Trust Centre
Your data security is our priority
LuwaSuite is built with security at its core. We protect your sensitive employee and compliance data with enterprise-grade security measures and full GDPR compliance.
UK & EU Data Hosting
Your data never leaves the UK or EU. We use enterprise-grade data centres with physical security, redundant power, and 24/7 monitoring.
Primary Data Centre
United Kingdom
Backup Data Centre
European Union
Cloud Provider
Enterprise-grade infrastructure
Data Residency
UK/EU only – never transferred outside
Schrems II Compliant
With data hosted exclusively in the UK and EU, your data is protected under UK GDPR and the EU GDPR. We do not transfer personal data to third countries without appropriate safeguards.
Enterprise-Grade Security
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.3, the latest and most secure transport layer protocol.
Encryption at Rest
All stored data is encrypted using AES-256, the same standard used by banks and government agencies worldwide.
Secure Authentication
Industry-standard authentication with secure password hashing, optional two-factor authentication, and session management.
Role-Based Access
Granular permissions ensure users only see data relevant to their role. Admins, managers, and employees have appropriate access levels.
Platform Security Architecture
Defence-in-depth architecture with multiple layers of protection ensuring your data is secure at every level.
Multi-Tenant RLS Isolation
Every database query is enforced through Row-Level Security policies. Organisation data is cryptographically isolated — one tenant can never access another's records.
PII Masking in Audit Logs
Sensitive fields (NI numbers, passport numbers, bank details, salaries) are automatically redacted in audit trails, ensuring compliance with data minimisation principles.
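The following is an added illustration of field-level redaction in audit entries, not LuwaSuite's own code: the field names (ni_number, passport_number, bank_account, sort_code, salary) are assumed schema names, and the entry records which sensitive fields changed without storing their values.

```python
# Added example of PII masking for audit records; assumed field names, not a real schema.
SENSITIVE_FIELDS = {"ni_number", "passport_number", "bank_account", "sort_code", "salary"}
REDACTED = "[REDACTED]"


def redact_for_audit(value):
    """Return a copy of `value` with sensitive fields masked, walking nested dicts and lists."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if k in SENSITIVE_FIELDS and v is not None else redact_for_audit(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact_for_audit(v) for v in value]
    return value


def audit_event(action, actor, before, after):
    """Build an audit entry for an update.

    The entry keeps non-sensitive values so the trail stays useful, names every
    field that changed (so a salary change is still visible as an event), but never
    carries the sensitive values themselves.
    """
    changed = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
    return {
        "action": action,
        "actor": actor,
        "changed_fields": changed,
        "before": redact_for_audit(before),
        "after": redact_for_audit(after),
    }


if __name__ == "__main__":
    # Constructed sample record; values are invented for the demonstration.
    old = {"name": "A. Example", "salary": 41000, "bank": {"bank_account": "00000000"}}
    new = {"name": "A. Example", "salary": 43000, "bank": {"bank_account": "00000000"}}
    print(audit_event("update", "hr-admin", old, new))
```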
Immutable Audit Trail
All create, update, and delete operations are logged with 7-year GDPR retention. Audit records cannot be modified or deleted by any user, including administrators.
Brute-Force Protection
Accounts are automatically locked after 5 failed login attempts within 15 minutes. Suspicious login patterns, new countries, and off-hours access trigger real-time security alerts.
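As an added example of the lockout rule stated above (not code from LuwaSuite), the guard below counts failures in a sliding 15-minute window and locks after the fifth; the lockout duration itself is not stated on the page and is an assumption here.

```python
# Added example of a sliding-window brute-force guard; timestamps are epoch seconds.
MAX_FAILURES = 5            # from the page: 5 failed attempts ...
WINDOW_SECONDS = 15 * 60    # ... within 15 minutes
LOCKOUT_SECONDS = 15 * 60   # assumption: the page does not state how long the lock lasts


class LoginGuard:
    """Tracks failed logins per account and decides when to lock.

    The caller must check is_locked() before verifying a password; a locked
    account should be rejected without touching the password hash. Note that
    account lockout can be used to lock out a legitimate user, so alerting on
    repeated lockouts (as the page describes) matters as much as the lock itself.
    """

    def __init__(self):
        self._failures = {}      # user -> list of failure timestamps inside the window
        self._locked_until = {}  # user -> epoch seconds when the lock expires

    def is_locked(self, user, now):
        return now < self._locked_until.get(user, 0.0)

    def record_failure(self, user, now):
        """Record a failed attempt; return True if this attempt locked the account."""
        recent = [t for t in self._failures.get(user, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures.pop(user, None)   # counter restarts after the lock expires
            return True
        self._failures[user] = recent
        return False

    def record_success(self, user):
        """A successful login clears the failure counter."""
        self._failures.pop(user, None)
```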
How We Handle AI Data
Our AI-powered features are designed with privacy-first principles. Your data is processed securely, never stored, and never used for training.
Stateless Processing
AI features (AI Advisor, Mock Audit, Document Generation) process data in real-time and do not retain any input data after the response is returned.
No Model Training
Your organisation data is never used to train AI models. Inputs are processed ephemerally and discarded immediately after generating a response.
Encrypted Transmission
All AI requests are encrypted end-to-end using TLS 1.3. Data is transmitted securely to the inference endpoint and is not stored at any point along the way.
Zero Data Retention
AI processing has a strict zero-retention policy. No prompts, employee data, or compliance information is logged or cached by AI services.
AI-Powered Features & Data Handling
| Feature | Data Processed | Retention Policy |
|---|---|---|
| AI Compliance Advisor | Organisation compliance metrics | Stateless — no data retained after response |
| Mock Home Office Audit | Employee compliance scores | Ephemeral processing — discarded post-generation |
| AI Document Generation | Template fields + org details | Generated document stored; input discarded |
| AI Candidate Screening | CV text + job description | Score stored; raw input discarded immediately |
GDPR Compliance
LuwaSuite is fully compliant with the UK GDPR and EU GDPR. We respect data subject rights and maintain transparent data processing practices.
Right to Access
Request a copy of all personal data we hold about you at any time.
Right to Rectification
Request correction of any inaccurate personal data we hold.
Right to Erasure
Request deletion of your personal data, subject to legal retention requirements.
Right to Portability
Export your data in standard formats to transfer to another service.
Compliance Measures
Data Processing Agreement (DPA) available on request
Regular security audits and penetration testing
Employee security training and background checks
Incident response procedures and breach notification
Data minimisation and purpose limitation
Privacy by design and default
Regular backup and disaster recovery procedures
Vendor security assessments for third-party services
Data Processing Agreement
We provide a comprehensive Data Processing Agreement (DPA) that meets UK GDPR and EU GDPR requirements. The DPA includes Standard Contractual Clauses and details our security measures and obligations.
Security Incident Response
In the unlikely event of a security incident affecting your data, we commit to:
- Notify affected customers within 72 hours
- Provide full details of the incident and data affected
- Take immediate steps to contain and remediate
- Conduct post-incident review and implement improvements