Enterprise Grade

ARIA by Luminant Works Global Limited
Published by: Luminant Works Global Limited
Version: 1.0
Last Reviewed: April 2026
Contact: privacy@luminantglobal.com

ARIA is built for regulated enterprise environments. This page summarises the legal, privacy, and security controls that protect your data. For full detail, see the linked policies below.

Legal Compliance

Data Protection Rights

Users can export their data in structured, portable formats at any time. Account deletion triggers complete cascade removal across every data table, with a formal erasure record. Consent management is granular, timestamped, and honours the Global Privacy Control browser signal. ARIA does not make automated decisions with legal effect; all outputs are advisory.

Multi-Jurisdiction Coverage

ARIA's policies address the requirements of GDPR, UK Data Protection Act 2018, US state privacy laws (including CCPA/CPRA, TDPSA, VCDPA, and CPA), and India's Digital Personal Data Protection Act. International data transfers are governed by EU Standard Contractual Clauses, UK International Data Transfer Agreements, and the Data Privacy Framework.

Zero Commercial Exploitation of Client Data

We do not train AI models on your data. We do not sell or share data with advertisers. No third-party analytics, tracking pixels, or behavioural profiling tools are present in the platform. Our sub-processors are limited to AI inference, hosting infrastructure, and transactional email, each contractually bound to equivalent data protection standards.

Security Controls

Encryption

All data in transit is protected by TLS 1.2+ with a two-year HSTS policy. Database connections enforce SSL. Infrastructure storage uses AES-256 encryption at rest under SOC 2 Type II certification. Passwords are individually salted and hashed. MFA secrets are encrypted with AES-128 and authenticated with HMAC-SHA256. Uploaded documents are processed in memory and never written to persistent storage; only distilled summaries are retained.

Authentication

Sessions use HttpOnly, Secure, SameSite-Strict tokens that cannot be accessed by client-side scripts. Two-factor authentication is available for all users and mandatory for every administrator account, with no exceptions. Sessions are instantly revocable across all devices.

Data Isolation

Every database query is scoped to the authenticated user. No user can access another user's engagements, documents, or assessment data. This is enforced at the data layer, not just the application layer.

Opaque by Design

No entity identifiers, filenames, organisation names, or engagement details ever appear in URLs. Browser history, server access logs, and network traces reveal nothing about the business data being accessed. A network observer sees only that ARIA is being used, never what for or by whom.

Audit Trail

Every API request carries a unique correlation ID that traces through to AI agent calls. Authentication events, consent changes, data exports, and administrative actions are recorded with timestamps and metadata. Every AI decision is traceable: the model used, the evidence provided, and the reasoning context are logged for post-hoc audit.

Security Headers and Permissions

Content Security Policy, frame denial, content type enforcement, strict referrer policy, and explicit denial of camera, microphone, geolocation, and payment API access are enforced on every response.
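
A customer or assessor can check the header, HSTS, and session-cookie statements above against a live response. The following is an added example, not ARIA's or Luminant's own code; the concrete header names and values (X-Frame-Options: DENY or frame-ancestors 'none', nosniff, the set of "strict" Referrer-Policy values) are assumptions, since this page names the controls but not the exact headers, and the sample responses are constructed.

```python
import re

TWO_YEARS = 2 * 365 * 24 * 3600  # 63,072,000 s, the "two-year HSTS policy"
STRICT_REFERRER = {  # assumption: values treated here as a "strict" policy
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
COOKIE_FLAGS = {"httponly", "secure", "samesite=strict"}

def audit_response(headers, set_cookies):
    """Return findings for one response; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = re.search(r"max-age\s*=\s*(\d+)", h.get("strict-transport-security", ""), re.I)
    if not hsts or int(hsts.group(1)) < TWO_YEARS:
        findings.append("HSTS missing or max-age under two years")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    # Assumption: frame denial means X-Frame-Options: DENY or CSP frame-ancestors 'none'.
    if not (h.get("x-frame-options", "").upper() == "DENY" or "frame-ancestors 'none'" in csp.lower()):
        findings.append("framing not denied")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").lower() not in STRICT_REFERRER:
        findings.append("Referrer-Policy is not strict")
    policy = dict(p.strip().split("=", 1) for p in
                  h.get("permissions-policy", "").split(",") if "=" in p)
    for feature in ("camera", "microphone", "geolocation", "payment"):
        if policy.get(feature, "").strip() != "()":  # "()" is the empty allowlist
            findings.append(f"Permissions-Policy does not deny {feature}")
    for cookie in set_cookies:  # one raw Set-Cookie value per entry
        name, *attrs = (part.strip() for part in cookie.split(";"))
        missing = COOKIE_FLAGS - {a.lower() for a in attrs}
        if missing:
            findings.append(f"cookie {name.split('=')[0]} lacks {sorted(missing)}")
    return findings

# Constructed sample responses (not captured from ARIA).
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}
GOOD_COOKIES = ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"]
WEAK = {**GOOD, "Strict-Transport-Security": "max-age=31536000",
        "Permissions-Policy": "camera=(), microphone=()"}
WEAK_COOKIES = ["session=abc123; Path=/; HttpOnly; SameSite=Lax"]
print(audit_response(WEAK, WEAK_COOKIES))
```

Because the page states these headers are enforced on every response, the same check applies to error pages, redirects, and API responses, not only the login page.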

Responsible AI

AI model training on client data is contractually excluded and technically enforced with both providers. Input and output guardrails are applied to every AI interaction. Every generated report carries an AI-generated content disclaimer.

Certifications and Standards

ARIA's hosting infrastructure is SOC 2 Type II certified, with independent third-party validation of encryption, access, and operational controls. Luminant Works Global Limited's own ISO 27001 and SOC 2 certification programme is underway and will be announced on this page when complete. We believe in being precise about this distinction: infrastructure certification is in place today; company-level certification is in progress.

Further Reading

Document: What It Covers
Terms & Conditions: Service terms, permitted use, intellectual property, liability, and dispute resolution.
Privacy, Data Protection, Security & Compliance Policy: Full detail on data collection, processing, retention, user rights, cookies, international transfers, and incident response.
Sub-Processors: Complete list of third-party services that process data on our behalf, with purpose and jurisdiction.

For enterprise enquiries, Data Processing Agreements, or security questionnaire responses, contact privacy@luminantglobal.com.