Security
How we protect your business data
Data Protection
- All data transmitted over HTTPS (TLS)
- Data stored in EU-compliant data centers (Hetzner, Germany)
- Database backups performed regularly
- Passwords stored using industry-standard hashing (bcrypt)
Access Controls
- Secure authentication via industry-standard libraries (Devise)
- Role-based access control (owner, admin, member, accountant)
- Session management with automatic timeouts
- Multi-tenant data isolation ensures clients cannot access each other's data
Audit & Transparency
- Accountant actions logged with timestamps
- Clients can see when their accountant accessed data
- Activity history available in account settings
Your Data
- You own your data
- Export available in standard formats (CSV, PDF)
- Account deletion available upon request
Frequently Asked Questions
Where is my data stored?
Your data is stored on Hetzner servers in Germany (EU). Hetzner provides enterprise-grade infrastructure with physical security controls, redundant power, and environmental protections. This ensures GDPR compliance for EU-based users.
Is my data encrypted?
Yes. All data transmitted between your browser and our servers is encrypted using HTTPS (TLS). Sensitive data at rest, such as passwords, is stored using industry-standard hashing algorithms.
How are backups handled?
Database backups are performed regularly and stored in geographically separate locations. Backups are encrypted and retained according to our data retention policies.
Who can access my data?
Access to your data is controlled through role-based permissions (owner, admin, member, accountant). You control who has access to your organization. Only authorized personnel with a legitimate business need can access customer data for support purposes.
Are accountant actions logged?
Yes. When an accountant accesses your data, their actions are logged with timestamps. You can view when your accountant accessed your account in your settings.
How do you protect my account?
We use secure password hashing (bcrypt), session management with automatic timeouts, and role-based access controls. Accountant access is logged and auditable. We continuously evaluate additional security features.
How long is my data retained?
Your data is retained for as long as your account is active. If you close your account, you can request deletion of your data. Some data may be retained as required by law or for legitimate business purposes.
What happens if there's a security incident?
We have incident response procedures in place. In the event of a security incident affecting your data, we will notify you as required by applicable law and provide information about the incident and steps being taken.
Can I export my data?
Yes. You can export your data in standard formats (CSV, PDF) at any time. You own your data and can take it with you if you decide to leave.
Do you support two-factor authentication (2FA)?
Two-factor authentication via authenticator apps is on our roadmap and coming soon. We will announce when 2FA is available.
Does LunoFlow support FTC Safeguards Rule compliance?
We understand that accountants and financial service providers must comply with the FTC Safeguards Rule. While compliance is the responsibility of each covered entity, LunoFlow provides features that support your compliance: encrypted data storage and transmission, access controls and audit logging, role-based user permissions, and data export and deletion capabilities. You should evaluate how LunoFlow fits into your overall information security program.
How do I report a security concern?
If you discover a potential security issue, please report it to security@lunoflow.app. We take all reports seriously and will investigate promptly.
Questions?
If you have additional questions about our security practices, please contact us:
Email: security@lunoflow.app
General Support: lunoflow.app/contact