Security

Last updated: April 6, 2026

Our Commitment

Security is a core part of how we build and operate Lunadeck. We apply defense-in-depth principles across our infrastructure, application, and processes to protect your data and the apps you publish through our platform. This page outlines our security practices and explains how to report a vulnerability if you find one.

Infrastructure Security

  • Cloud hosting: Lunadeck runs on enterprise-grade cloud infrastructure with SOC 2 Type II certified providers. Physical access to data centers is strictly controlled.
  • Network isolation: Production systems operate in private networks. Only necessary ports are exposed to the public internet, protected by firewall rules and DDoS mitigation.
  • Redundancy: Critical services are deployed across multiple availability zones to ensure resilience and minimize downtime.
  • Patch management: Operating systems and dependencies are kept up to date with security patches applied on a regular cadence.

Data Security

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and redirect any plain HTTP requests.
  • Encryption at rest: Databases and file storage are encrypted at rest using AES-256. Encryption keys are managed through a dedicated key management service with strict access controls.
  • Data isolation: Customer data is logically isolated. No customer can access another customer's builds, assets, or account information.
  • Backups: Data is backed up regularly with encrypted, off-site copies. Backup restoration is tested periodically.
  • Retention and deletion: Data is retained only as long as necessary. Deleted accounts and their associated data are purged according to our retention schedule.

Application Security

  • Authentication: Passwords are hashed using a modern adaptive algorithm (bcrypt). We support multi-factor authentication (MFA) for all accounts and strongly recommend enabling it.
  • Session management: Sessions are signed, expire after periods of inactivity, and are invalidated on password change or logout.
  • CSRF and XSS protection: All forms are protected with CSRF tokens. Output is escaped and Content Security Policy headers are enforced to mitigate XSS attacks.
  • Dependency scanning: We continuously scan our software dependencies for known vulnerabilities and remediate critical issues promptly.
  • Secure development: Security review is part of our development process. We conduct code reviews with security considerations in mind and use automated static analysis tooling.

Access Controls

  • Least privilege: Internal access to production systems follows the principle of least privilege. Employees are granted only the access required for their role.
  • Multi-factor authentication: MFA is required for all employees accessing production systems and sensitive tooling.
  • Access reviews: Access rights are reviewed periodically and revoked promptly when no longer needed.
  • Audit logging: Access to customer data and sensitive operations is logged. Logs are retained and monitored for anomalies.

Incident Response

We maintain an incident response plan that defines roles, escalation paths, and communication procedures for security events. In the event of a breach that affects your data, we will notify affected users within the timeframes required by applicable law and provide clear information about what happened, what data was involved, and what steps we are taking.

Responsible Disclosure

We welcome security researchers and members of the public to report potential vulnerabilities in our platform. If you believe you have found a security issue, please disclose it to us responsibly:

  • Email us at security@lunadeck.app with a clear description of the issue and steps to reproduce it.
  • Include any relevant screenshots, proof-of-concept code, or affected URLs.
  • Do not access, modify, or delete data belonging to other users during your research.
  • Do not perform denial-of-service attacks or disrupt production services.
  • Give us reasonable time to investigate and remediate before any public disclosure.

We will acknowledge your report within 2 business days and keep you informed as we investigate. We will not pursue legal action against researchers who act in good faith and follow these guidelines.

Recommendations for Users

You can help keep your account secure by following these best practices:

  • Enable multi-factor authentication on your Lunadeck account.
  • Use a strong, unique password that you do not reuse on other services.
  • Keep your email address up to date so you can receive security notifications.
  • Review your active sessions periodically and revoke any you do not recognize.
  • Be cautious of phishing emails. Lunadeck will never ask for your password via email.

Contact

For security-related inquiries or to report a vulnerability, please contact our security team:

Lunadeck Security

Email: security@lunadeck.app