Compliance posture
Version 2026-05-24 · F1661 · Plain-English overview.
GDPR (EU)
- EU hosting (Oracle Frankfurt).
- Right to data portability (Art. 20): export endpoint /pro/data/export.
- Right to erasure (Art. 17): request via /pro/account; data is retained at most 30 days after the request.
- Data Processing Addendum: downloadable template.
- Lawful basis: contract performance (Art. 6(1)(b)); legitimate interest (Art. 6(1)(f)) for the security audit log.
CCPA (California)
- "Do Not Sell My Personal Information": we do not sell personal information. Requests: privacy@eliteaiempire.com.
- Right to know / delete: same endpoints as GDPR.
SOC 2 readiness (tracker)
- Encryption at rest (AES-256-GCM) ✓
- Encryption in transit (TLS 1.2+) ✓
- Audit log (hash-chained, tamper-evident) ✓
- RBAC: pending (arrives with Business-tier seats, Phase 6)
- Pen test: pending (NIS for Iskra, after the first enterprise lead)
- Type II report: pending (requires a ~12-month observation period)
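An added illustration of what "hash-chained" buys you in the audit log item above (example code written for this page, not Lumen-Pro's own implementation; the entry layout, the all-zero genesis hash and the sample events are assumptions): each entry carries the SHA-256 of the previous one, so editing, reordering or deleting an entry in the middle breaks verification. The last case is the caveat a reviewer should check for: truncating the newest entries leaves a valid prefix, so the head hash has to be anchored somewhere the log writer cannot change (signed, or published to external storage).

```python
import hashlib
import json
from typing import Any, Dict, List

# prev_hash of the first entry; a fixed convention assumed for this example.
GENESIS = "0" * 64

# Constructed sample events, not real Lumen-Pro log data.
SAMPLE_EVENTS = [
    {"actor": "alice", "action": "login", "ts": "2026-05-24T09:00:00Z"},
    {"actor": "alice", "action": "export", "ts": "2026-05-24T09:05:00Z"},
    {"actor": "bob", "action": "revoke_connector", "ts": "2026-05-24T09:10:00Z"},
]


def canonical(obj: Dict[str, Any]) -> bytes:
    """Deterministic JSON so the same entry always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: List[Dict[str, Any]], event: Dict[str, Any]) -> Dict[str, Any]:
    """Append an event, binding it to the hash of the previous entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "prev_hash": prev_hash, "event": event}
    entry = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
    log.append(entry)
    return entry


def verify_chain(log: List[Dict[str, Any]]) -> int:
    """Return -1 if the chain is intact, else the index of the first failing entry."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev_hash") != expected_prev:
            return i  # reordered, dropped or inserted entry
        body = {k: v for k, v in entry.items() if k != "hash"}
        if hashlib.sha256(canonical(body)).hexdigest() != entry.get("hash"):
            return i  # contents edited after the fact
        expected_prev = entry["hash"]
    return -1


def build_sample_log() -> List[Dict[str, Any]]:
    log: List[Dict[str, Any]] = []
    for ev in SAMPLE_EVENTS:
        append_entry(log, ev)
    return log


def copy_log(log: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return json.loads(json.dumps(log))


def tamper_edit(log: List[Dict[str, Any]]) -> int:
    """Edit a field in entry 1: its stored hash no longer matches."""
    t = copy_log(log)
    t[1]["event"]["actor"] = "mallory"
    return verify_chain(t)


def tamper_drop_middle(log: List[Dict[str, Any]]) -> int:
    """Delete entry 1: entry 2 slides to index 1 with the wrong seq and prev_hash."""
    t = copy_log(log)
    del t[1]
    return verify_chain(t)


def tamper_truncate(log: List[Dict[str, Any]]) -> int:
    """Delete the newest entry: the remaining prefix still verifies (chain alone can't see this)."""
    t = copy_log(log)
    del t[-1]
    return verify_chain(t)


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    print("edited entry fails at index:", tamper_edit(log))
    print("dropped middle entry fails at index:", tamper_drop_middle(log))
    print("truncation fails at index:", tamper_truncate(log), "(undetected: anchor the head hash)")
```

To make truncation detectable, periodically record the latest entry's hash outside the writer's reach (a signed checkpoint or an external timestamp) and compare it against the chain head during verification.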
HIPAA
Not HIPAA-compliant by default. Do NOT route PHI through Lumen-Pro. An enterprise BAA is available on request once a SOC 2 Type I report is in place.
OAuth scope minimization
Every connector requests the smallest scope that still works (mostly read-only). Scopes are shown in plain English at /pro/connections, and you can revoke each vendor's access with one click.
Agent transparency
Every agent decision (fire or skip) is logged with its reason and confidence at /pro/runs. Decisions are explicitly tagged as non-deterministic. A new flow runs in review mode for its first 10 runs: the flow always fires, and the agent's decision is recorded for your review rather than enforced.
Last updated: 2026-05-24.