Data Security

We take data security extremely seriously. A number of measures have been implemented to ensure the safety and security of your data.


Lunary is in the process of becoming certified as SOC 2 Type 1 compliant, following an external audit.


To support SOC 2 compliance, we have established numerous policies. All team members are required to review these policies and complete security training and background checks as part of their onboarding process.

The following policies are available for review upon request:

  • Acceptable Use Policy
  • Asset Management Policy
  • Backup Policy
  • Business Continuity Plan
  • Code of Conduct
  • Data Classification Policy
  • Data Deletion Policy
  • Data Protection Policy
  • Disaster Recovery Plan
  • Encryption Policy
  • Incident Response Plan
  • Information Security Policy
  • Password Policy
  • Physical Security Policy
  • Responsible Disclosure Policy
  • Risk Assessment Policy
  • Software Development Lifecycle Policy
  • System Access Control Policy
  • Vendor Management Policy
  • Vulnerability Management Policy

These policies are also pertinent to GDPR compliance (see below).


Customers can use Lunary in one of two ways:

  • Lunary Cloud
  • Self-hosting a Lunary instance

When using Lunary Cloud, Lunary acts as the Data Processor and the customer is the Data Controller. In this scenario, we have certain GDPR obligations to the customer's end users.

When self-hosting a Lunary instance, the customer is both the Data Processor and the Data Controller, as they are responsible for their instance. Since we do not have access to any user data in this case, we do not have specific GDPR obligations to the customer's end users.

Lunary's Obligations as a Data Processor

We have examined our architecture, data flows, and agreements to ensure that our platform is GDPR compliant. Lunary Cloud does not interact directly with our customers’ end users, nor does it automatically collect personal data. However, our customers may collect and send personal data to Lunary for processing.

Lunary does not require personally identifiable information or personal data to enable LLM observability.


Under the California Consumer Privacy Act (CCPA), Lunary serves as a Service Provider to Lunary Cloud customers only. This role is similar to the Processor role under GDPR. Our Privacy Policy includes a CCPA Addendum.

We equip all Lunary customers with the tools necessary to comply with their end users' requests under CCPA, including data deletion. We provide detailed guidance for our customers on how to use Lunary in a CCPA-compliant manner in our documentation.

We process data collected by our customers from end-users and enable them to understand usage metrics of their products. We do not access customer end-user data unless directed by a customer, and we never sell customer data to third parties. We do not have access to data collected by customers who self-host Lunary from their end-users, unless they grant us access to their instance.


By self-hosting Lunary on your own infrastructure, you maintain full control of your data, making it an ideal solution for LLM analytics in healthcare settings.

Since you retain full control, there is no need to sign a Business Associate Agreement with us.

Lunary Cloud is not suitable for HIPAA-compliant data collection.

Security Contact

Please reach out at for any security-related question.

Questions? We're here to help.