security & Compliance
Four Pillars of Trust
European Data Sovereignty
Your data never leaves European jurisdiction
EU-only Scaleway Sovereign Cloud infrastructure
GDPR-native architecture with data minimisation by design
Full compliance with EU data residency requirements
Financial Services Security
Multi-layered encryption (AES-256) for data at rest and in transit
Personal data anonymised before every language-model call
Independent penetration testing (first assessment scoped)
Regulatory Compliance
MiFID II documentation and audit-trail capabilities
DORA operational resilience alignment (company-level)
EU AI Act alignment for transparent, explainable algorithms
Operational Resilience
Hosted on Scaleway's EU infrastructure (Paris region)
Automated, encrypted database backups via managed PostgreSQL
Multi-region disaster recovery and automated failover on our roadmap
Infrastructure & Data Residency
European Sovereign Cloud Architecture
100% European Infrastructure
Powered by Scaleway's Sovereign Cloud, an EU-based provider.
European legal jurisdiction
Subject only to EU and member state laws.
Local support teams
European-based technical and security personnel.
Security Architecture
Multi-Layer Defence Strategy
01
Data Protection
Encryption at Rest — AES-256 with customer-managed keys (CMK)
Encryption in Transit — TLS 1.3 with perfect forward secrecy
Database Security — Field-level encryption for PII and financial data
Backup Encryption — Point-in-time encrypted backups with 30-day retention
02
Network Security
Zero-Trust Architecture — No implicit trust, continuous verification
Network Segmentation — Micro-segmented environments with least-privilege access
DDoS Protection — Multi-layer DDoS mitigation with traffic analysis
Intrusion Detection — 24/7 SIEM monitoring with automated threat response
03
Access Controls
Multi-Factor Authentication — Required for all administrative access
Role-Based Access Control — Granular permissions based on job function
Privileged Access Management — Time-limited, audited access to sensitive systems
Single Sign-On — Enterprise SSO integration with SAML 2.0/OpenID Connect
04
Monitoring & Incident Response
Continuous Monitoring — Real-time security event analysis and alerting
Vulnerability Management — Automated scanning with prioritised remediation
Incident Response — Documented procedures with <1 hour initial response
Forensic Capabilities — Complete audit logging with tamper-evident storage
Built from inception with European financial services security requirements, Luscent exceeds industry standards for data protection, system resilience, and regulatory compliance across all EU member states.
Certifications & Audits
Independent Validation of Our Security
Security Certifications
Current Certifications
ISO 27001:2022 — Information Security Management (Certification in Progress)
SOC 2 Type II — Security, Availability, and Confidentiality (Audit Scheduled Q1 2026)
Planned Certifications
ISO 27017 — Cloud Security (Q1 2026)
ISO 27018 — Cloud Privacy (Q1 2026)
Third-Party Assessments
Penetration Testing — Penetration testing by EU-based security firms
Vulnerability Scanning — Continuous automated scanning with monthly reports
Code Security Reviews — Static and dynamic analysis for all code releases
Infrastructure Audits — Annual comprehensive infrastructure security reviews
Audit & Compliance Reports
Available to enterprise customers under NDA: SOC 2 Type II Report (Available Q1 2026), Penetration Testing Executive Summary (Quarterly), Vulnerability Assessment Reports (Monthly), Business Continuity Test Results (Semi-Annual).
Privacy & Data Governance
Data Handling Principles
Data Classification
Highly Confidential: Client personal and financial information
Confidential: Business intelligence and portfolio data
Internal: System logs and operational metadata
Public: Product documentation and marketing materials
Data Lifecycle Management
Collection: Minimal necessary data with explicit purpose limitation
Processing: Automated workflows with human oversight checkpoints
Storage: Encrypted at rest with access logging and monitoring
Retention: Configurable retention periods based on regulatory requirements
Disposal: Secure deletion with cryptographic proof of destruction
Data Subject Rights (GDPR Article 12-23)
Right of Access: Automated data export within 30 days
Right to Rectification: Real-time data correction capabilities
Right to Erasure: Secure data deletion with audit trails
Data Portability: Standardised export formats (JSON, CSV, XML)
Right to Object: Granular consent management for processing activities
Cross-Border Data Transfers
Data Residency: All client data is stored and processed within the EU
Adequacy Decisions: Compliant with all EU adequacy frameworks
Intragroup Transfers: Engineering access is governed by intragroup data-processing agreements and EU-approved transfer safeguards
Artificial Intelligence & Ethics
Responsible AI Framework
AI Governance Principles
Human-Centric Design: AI augments human decision-making, never replaces it
Transparency: Clear explanations for all AI-generated recommendations
Fairness: Continuous monitoring for bias in algorithms and outcomes
Accountability: Human oversight required for all high-stakes decisions
Explainable AI (XAI) Implementation
Decision Trees: Visual representation of AI reasoning pathways
Feature Attribution: Clear identification of data points influencing decisions
Confidence Scoring: Probability assessments for all AI recommendations
Alternative Scenarios: "What-if" analysis for different input parameters
AI Training and Validation
AI Training & Validation
Diverse Datasets: Multi-jurisdictional training data to prevent regional bias
Continuous Monitoring: Real-time performance tracking with bias detection
Model Versioning: Complete audit trail of AI model changes and improvements
Regular Retraining: Quarterly model updates with validation testing
EU AI Act Compliance
Risk Assessment: Documented classification of all AI systems
Quality Management: Systematic approach to AI development and deployment
Documentation: Comprehensive technical documentation for regulators
Post-Market Monitoring: Continuous assessment of AI system performance
Business Continuity & Disaster Recovery
Operational Resilience
Availability Commitments
Uptime SLA: 99.9% (8.77 hours downtime/year maximum)
Planned Maintenance: <4 hours monthly with advance notification
Emergency Maintenance: <2 hour response time for critical issues
Disaster Recovery
Recovery Time Objective (RTO): <4 hours for full service restoration
Recovery Point Objective (RPO): <15 minutes maximum data loss
Backup Frequency: Continuous replication with hourly snapshots
Testing Schedule: Quarterly DR tests with documented results
Geographic Redundancy
Multi-Region Architecture: Active-passive setup across EU regions
Automated Failover: Transparent switching with minimal user impact
Data Synchronisation: Real-time replication between primary and backup sites
Crisis Management
24/7 Monitoring: European NOC with multilingual support
Escalation Procedures: Clear escalation paths for different incident types
Communication Plan: Automated customer notification systems
External Dependencies: Documented contingency plans for third-party outages
Vendor Risk Management
Third-Party Security
Vendor Assessment Process
Initial Screening: Security questionnaires and certification verification
Due Diligence: On-site assessments for high-risk vendors
Ongoing Monitoring: Quarterly reviews and annual recertification
Contract Requirements: Security terms and right-to-audit clauses
Supply Chain Security
Software Bill of Materials (SBOM): Complete inventory of all components
Dependency Scanning: Automated vulnerability detection in third-party libraries
License Compliance: Legal review of all open-source components
Update Management: Systematic patching with security priority levels
Key Technology Partners
Vendor
Service
Security Certifications
Data Location
Scaleway
Sovereign Cloud
ISO 27001, SOC 2
EU Only
Auth0 (Okta)
Identity Management
ISO 27001, SOC 2
EU Instance
Datadog
ISO 27001, SOC 2
EU Deployment
Incident Response & Communication
Security Incident Management
Incident Classification
P0 - Critical: Data breach, system compromise, service unavailability
P1 - High: Security vulnerability, privacy incident, regulatory non-compliance
P2 - Medium: Performance degradation, configuration issues
P3 - Low: Minor security findings, enhancement requests
Response Procedures
Detection: Automated monitoring with 24/7 SOC oversight
Initial Response: <1 hour acknowledgment for P0/P1 incidents
Investigation: Forensic analysis with external expertise if required
Containment: Immediate threat isolation and service stabilisation
Recovery: System restoration with enhanced monitoring
Post-Incident: Root cause analysis and preventive measures
Breach Notification
Internal Escalation: Immediate notification to executive team and legal counsel
Customer Notification: Within 24 hours for incidents affecting customer data
Regulatory Reporting: GDPR-compliant notification to supervisory authorities within 72 hours
Public Disclosure: Transparent communication through status page and direct outreach
Customer Communication
Email Notifications: Automated alerts for service incidents
Direct Outreach: Account manager contact for enterprise customers
Post-Incident Reports: Detailed analysis available within 5 business days
Resources
Documentation & Direct Contact
Available Security Documents
Enterprise customers can request access to: Security Architecture Overview, Data Processing Agreement (DPA) Templates, Vendor Risk Assessment Results, Business Continuity Plan Summary, Incident Response Playbook (Executive Summary).
Contact
Security team
Privacy officer
Compliance Team
Bug Bounty & Responsible Disclosure
We welcome security researchers to help us maintain the highest security standards. Please contact security@luscent.lu for our disclosure policy.
Trust Center Updates
Our Commitment to Transparency
This Trust Center is updated quarterly to reflect our evolving security posture, new certifications, and regulatory developments. All material changes are communicated to customers in advance.
