Security at Luca Analytics

Our Security Commitment

At Luca Analytics, we understand that you're entrusting us with sensitive advertising data and business information. We've built our platform from the ground up with security as a core principle, not an afterthought.

Data Encryption

Access Controls

• Role-Based Access Control (RBAC): Employees only have access to systems and data necessary for their job functions
• Multi-Factor Authentication: Required for all employee access to production systems
• Single Sign-On (SSO): Available for enterprise customers to integrate with their identity providers
• Session Management: Automatic session timeouts and secure session handling
• Audit Logging: Comprehensive logging of all access and changes to sensitive data

Infrastructure Security

• Cloud Hosting: Our infrastructure is hosted on AWS with SOC 1, SOC 2, and ISO 27001 certifications
• Network Security: Firewalls, intrusion detection systems, and DDoS protection
• Isolated Environments: Production, staging, and development environments are fully isolated
• Regular Patching: Automated security patches and updates applied promptly
• Redundancy: Multi-availability zone deployment for high availability and disaster recovery

Application Security

• Secure Development: Security-focused code reviews and automated vulnerability scanning
• OWASP Compliance: Protection against common vulnerabilities (SQL injection, XSS, CSRF, etc.)
• Penetration Testing: Regular third-party security assessments and penetration tests
• Bug Bounty Program: Responsible disclosure program for security researchers
• Dependency Management: Continuous monitoring for vulnerabilities in third-party dependencies

OAuth Security

When you connect your Meta or Google Ads accounts, we use OAuth 2.0, the industry-standard protocol for authorization. This means:

• We never see or store your advertising platform passwords
• You can revoke Luca's access at any time from your Meta or Google account settings
• We request only the minimum permissions necessary to provide our services
• Access tokens are encrypted and securely stored with automatic rotation

Data Handling

• Data Minimization: We only collect and retain data necessary for our services
• Data Isolation: Each customer's data is logically separated from other customers
• Data Retention: Clear policies for data retention and deletion upon request
• No Data Selling: We never sell your data to third parties
• AI Training: Your advertising data is never used to train our AI models

Incident Response

We maintain a comprehensive incident response plan that includes:

• 24/7 security monitoring and alerting
• Defined escalation procedures and response teams
• Regular incident response drills and tabletop exercises
• Commitment to notify affected customers within 72 hours of a confirmed breach
• Post-incident analysis and continuous improvement

Employee Security

• Background checks for all employees with access to customer data
• Mandatory security awareness training
• Confidentiality agreements and acceptable use policies
• Secure workstation policies and endpoint protection
• Principle of least privilege for all system access

Compliance & Certifications

Report a Security Issue

We value the security research community. If you believe you've found a security vulnerability in our platform, please report it responsibly to: