Trust centre
Controls you can verify, not promises you cannot.
This page lists what the product does today for governance and access boundaries. It does not replace your security review, legal agreements, or procurement questionnaire. For encryption, isolation, and export or deletion of your account, see our Security page.
Last updated 21 April 2026
Data flow, in plain terms
Leaders and operators use the web app or the headless API inside a workspace. Authentication is handled by Clerk. Application data lives in our Postgres database with row scoping by user and workspace. AI requests go to configured model providers for generation; see Security for training and transport posture.
Implemented controls
The items below reflect the codebase and configuration as of the date above. If we have not built it, we do not list it.
Workspace activity record
Owners and admins can review workspace-scoped audit events in the app (Settings, Trust), including filters for action text and severity. Events cover product usage, trust actions, and membership changes where the app logs them.
Support access
Owners and admins can grant time-bound support access to a named email address with a recorded reason. Active grants are listed in Trust settings. Expired grants are closed by an automated job and recorded in the workspace audit log.
Audit log retention
Owners and admins can configure how long workspace audit log rows are kept. When a retention window is set, a scheduled job deletes audit rows older than that window for the workspace. This applies to audit history, not yet to every domain object type.
Headless API roles
Workspace API keys carry a role. Keys scoped as Support or Board viewer cannot mutate workspace objects through the API, cannot run the full workspace export endpoint, and cannot read the full organisation snapshot endpoint.
Billing boundary
Opening the Stripe customer portal and saving an overage payment method are limited to the workspace owner, so billing stays with the economic buyer of the deployment.
Workspace membership roles
The product uses workspace roles (owner, admin, member, operator, board viewer, support) for in-app permissions and API behaviour. Support memberships require an active, unexpired support grant for that workspace.
Procurement artefacts
Data processing agreements, a formal subprocessor register, and security questionnaire packs are not published on this page yet. If you need them for evaluation, use the deployment conversation linked from pricing and we will route the request.