At Lumo, security and trust are fundamental to everything we build. To help our customers use Lumo with confidence, we've summarized our approach to data protection, AI security, LINE integration security, and operational reliability on this page. For a more detailed overview, please download our Security & Trust Whitepaper.


Security Resources

Our AI agents and customer data are managed using industry-standard security controls and operational safeguards.


Compliance

Lumo's security program is designed and operated in accordance with recognized industry standards, regulatory requirements, and public security guidelines in Japan and internationally. We continuously strengthen our security posture through third-party certifications, regulatory compliance, and ongoing operational improvements.

PrivacyMark Certified

Our operating company maintains PrivacyMark certification issued by JIPDEC and operates a personal information protection management system based on JIS Q 15001. 


LINE Yahoo Certified Technology Partner

We are recognized by LINE Yahoo as a certified technology partner that has successfully passed LINE Platform security and technical reviews.


HubSpot Technology Partner

As an official HubSpot Technology Partner, we provide applications that meet HubSpot's security and privacy requirements.


Standards and Regulations

  • Act on the Protection of Personal Information (APPI)
  • JIS Q 15001
  • Telecommunications Business Act
  • Unauthorized Computer Access Law
  • METI Cloud Service Security Checklist
  • Ministry of Internal Affairs and Communications ASP/SaaS Disclosure Guidelines
  • IPA Secure Web Development Guidelines
  • OWASP Top 10 for LLM Applications 2025

Third-Party Security Assessments

Independent security assessments are conducted at least annually by external security specialists. Assessment summaries can be shared under a mutual NDA upon request.

 

Data Protection

Customer data is the foundation of every feature offered by Lumo. We apply different protection measures based on data sensitivity, including where data is stored, how it is encrypted, and when it is deleted. For detailed information regarding personal data handling, please refer to our Personal Information Handling Policy.

Personal Data Management

Personal data entrusted to us is handled in strict compliance with applicable privacy regulations and our Personal Information Handling Policy. We enforce confidentiality obligations, restrictions on unauthorized use, and security controls for personal data protection. All employees and contractors are bound by confidentiality agreements, and personnel with access to personal information receive ongoing training and oversight. Where data processing is delegated to third parties, equivalent obligations and supervision requirements are applied.

Workspace-Level Data Isolation

All customer data is logically isolated at the workspace level to prevent cross-customer access. Automated testing continuously validates data isolation, and any release that could compromise segregation is automatically blocked before deployment.

Data Deletion

Upon contract termination or customer request, customer data is deleted within 30 business days. A certificate of deletion can be provided upon request.

Data Residency

  • Primary databases and backups are hosted in Google Cloud Platform's Tokyo region (Japan)
  • File storage is hosted in Cloudflare R2's Asia-Pacific region

Encryption at Rest and in Transit

Data is encrypted using AES-256 at rest and TLS 1.2 or higher in transit. For highly sensitive information, additional application-level encryption is also applied.

Data Classification Based on Sensitivity

Data is classified into four sensitivity levels (Critical, High, Medium, and Low). Appropriate encryption, access controls, and audit logging are applied according to each classification level.

AI Security

AI agents are at the core of Lumo. From helping plan marketing campaigns to automating customer interactions on LINE, AI plays a critical role in day-to-day operations. That's why we have implemented rigorous safeguards to address risks unique to AI systems.

No Customer Data Used for AI Training

Customer data is never used to train or fine-tune external AI models. AI processing is limited to data within the relevant workspace, and generated outputs are stored only within that workspace.

AI Processing Stays Within Google Cloud

All AI processing is performed within a private Google Cloud environment. Customer data is never sent to external AI services, and all processing is conducted within Japan.

Human-in-the-Loop Approval Workflow

AI assists with campaign recommendations and content generation, but all execution decisions—including LINE message delivery and the activation of segments or workflows—remain under the user's control and require explicit approval.

Security Design Based on the OWASP Top 10 for LLM Applications 2025

We reference the OWASP Top 10 for LLM Applications 2025 and incorporate mitigations for all identified AI and LLM security risks into our design and operational practices. These measures are continuously reviewed and improved to reduce risk over time.

LINE Integration

Integration with LINE Official Accounts is a core part of the Lumo platform. As a certified LINE Yahoo Technology Partner, we implement integrations in accordance with LINE's security requirements and best practices.

Webhook Signature Verification

All webhooks received from LINE undergo signature verification. Channel secrets are managed and encrypted separately for each workspace.

Protection of LINE User Data

LINE user IDs, profile information, and channel access tokens are logically isolated by workspace. Access tokens are encrypted before storage.

Secure LINE Login

Authentication is implemented using industry-standard OAuth 2.0 and OpenID Connect flows. Only the minimum information required to provide the service is requested and stored.

Safe Message Delivery

AI-generated messages are sent only after customer review and approval. Audience segmentation references data exclusively within the customer's workspace, preventing accidental delivery to end users belonging to other organizations.

Reliability & Incident Response

To protect against service disruptions and data loss, we maintain continuous monitoring systems and well-defined incident response procedures.  

Redundant Architecture and Auto Scaling

Core services run across multiple instances to eliminate single points of failure. We target 99.9% monthly uptime and strive to provide uninterrupted service 24 hours a day, 365 days a year.

Backup and Disaster Recovery

Regular full backups and Point-in-Time Recovery (PITR) enable restoration to any desired recovery point. Our targets are an RTO of less than 1 hour and an RPO of less than 5 minutes.

24/7 Monitoring and Notifications

Service health and security events are continuously monitored. In the event of a security incident, affected customers will receive an initial notification within 72 hours.

Six-Phase Incident Response Process

Our incident response framework follows six standardized phases: Detection & Reporting, Initial Response, Investigation & Analysis, Recovery, Notification, and Prevention. Security incidents are immediately escalated to the designated security lead, who oversees the entire response process—from impact assessment and customer communication to remediation and prevention of recurrence.

 
