// Trust & Security Report

    Luma Labs, Inc. logo

    Luma Labs, Inc.

    Luma creative AI agents platform (formerly Dream Machine) — text-to-video, image generation, and multimodal reasoning for creative teams. Includes Ray video models, video editing, image generation, and team collaboration features. Offered in individual (Plus/Pro/Ultra) and team/enterprise tiers.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR Compliance
    HELD

    Privacy policy states: 'If you are located in the European Economic Area or the United Kingdom, we only process your personal information when we have a valid "legal basis"' and 'We may transfer personal information from the EEA or the UK to the United States and other third countries based on European Commission-approved or UK Government-approved Standard Contractual Clauses.' The DPA states: 'By signing this DPA, Company and Customer conclude Module 2 (controller-to-processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs' and incorporates the UK Addendum. The DPA applies to the GDPR, UK GDPR, Swiss Federal Data Protection Act, CCPA, and VCDPA.

    Verify on lumalabs.ai
    > Show 6 unconfirmed / not-held certifications
    SOC 2 Type 2
    NOT CONFIRMED

    No public SOC 2 audit report found on vendor domain. Nudge Security third-party profile claims SOC 2 compliance, but this is not backed by vendor-domain documentation. DPA states 'annual audits permitted' and enterprise materials note 'summary reports and certificates available to enterprise customers' but these are not publicly available.

    source: lumalabs.ai
    ISO 27001
    NOT CONFIRMED

    No public ISO 27001 certification found on vendor domain. Third-party claims exist (Nudge Security) but lack vendor-domain verification. Privacy policy and DPA do not reference ISO 27001.

    source: lumalabs.ai
    HIPAA
    NOT CONFIRMED

    Enterprise Terms of Service explicitly state: 'Luma has no liability for Prohibited Data or use of the Service for High Risk Activities.' Healthcare data (HIPAA-regulated) and special categories are excluded from coverage and protection. Product is explicitly not designed for healthcare data handling.

    source: lumalabs.ai
    PCI DSS
    NOT CONFIRMED

    No public PCI DSS compliance documentation found on vendor domain. While Luma handles payments via Stripe and Metronome (both PCI-compliant subprocessors), Luma Labs itself does not claim PCI compliance. No payment card data storage claimed.

    source: lumalabs.ai
    FedRAMP
    NOT CONFIRMED

    No public FedRAMP certification found on vendor domain. Third-party claims (Nudge Security) exist but lack vendor-domain verification. Luma does not market to US federal agencies or claim FedRAMP authorization.

    source: lumalabs.ai
    ISO 42001 (AI Governance)
    NOT CONFIRMED

    No public ISO/IEC 42001 certification found on vendor domain. While Luma Labs builds AI systems, they do not publicly claim ISO 42001 compliance.

    source: lumalabs.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    US-hosted. Privacy policy states: 'Our Services are hosted in the United States ("U.S.") and intended for visitors located within the U.S.' and that data 'may be transferred from the U.S. to other countries or regions in connection with storage and processing.' Subprocessors include AWS, Cloudflare, Microsoft Azure, Tensorwave, and Vercel (US/global). EU/UK customers' data is transferred to the US and other third countries under Standard Contractual Clauses; the DPA does not enumerate specific server locations.

    CRITICAL TIER DIFFERENCE: (1) Non-enterprise users: Luma obtains 'irrevocable, royalty-free, fully paid right and license to use, host, and store Input...to improve the Services and develop new products'. Free tier users grant Luma rights to 'publicly display, publicly perform, reproduce, modify, create derivative works of, and distribute Input' indefinitely. (2) Enterprise users: Explicit opt-out—'Luma will not train its artificial intelligence or machine learning models on Input or Output.' Enterprise Terms state no model training on customer inputs. Product INCLUDES usage metadata collection for non-enterprise users. All inputs incorporated into systems persist indefinitely for Luma's model development.

    // Security controls

    Encryption in Transit

    DPA states: 'encryption/tunneling of data sent via the Services between Customer and Company'

    lumalabs.ai

    Encryption at Rest

    DPA states: 'Encryption of Customer Personal Data at rest when under Company control'

    lumalabs.ai

    Authentication

    DPA mentions 'User identification and authentication procedures' with strong password requirements. Enterprise plan includes 'enterprise-grade SSO'

    lumalabs.ai

    Access Controls

    DPA: 'Internal policies, access logging' for data access. Enterprise plan includes 'access controls'

    lumalabs.ai

    Vulnerability Testing

    DPA states: 'Vulnerability scanning and penetration testing' are performed. Enterprise materials note 'third-party security firm performs annual penetration test' by certified firm (CREST, CERT-In empaneled)

    lumalabs.ai

    Data Retention / Deletion

    Privacy policy: 'We take measures to delete your personal information when no longer necessary.' Enterprise: 30 days to export after subscription termination, then Luma may delete

    lumalabs.ai

    Disaster Recovery & Backup

    DPA mentions: 'Backup procedures, RAID technology, UPS, disaster recovery plans'

    lumalabs.ai

    Physical Security

    DPA mentions AWS-provided: 'Security areas, ID readers, door locks, surveillance systems'. Luma's own facilities not detailed

    lumalabs.ai

    Subprocessor Oversight

    DPA: Subprocessors must be 'bound by a written agreement including data protection terms and security measures, no less protective.' The public subprocessors page currently lists 41 subprocessors, including AWS, Cloudflare, Azure, OpenAI, Groq, Hive AI, Tensorwave, Vercel, Stripe, and Metronome. Advance-notice and objection windows for new subprocessors are governed by the DPA

    lumalabs.ai

    // Products & data scope

    Luma (formerly Dream Machine) - Free TierText-to-Video & Image Generation

    data: User inputs used to train Luma models. Outputs available for free use but not commercial. No IP protection.

    Non-paying users grant Luma 'irrevocable, royalty-free' rights to inputs for model development. Free usage prohibited for commercial purposes. Content moderation via Groq, OpenAI, Hive AI.

    Luma - Paid Individual Plans (Plus/Pro/Ultra)Text-to-Video & Image Generation

    data: User inputs trained on by Luma. Outputs can be used commercially if subscription is active. Model training continues.

    $30–$300/month tiers with 10K–150K monthly credits. Content ownership of outputs retained but model training on inputs persists. Metadata (operations, file types) collected for service improvement.

    Luma - Team & Enterprise PlansText-to-Video & Image Generation with Collaboration

    data: Inputs NOT trained on. Customer content never used for model development. IP fully protected.

    Team: SSO, shared credits, team workspaces. Enterprise: dedicated support, custom fine-tuning, enterprise commitments. 30-day data export window post-subscription. Annual penetration testing. No training on inputs/outputs (opt-out fully honored).

    Luma APIText-to-Video & Image Generation API

    data: Governed by separate API Terms of Use

    API terms available but specific data training and IP policies not separately verified in this assessment

    // What to watch

    • OVER-CLAIM RISK: Nudge Security third-party profile claims SOC 2, ISO 27001, HIPAA, PCI, FedRAMP, and CSA STAR certifications for lumalabs.ai, but NO vendor-domain documentation (trust center, audit reports, public certifications) found to back these claims. Vendors sometimes inaccurately listed on third-party compliance dashboards. Recommend direct vendor contact for audit report verification.
    • NO PUBLIC TRUST CENTER: Unlike many enterprise SaaS vendors, Luma Labs does not maintain a publicly accessible trust center (trust.lumalabs.ai, security.lumalabs.ai, etc.). Certifications claimed to be 'available to enterprise customers' only — not publicly verifiable.
    • TIER-DEPENDENT DATA TRAINING POSTURE: Critical difference between tiers. Non-enterprise users' inputs ARE trained on (irrevocable license). Enterprise users' inputs explicitly NOT trained on. This is a material distinction for procurement and data residency analysis. Must be clearly disclosed to non-enterprise buyers.
    • HEALTHCARE DATA EXCLUSION: Enterprise Terms explicitly exclude healthcare data (HIPAA) from coverage. Product is NOT designed for healthcare use cases. Any healthcare org considering Luma must understand this liability limitation.
    • DATA REGION: Privacy policy states services are hosted in the United States ('Our Services are hosted in the United States'). However, the DPA does not enumerate specific server/data-center locations, and processing may extend to other countries via global subprocessors (AWS, Cloudflare, Azure). EU/UK data reaches the US and other third countries under SCCs. EU public-sector or data-residency-critical orgs should confirm exact processing locations directly.
    • SUBPROCESSOR VOLATILITY: 41 active subprocessors (per the public subprocessors page) including third-party AI vendors (OpenAI, Groq, Hive AI) for content moderation. Advance-notice and objection windows for new subprocessors are set by the DPA. Any customer with strict vendor-approval requirements should flag this.
    • IDENTITY CLARITY: Multiple 'Luma' companies exist (Luma Health, Luma Brighter Learning, Luma event platform, Luma Labs). Certifications held by other Luma entities (e.g., Luma Health's ISO 27001) do NOT apply to Luma Labs' Dream Machine.
    • UNDEFINED ENCRYPTION STANDARDS: DPA confirms encryption in transit and at rest but does not specify algorithms (AES-256, TLS 1.2+, key rotation, etc.). Enterprise customers should request detailed encryption specifications.

    // At a glance

    Pricing model

    Freemium (free tier with limited credits) + subscription (individual: $30–$300/mo with usage-based credits; team/enterprise: contact sales)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Luma Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    lumalabs.ai

    > Browse all vendor trust reports