// Trust & Security Report

    Luma Labs, Inc. logo

    Luma Labs, Inc.

    AI-powered creative intelligence platform including Ray (video generation), Uni-1 (brand intelligence model), and Luma Skills (workflow automation). Offers consumer, professional, and API access tiers.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR
    HELD

    Privacy policy states 'We only process your personal information when we have a valid legal basis' including consent, contractual necessity, and legitimate interests. Details EU rights including data access, deletion, and portability.

    Verify on lumalabs.ai
    > Show 5 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    No mention of SOC 2 in privacy policy, terms of service, or API documentation. (Note: SOC 2 claims found in search results belong to 'Luma' events platform at luma.com, not Luma AI at lumalabs.ai.)

    source: lumalabs.ai
    ISO 27001
    NOT CONFIRMED

    No mention in any vendor documentation. AWS infrastructure maintains ISO 27001, but that is the cloud provider's cert, not Luma AI's own.

    source: lumalabs.ai
    HIPAA
    NOT CONFIRMED

    From Terms of Service: 'the Services are not designed for HIPAA compliance and that Luma is not a Business Associate.' Explicitly prohibited: HIPAA-protected health information.

    source: lumalabs.ai
    ISO/IEC 42001 (AI ISMS)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification in vendor documentation or public sources.

    source: lumalabs.ai
    PCI DSS
    NOT CONFIRMED

    No mention in vendor documentation.

    source: lumalabs.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    US (Palo Alto, CA based)

    Luma explicitly uses customer data for AI model development. Privacy policy states: 'Train, develop, and improve the artificial intelligence, machine learning, and models that we use to support our Services.' Free tier users grant Luma broad rights including public display, reproduction, modification, and distribution of their input. Paid tier users restrict use to 'solely as reasonably necessary' to provide services.

    // Security controls

    Data Encryption

    Reasonable technical and organizational measures designed to protect Input from unauthorized access, use, or disclosure. Specific encryption methods not disclosed.

    lumalabs.ai

    Data Backup Responsibility

    Luma explicitly disclaims responsibility for input preservation. Customers bear sole responsibility for backing up their data.

    lumalabs.ai

    Penetration Testing

    No mention of regular penetration testing or third-party security assessments in vendor documentation.

    lumalabs.ai

    Prohibited Data Categories

    Users cannot submit special categories of data under EU law, HIPAA-protected health information, payment card data, or children's privacy-regulated data.

    lumalabs.ai

    // Products & data scope

    Ray 3.2 (Video Generation)Video Generation

    data: User videos, prompts, and generated content. Used for service delivery and model training.

    Free and paid tiers. Free tier: Luma gains broad rights to use, display, modify, and distribute content. Paid tier: restricted to service delivery and usage analytics.

    Uni-1 (Brand Intelligence Model)Model/API

    data: Brand references, style guides, character references, visual grounding data.

    API-available. Data used to understand and generate brand-consistent assets. Training usage not explicitly differentiated by tier.

    Luma Skills (Workflow Automation)Workflow Automation

    data: Workflow definitions, execution logs, generated outputs.

    Launched June 2026. Data retention and training usage not explicitly detailed in available documentation.

    Luma APIAPI

    data: API requests, inputs, outputs. Subject to same training and usage policies as platform.

    Enterprise API available. No special data residency, zero-retention, or compliance options documented.

    // What to watch

    • CRITICAL: Vendor explicitly states NOT HIPAA compliant and not a Business Associate. DO NOT use for healthcare, clinical, or regulated health data.
    • IMPORTANT: Luma trains on customer data by default. Free tier users grant especially broad rights (public display, derivative works).
    • GROWTH-STAGE: No SOC 2, ISO 27001, or other enterprise security certifications. Suitable for creative/marketing use, not regulated industries.
    • IDENTITY VERIFIED: Search results conflated Luma AI (lumalabs.ai) with Luma events platform (luma.com). The SOC 2 Type II cert belongs to Luma events platform, NOT Luma AI video generation.
    • DATA BACKUP: Vendor explicitly disclaims responsibility for data preservation. Users must implement their own backups.
    • EU-ONLY CLAIM: GDPR compliance is documented, but no Data Processing Addendum (DPA) URL found. EU businesses should verify DPA availability before contracting.

    // At a glance

    Pricing model

    Freemium (free tier with limited monthly generation; paid subscription; enterprise contracts)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Luma Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    lumalabs.ai

    > Browse all vendor trust reports