// Trust & Security Report
Luma Labs, Inc.
AI-powered creative intelligence platform including Ray (video generation), Uni-1 (brand intelligence model), and Luma Skills (workflow automation). Offers consumer, professional, and API access tiers.
Certifications held
1
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on lumalabs.ai“Privacy policy states 'We only process your personal information when we have a valid legal basis' including consent, contractual necessity, and legitimate interests. Details EU rights including data access, deletion, and portability.”
> Show 5 unconfirmed / not-held certifications
source: lumalabs.aiNo mention of SOC 2 in privacy policy, terms of service, or API documentation. (Note: SOC 2 claims found in search results belong to 'Luma' events platform at luma.com, not Luma AI at lumalabs.ai.)
source: lumalabs.aiNo mention in any vendor documentation. AWS infrastructure maintains ISO 27001, but that is the cloud provider's cert, not Luma AI's own.
source: lumalabs.aiFrom Terms of Service: 'the Services are not designed for HIPAA compliance and that Luma is not a Business Associate.' Explicitly prohibited: HIPAA-protected health information.
source: lumalabs.aiNo public evidence of ISO/IEC 42001 certification in vendor documentation or public sources.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
US (Palo Alto, CA based)
Luma explicitly uses customer data for AI model development. Privacy policy states: 'Train, develop, and improve the artificial intelligence, machine learning, and models that we use to support our Services.' Free tier users grant Luma broad rights including public display, reproduction, modification, and distribution of their input. Paid tier users restrict use to 'solely as reasonably necessary' to provide services.
// Security controls
Data Encryption
Reasonable technical and organizational measures designed to protect Input from unauthorized access, use, or disclosure. Specific encryption methods not disclosed.
lumalabs.aiData Backup Responsibility
Luma explicitly disclaims responsibility for input preservation. Customers bear sole responsibility for backing up their data.
lumalabs.aiPenetration Testing
No mention of regular penetration testing or third-party security assessments in vendor documentation.
lumalabs.aiProhibited Data Categories
Users cannot submit special categories of data under EU law, HIPAA-protected health information, payment card data, or children's privacy-regulated data.
lumalabs.ai// Products & data scope
data: User videos, prompts, and generated content. Used for service delivery and model training.
Free and paid tiers. Free tier: Luma gains broad rights to use, display, modify, and distribute content. Paid tier: restricted to service delivery and usage analytics.
data: Brand references, style guides, character references, visual grounding data.
API-available. Data used to understand and generate brand-consistent assets. Training usage not explicitly differentiated by tier.
data: Workflow definitions, execution logs, generated outputs.
Launched June 2026. Data retention and training usage not explicitly detailed in available documentation.
data: API requests, inputs, outputs. Subject to same training and usage policies as platform.
Enterprise API available. No special data residency, zero-retention, or compliance options documented.
// What to watch
- CRITICAL: Vendor explicitly states NOT HIPAA compliant and not a Business Associate. DO NOT use for healthcare, clinical, or regulated health data.
- IMPORTANT: Luma trains on customer data by default. Free tier users grant especially broad rights (public display, derivative works).
- GROWTH-STAGE: No SOC 2, ISO 27001, or other enterprise security certifications. Suitable for creative/marketing use, not regulated industries.
- IDENTITY VERIFIED: Search results conflated Luma AI (lumalabs.ai) with Luma events platform (luma.com). The SOC 2 Type II cert belongs to Luma events platform, NOT Luma AI video generation.
- DATA BACKUP: Vendor explicitly disclaims responsibility for data preservation. Users must implement their own backups.
- EU-ONLY CLAIM: GDPR compliance is documented, but no Data Processing Addendum (DPA) URL found. EU businesses should verify DPA availability before contracting.
// At a glance
Pricing model
Freemium (free tier with limited monthly generation; paid subscription; enterprise contracts)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Luma Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
lumalabs.ai