LUNARI

We hold the ledger.
We hold the line.

Finance data is the most consequential data in a company. We treat it that way at every layer — from the encryption at rest to the segregation of duties enforced in code, to the tamper-evident vault that holds every piece of evidence.

Security written in policy is security you hope holds. Security written in code is security you can prove.

Security thesis · written on the wall
Six pillars · the posture

The controls beneath the ledger.

06 controls → 01 ledger
01
Attestation

SOC 2 Type II

Annual audit covering security, availability, and confidentiality. The current report is available under NDA — write to security@lunari.cloud.

02
Certification

ISO 27001

Information security management certified end-to-end across people, process, and infrastructure. Externally audited annually.

03
Encryption

AES-256 · TLS 1.3

At rest and in transit. Customer-managed keys (CMK) on the Constellation tier — your KMS, your rotation policy, your revocation.

04
Identity

SSO, SCIM, RBAC

SAML and OIDC for sign-on. SCIM for provisioning. Granular roles, segregation of duties, and approval matrices defined once across every suite.

05
Hosting

Regional residency

Multi-region cloud with EU, US, and UK residency. Written SLAs on availability, recovery point, and recovery time. Quarterly DR tests.

06
Evidence

Tamper-evident vault

Content-addressed storage with cryptographic hashing. Documents, approvals, and bank messages cannot be altered without detection — and the chain is queryable.

How we think about it

Three principles the posture follows.

Compliance is the floor. The principles below are how we decide what's above it — and why we sometimes make trade-offs that other vendors don't.

I

Finance data is consequential data.

We treat the ledger like the most sensitive system in the company — because for most companies it is. Same controls, same posture, same scrutiny.

II

Evidence cannot be edited.

Every document, approval, and bank message lands in a content-addressed vault. The hash travels with the journal. Tampering is provable, not preventable-by-policy.

III

Access is governed by code.

Segregation of duties, role boundaries, and approval thresholds are enforced by the platform — not by a quarterly access review someone runs in Excel.

Ready when you are

Need our security pack?

Email security@lunari.cloud and we'll send the SOC 2 report and ISO 27001 certificate under NDA.