Luminar Invest
Trust & security

Built like a bank.
Audited like a fintech.

Every layer of the Luminar Invest platform — from custody to login — is engineered around one principle: client funds and data must be protected even if any single control fails.

Certifications & attestations

Independently audited

  • SOC 2 Type II: AICPA — audited annually by Deloitte
  • ISO/IEC 27001:2022: Information Security Management System
  • ISO/IEC 27701: Privacy Information Management extension
  • PCI DSS v4.0: Card data environment, SAQ-D Service Provider
Defence in depth

Key security controls

Encryption everywhere

TLS 1.3 in transit, AES-256-GCM at rest. Database backups encrypted with customer-segregated keys held in AWS KMS HSM.

Strong authentication

TOTP 2FA enforced for all clients above USD 25,000. WebAuthn / passkeys supported. Anti-phishing code shown in every email.

Asset custody

Digital assets held in segregated MPC wallets with Fireblocks and BitGo. 95% cold storage, insured up to USD 250M (Lloyd's of London syndicate).

Continuous monitoring

24/7 SOC with Datadog, Wazuh and CrowdStrike. Anomaly detection on every login, withdrawal and API call.

Secure development lifecycle

Security by design

  • Threat model reviewed before every major release
  • Secure SDLC with mandatory code review and SAST (Semgrep, CodeQL)
  • Quarterly penetration tests by NCC Group and Cure53
  • Annual red-team exercise against production
  • Public vulnerability disclosure via /security.txt

Bug bounty programme

Researchers who responsibly disclose vulnerabilities are eligible for rewards up to USD 100,000 depending on severity (CVSS 3.1) and impact. We aim to triage within 24 hours and patch critical issues within 72 hours.

  • Critical: USD 25k – 100k
  • High: USD 5k – 25k
  • Medium: USD 1k – 5k
  • Low: USD 250 – 1k

Out of scope: social engineering, physical attacks, DoS, automated scanner output without proof of impact.