// Trust & Security Report
Lumen5 Technologies Ltd.
AI video creation SaaS: turns blogs, articles, PDFs, and bullet points into marketing/social videos via drag-and-drop editor, AI script writing, AI voiceover, and clip-making tools. Self-serve web app for individuals/SMBs plus a separate 'Lumen5 for Enterprise' tier (brand-controlled templates, Creative Services, SSO, dedicated Customer Success).
Certifications held
2
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on help.lumen5.com“"Lumen5 is compliant with the GDPR" and the company applies its Privacy Policy universally across jurisdictions to the extent legally permissible; data subjects can "access, inspect, update and remove your personal information" via a dedicated GDPR contact.”
Verify on lumen5.com“Trust Center lists a downloadable 'CCPA Compliance' document under Privacy & Data Handling. This is a self-declared compliance posture document, not a third-party certification.”
> Show 6 unconfirmed / not-held certifications
source: lumen5.comLumen5's own Trust Center 'Audits & Reports' section lists exactly three downloadable items: 'Lumen5 Security Report', 'Penetration Test Report (2025)', and 'GCP SOC 2 Report — SOC 2 report for Google Cloud Platform, Lumen5's hosting provider.' No Lumen5-issued SOC 2 report is listed alongside these, even though the FAQ on the same page poses the question 'Does Lumen5 have a SOC 2 or ISO 27001 certification?'. The only SOC 2 report the vendor makes available is explicitly attributed to its cloud host, not to Lumen5 itself.
source: lumen5.comNo ISO 27001 certificate or audit report is listed among the Trust Center's downloadable resources (Security Report, Pentest Report, GCP SOC 2 Report, and various internal policy documents only). No independent source confirms an ISO 27001 certificate issued to Lumen5.
source: lumen5.comNo mention of HIPAA, Business Associate Agreements, or healthcare-specific safeguards found on the Trust Center, privacy policy, or help center. No public evidence Lumen5 supports HIPAA-covered use cases.
source: lumen5.comNo public evidence. Trust Center lists an 'AI Policy' document under Security Policies, but this is an internal policy document, not a certification, and no ISO 42001 certificate is referenced anywhere on the vendor's site.
source: lumen5.comNo public evidence of CSA STAR registration or certification on Lumen5's own domain.
source: lumen5.comNo public evidence Lumen5 itself holds PCI DSS certification; likely out of scope as payment processing is typically handled by a third-party billing processor rather than Lumen5 directly, though this was not independently confirmed.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Not explicitly disclosed on vendor pages reviewed; hosting infrastructure runs on Google Cloud Platform (GCP), per the Trust Center's own description of the 'GCP SOC 2 Report' as covering 'Lumen5's hosting provider'.
No explicit public statement found confirming or denying whether customer content (video scripts, uploaded assets, brand data) is used to train Lumen5's AI models. The Trust Center lists a downloadable 'AI Policy' document under Security Policies, but its contents were not accessible without an account/download. Lumen5 does not have a standard DPA template of its own ('Lumen5 does not have a DPA to send out, but we're happy to sign off on yours') but will execute a customer-supplied DPA on request, which functionally provides DPA coverage for enterprise customers.
// Security controls
Multi-factor authentication
Two-Factor Authentication (2FA) is an optional feature enabled from account settings for individual users; Enterprise admins can make it mandatory for all team members.
help.lumen5.comSingle sign-on
SSO via SAML available for Enterprise teams only, supporting both IdP-initiated and SP-initiated login. SCIM and OIDC are explicitly NOT supported. Requires signed SAML assertions/responses and a public key; contact required via account manager.
help.lumen5.comEncryption in transit / at rest
Not independently verified. The Trust Center FAQ poses the question 'Does Lumen5 provide encryption for both data in transit and data at rest?' but the answer text is rendered client-side on click and could not be retrieved via automated tools after repeated attempts.
lumen5.comPenetration testing
Third-party penetration test performed; 'Penetration Test Report (2025)' is available for download from the Trust Center.
lumen5.comCloud hosting
Google Cloud Platform (GCP) is Lumen5's hosting provider, per the Trust Center's own description of the GCP SOC 2 report.
lumen5.comGovernance documentation
Trust Center offers downloadable Information Security Policies, Incident Response Policy, Disaster Recovery and Business Continuity plan, Risk Assessment Policy, Secure Development Policy, Change Management Policy, Third Party Management Policy, Logging Policy, Password Policy, and Device Security Policy. Contents not independently reviewed (download-gated).
lumen5.com// Products & data scope
data: Uploaded source content (blogs, PDFs, bullet points), brand assets, generated video output
Free and paid individual/small-team plans; optional 2FA; no SSO.
data: Same content types plus team workspace data, brand template configurations, SAML SSO identity attributes (first name, last name, email)
Adds SAML SSO, admin-enforced 2FA, branded templates, dedicated Creative Services and Customer Success support. This is the tier most likely to have compliance requirements (SOC 2/ISO 27001 questions), yet the vendor's own Trust Center does not list a Lumen5-issued SOC 2 or ISO 27001 report.
// What to watch
- HOST-VS-VENDOR CERT AMBIGUITY: Lumen5's Trust Center explicitly offers a 'GCP SOC 2 Report' described as covering 'Google Cloud Platform, Lumen5's hosting provider' rather than Lumen5 itself. This is the textbook host-cert-not-vendor-cert case; AIFOXX must not credit Lumen5 with SOC 2 based on this document.
- The resource list strongly suggests the answer is 'no own SOC 2/ISO 27001, we rely on GCP's,' but the exact wording was not confirmed. A human reviewer with a real browser should open https://lumen5.com/trust/ and click that FAQ item to close this gap before publishing 'held: false' with full confidence.
- AI TRAINING POSTURE UNDISCLOSED: No public statement found on whether customer content is used to train Lumen5's AI/ML features. An 'AI Policy' document exists in the Trust Center but is access-gated.
- DPA IS COUNTERPARTY-SUPPLIED: Lumen5 does not offer its own DPA template ('we don't have a DPA to send out') and instead countersigns a customer's own template. This is functionally adequate for GDPR/CCPA purposes but should be listed as a caveat, not presented as a polished off-the-shelf DPA process.
// At a glance
Pricing model
Freemium + subscription tiers (self-serve plans) plus custom Enterprise contracts (demo/sales-assisted)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Lumen5 Technologies Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
lumen5.com