Security Overview

Enterprise-grade security built into every layer. Designed for procurement teams that demand the highest standards of data protection.

Data Security

All data is protected using industry-standard encryption both at rest and in transit.

Encryption at Rest

AES-256

Google-managed encryption keys with automatic key rotation

Encryption in Transit

TLS 1.3

All API communication secured with the latest TLS protocol

EU Primary Region

All customer data is stored and processed within the European Union, ensuring compliance with data residency requirements.

Region

europe-west3

Location

Frankfurt, Germany

Provider

Google Cloud Platform

Access Controls

Fine-grained access controls ensure that users only see and modify what they are authorized to.

  • Role-Based Access Control (RBAC)

    Predefined roles (Admin, Sales, Distribution, Customer) with configurable module-level permissions

  • Multi-Factor Authentication (MFA)

    Firebase Authentication with support for email/password, phone, and third-party identity providers

  • Session Management

    Automatic session expiry, rate limiting per user (30 req/min), and Firebase App Check attestation

Audit Logging

Every data-modifying action is recorded in an append-only audit trail, designed for GoBD compliance and full traceability.

  • Append-Only Audit Trail

    Immutable log of all create, update, delete, and status change operations

  • GoBD-Ready

    Compliant with German GoBD requirements for digital record-keeping in commercial operations

  • Field-Level Diffs

    Each audit event captures exactly which fields changed, by whom, and when

Data Retention

Configurable data retention policies that comply with legal requirements while respecting your data minimization preferences.

Invoice Retention

8 years (default)

German AO §147 and HGB §257 compliant retention for tax-relevant documents

Configurable Policies

Per tenant

Tenants can configure retention periods above the legal minimum via admin settings

Incident Response

We maintain a comprehensive incident response plan to detect, contain, and recover from security incidents with minimal impact.

24-Hour Notification Commitment

In the event of a confirmed data breach affecting your tenant, we commit to notifying affected customers within 24 hours, exceeding the GDPR 72-hour requirement.

Compliance Roadmap

Our ongoing commitment to achieving and maintaining recognized security certifications.

GDPR Compliance

Full GDPR compliance including data export, deletion, and consent management

Active

GoBD Audit Trail

Append-only audit logging compliant with German digital record-keeping standards

Active

ISO 27001

Information security management system certification — readiness assessment underway

Q4 2026

BSI C5

German Federal Office for Information Security Cloud Computing Compliance Criteria Catalogue

2027

Security Whitepaper

Download our detailed security whitepaper for a comprehensive overview.

Contact Security Team

Have questions? Reach our security team directly for any concerns.

security@luniops.de