// Trust & Security Report
Luma Labs, Inc.
Luma creative AI agents platform (formerly Dream Machine) — text-to-video, image generation, and multimodal reasoning for creative teams. Includes Ray video models, video editing, image generation, and team collaboration features. Offered in individual (Plus/Pro/Ultra) and team/enterprise tiers.
Certifications held
1
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on lumalabs.ai“Privacy policy states: 'If you are located in the European Economic Area or the United Kingdom, we only process your personal information when we have a valid "legal basis"' and 'We may transfer personal information from the EEA or the UK to the United States and other third countries based on European Commission-approved or UK Government-approved Standard Contractual Clauses.' The DPA states: 'By signing this DPA, Company and Customer conclude Module 2 (controller-to-processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs' and incorporates the UK Addendum. The DPA applies to the GDPR, UK GDPR, Swiss Federal Data Protection Act, CCPA, and VCDPA.”
> Show 6 unconfirmed / not-held certifications
source: lumalabs.aiNo public SOC 2 audit report found on vendor domain. Nudge Security third-party profile claims SOC 2 compliance, but this is not backed by vendor-domain documentation. DPA states 'annual audits permitted' and enterprise materials note 'summary reports and certificates available to enterprise customers' but these are not publicly available.
source: lumalabs.aiNo public ISO 27001 certification found on vendor domain. Third-party claims exist (Nudge Security) but lack vendor-domain verification. Privacy policy and DPA do not reference ISO 27001.
source: lumalabs.aiEnterprise Terms of Service explicitly state: 'Luma has no liability for Prohibited Data or use of the Service for High Risk Activities.' Healthcare data (HIPAA-regulated) and special categories are excluded from coverage and protection. Product is explicitly not designed for healthcare data handling.
source: lumalabs.aiNo public PCI DSS compliance documentation found on vendor domain. While Luma handles payments via Stripe and Metronome (both PCI-compliant subprocessors), Luma Labs itself does not claim PCI compliance. No payment card data storage claimed.
source: lumalabs.aiNo public FedRAMP certification found on vendor domain. Third-party claims (Nudge Security) exist but lack vendor-domain verification. Luma does not market to US federal agencies or claim FedRAMP authorization.
source: lumalabs.aiNo public ISO/IEC 42001 certification found on vendor domain. While Luma Labs builds AI systems, they do not publicly claim ISO 42001 compliance.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
US-hosted. Privacy policy states: 'Our Services are hosted in the United States ("U.S.") and intended for visitors located within the U.S.' and that data 'may be transferred from the U.S. to other countries or regions in connection with storage and processing.' Subprocessors include AWS, Cloudflare, Microsoft Azure, Tensorwave, and Vercel (US/global). EU/UK customers' data is transferred to the US and other third countries under Standard Contractual Clauses; the DPA does not enumerate specific server locations.
CRITICAL TIER DIFFERENCE: (1) Non-enterprise users: Luma obtains 'irrevocable, royalty-free, fully paid right and license to use, host, and store Input...to improve the Services and develop new products'. Free tier users grant Luma rights to 'publicly display, publicly perform, reproduce, modify, create derivative works of, and distribute Input' indefinitely. (2) Enterprise users: Explicit opt-out—'Luma will not train its artificial intelligence or machine learning models on Input or Output.' Enterprise Terms state no model training on customer inputs. Product INCLUDES usage metadata collection for non-enterprise users. All inputs incorporated into systems persist indefinitely for Luma's model development.
// Security controls
Encryption in Transit
DPA states: 'encryption/tunneling of data sent via the Services between Customer and Company'
lumalabs.aiEncryption at Rest
DPA states: 'Encryption of Customer Personal Data at rest when under Company control'
lumalabs.aiAuthentication
DPA mentions 'User identification and authentication procedures' with strong password requirements. Enterprise plan includes 'enterprise-grade SSO'
lumalabs.aiAccess Controls
DPA: 'Internal policies, access logging' for data access. Enterprise plan includes 'access controls'
lumalabs.aiVulnerability Testing
DPA states: 'Vulnerability scanning and penetration testing' are performed. Enterprise materials note 'third-party security firm performs annual penetration test' by certified firm (CREST, CERT-In empaneled)
lumalabs.aiData Retention / Deletion
Privacy policy: 'We take measures to delete your personal information when no longer necessary.' Enterprise: 30 days to export after subscription termination, then Luma may delete
lumalabs.aiDisaster Recovery & Backup
DPA mentions: 'Backup procedures, RAID technology, UPS, disaster recovery plans'
lumalabs.aiPhysical Security
DPA mentions AWS-provided: 'Security areas, ID readers, door locks, surveillance systems'. Luma's own facilities not detailed
lumalabs.aiSubprocessor Oversight
DPA: Subprocessors must be 'bound by a written agreement including data protection terms and security measures, no less protective.' The public subprocessors page currently lists 41 subprocessors, including AWS, Cloudflare, Azure, OpenAI, Groq, Hive AI, Tensorwave, Vercel, Stripe, and Metronome. Advance-notice and objection windows for new subprocessors are governed by the DPA
lumalabs.ai// Products & data scope
data: User inputs used to train Luma models. Outputs available for free use but not commercial. No IP protection.
Non-paying users grant Luma 'irrevocable, royalty-free' rights to inputs for model development. Free usage prohibited for commercial purposes. Content moderation via Groq, OpenAI, Hive AI.
data: User inputs trained on by Luma. Outputs can be used commercially if subscription is active. Model training continues.
$30–$300/month tiers with 10K–150K monthly credits. Content ownership of outputs retained but model training on inputs persists. Metadata (operations, file types) collected for service improvement.
data: Inputs NOT trained on. Customer content never used for model development. IP fully protected.
Team: SSO, shared credits, team workspaces. Enterprise: dedicated support, custom fine-tuning, enterprise commitments. 30-day data export window post-subscription. Annual penetration testing. No training on inputs/outputs (opt-out fully honored).
data: Governed by separate API Terms of Use
API terms available but specific data training and IP policies not separately verified in this assessment
// What to watch
- OVER-CLAIM RISK: Nudge Security third-party profile claims SOC 2, ISO 27001, HIPAA, PCI, FedRAMP, and CSA STAR certifications for lumalabs.ai, but NO vendor-domain documentation (trust center, audit reports, public certifications) found to back these claims. Vendors sometimes inaccurately listed on third-party compliance dashboards. Recommend direct vendor contact for audit report verification.
- NO PUBLIC TRUST CENTER: Unlike many enterprise SaaS vendors, Luma Labs does not maintain a publicly accessible trust center (trust.lumalabs.ai, security.lumalabs.ai, etc.). Certifications claimed to be 'available to enterprise customers' only — not publicly verifiable.
- TIER-DEPENDENT DATA TRAINING POSTURE: Critical difference between tiers. Non-enterprise users' inputs ARE trained on (irrevocable license). Enterprise users' inputs explicitly NOT trained on. This is a material distinction for procurement and data residency analysis. Must be clearly disclosed to non-enterprise buyers.
- HEALTHCARE DATA EXCLUSION: Enterprise Terms explicitly exclude healthcare data (HIPAA) from coverage. Product is NOT designed for healthcare use cases. Any healthcare org considering Luma must understand this liability limitation.
- DATA REGION: Privacy policy states services are hosted in the United States ('Our Services are hosted in the United States'). However, the DPA does not enumerate specific server/data-center locations, and processing may extend to other countries via global subprocessors (AWS, Cloudflare, Azure). EU/UK data reaches the US and other third countries under SCCs. EU public-sector or data-residency-critical orgs should confirm exact processing locations directly.
- SUBPROCESSOR VOLATILITY: 41 active subprocessors (per the public subprocessors page) including third-party AI vendors (OpenAI, Groq, Hive AI) for content moderation. Advance-notice and objection windows for new subprocessors are set by the DPA. Any customer with strict vendor-approval requirements should flag this.
- IDENTITY CLARITY: Multiple 'Luma' companies exist (Luma Health, Luma Brighter Learning, Luma event platform, Luma Labs). Certifications held by other Luma entities (e.g., Luma Health's ISO 27001) do NOT apply to Luma Labs' Dream Machine.
- UNDEFINED ENCRYPTION STANDARDS: DPA confirms encryption in transit and at rest but does not specify algorithms (AES-256, TLS 1.2+, key rotation, etc.). Enterprise customers should request detailed encryption specifications.
// At a glance
Pricing model
Freemium (free tier with limited credits) + subscription (individual: $30–$300/mo with usage-based credits; team/enterprise: contact sales)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Luma Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
lumalabs.ai