Security & Compliance
Last updated: May 24, 2026
Technology
Encryption in transit
Communications between your browser and our API use HTTPS (TLS). Upload and download flows use time-limited presigned URLs so files are not exposed on public paths.
Object storage
Files are stored in private S3-compatible buckets with access restricted to application and worker roles. Files are deleted after 30 minutes; paid tiers may retain files up to 48 hours.
Worker isolation
Each conversion runs in an isolated worker process with dedicated temporary workspace. Workers do not share filesystem state between jobs and clean up after completion or failure.
Authentication & API access
Account sign-in uses industry-standard session handling (NextAuth). Future API access will use scoped API keys and rate limits. Passwords are hashed; we never store full payment card numbers (Stripe handles payments).
Monitoring
We log errors and operational metrics to detect abuse and improve reliability. Logs are minimized to what is needed for operations and security.
Practices
Access control
Production infrastructure access is limited to authorized personnel. Secrets are stored in environment configuration, not in source code.
Secure development
We follow a secure development lifecycle: dependency updates, code review, and automated checks in CI where configured.
Incident response
We maintain procedures to investigate security incidents, contain impact, and notify affected users when required by law.
Compliance posture
We design for GDPR-aligned principles (data minimization, purpose limitation, user rights). Formal certifications (e.g. SOC 2) may be pursued as the product scales.
Your responsibilities
- Upload only content you are permitted to convert
- Keep account credentials confidential
- Download results before automatic file deletion
- Report suspected abuse to help@lunaconvert.com