Enterprise Security & Compliance

Security & Trust at Luminee

Protecting clinical research data with enterprise-grade security, qualified systems, and industry-leading compliance standards.

SOC 2
HIPAA
EU AI Act
CDASH/SDTM
SV-01-003-C
GDPR
ISO 27001
DPF
Luminee logoA product of Anju Clinical

Compliance & Certifications

Luminee maintains rigorous compliance standards to meet the demanding requirements of clinical research and life sciences organizations.

Active

SOC 2 Type II (via Azure)

via Microsoft Azure

Luminee is hosted on Microsoft Azure infrastructure, which holds a SOC 2 Type II attestation covering security, availability, and confidentiality of customer data. This attestation applies to Azure as Luminee's hosting provider.

Active

HIPAA Organizational Alignment

Luminee does not access, process, or store protected health information (PHI). Anju Clinical maintains HIPAA-aligned administrative, physical, and technical safeguards at the organizational level.

Active

EU Artificial Intelligence Act

Luminee is designed in alignment with the EU Artificial Intelligence Act requirements for AI systems used in clinical research contexts.

Active

CDASH & SDTM Standards

via CDISC

Luminee generates clinical trial designs conforming to CDISC CDASH and SDTM data standards for regulatory submissions.

Active

SV-01-003-C Software Qualification

via Anju Clinical

Luminee is qualified for production use under Anju's SV-01-003-C Software Development Life Cycle Procedure for clinical software products.

Active

GDPR

General Data Protection Regulation compliance for the handling of personal data of EU residents.

Active

ISO/IEC 27001:2013 (via Azure)

via Microsoft Azure

Luminee's hosting provider, Microsoft Azure, holds ISO/IEC 27001:2013 certification for its information security management system. This certification applies to Azure as Luminee's infrastructure provider.

Active

EU-U.S. & Swiss-U.S. Data Privacy Framework

Participation in the EU-U.S. and Swiss-U.S. Data Privacy Framework for lawful cross-border data transfers.

Security Architecture

Multi-layered security controls protecting every aspect of your clinical research data.

User Authentication

Authentication

Secure user authentication with admin-controlled provisioning and email-based verification workflows.

  • Admin approval workflow for new user provisioning
  • OTP-based email verification for account activation
  • Secure password reset token workflow
  • Session management with automatic expiration

API Authentication

Authentication

Secure token-based API authentication with automatic session expiration and server-side validation.

  • Token-based authentication for all API requests
  • Automatic session expiration with secure logout
  • Server-side token validation on every request
  • Session invalidation on logout

Password Security

Authentication

Passwords hashed using a modern memory-hard algorithm. Complexity and expiry policies enforced with lockout.

  • Passwords hashed and salted — never stored in plaintext
  • Minimum length and complexity enforced
  • Password history prevents reuse
  • Expiry policy with mandatory rotation

Bot Protection

Monitoring

Google reCAPTCHA v2 integration to prevent automated attacks on authentication endpoints.

  • Challenge-based verification to distinguish human vs. bot traffic
  • Applied to signup endpoint
  • Server-side verification for tamper resistance

Role-Based Access Control

Access Control

Granular access control with admin approval workflows ensuring only authorized users access the platform.

  • Admin and User role separation
  • Self-signup users automatically provisioned without approval workflow
  • Access start/end date enforcement
  • Monthly token usage limits per user
  • Real-time access revocation capabilities

Encryption & Data Protection

Encryption

End-to-end encryption for data in transit and at rest, leveraging Azure infrastructure security controls.

  • TLS/HTTPS enforcement for all communications
  • Encrypted database connections
  • Azure infrastructure-level encryption at rest
  • Security headers enforced (HSTS, content-type protection, clickjacking prevention)
  • CORS policy enforcement for cross-origin requests

Data Privacy

Comprehensive data protection practices ensuring the privacy and confidentiality of clinical research information.

GDPR Compliance

GDPR

Luminee processes Luminee user personal data in accordance with the General Data Protection Regulation. Luminee does not process clinical subject data.

  • Processing of personal data for defined purposes using contracts, legitimate interests with safeguards, explicit consent when required, or legal obligations
  • Data minimization and purpose limitation enforced
  • Data subject rights (access, rectification, erasure, portability) processes implemented
  • Retention periods defined by purpose; personal data deleted or anonymized when no longer needed or on contract termination
  • Data Protection Impact Assessments (DPIAs) conducted for high-risk processing
  • Records of Processing Activities (ROPA) maintained under Article 30
  • Data Protection Officers (DPOs) appointed
  • Annual GDPR data-protection training for personnel and Privacy by Design training for developers
  • Breach notification to controllers without undue delay, supporting the 72-hour regulator notification timeline
  • Data subject rights and privacy inquiries: privacy@anjusoftware.com

Data Privacy Framework

EU-U.S. & Swiss-U.S. DPF

Anju participates in the EU-U.S. and Swiss-U.S. Data Privacy Framework, providing a lawful mechanism for cross-border personal data transfers.

  • Self-certified under the Data Privacy Framework principles
  • Notice, Choice, and Accountability for Onward Transfer principles upheld
  • Independent recourse mechanism available for complaints
  • Subject to FTC enforcement jurisdiction

Data Residency

Azure Infrastructure

All customer data is hosted on Microsoft Azure infrastructure in the United States and Germany.

  • Azure hosting infrastructure holds ISO 27001 and SOC 2 attestations at the platform level
  • Azure supports GDPR compliance through contractual and technical safeguards, including Standard Contractual Clauses (SCCs) and a Data Processing Addendum
  • Data centers in the United States and Germany serving their respective regions
  • Physical security controls inherited from Azure facilities
  • Disaster recovery and business continuity procedures in place

Data Handling Practices

Internal Policy

Luminee implements strict data handling practices to ensure user data integrity and confidentiality. Luminee does not create, update, or store clinical trial data.

  • Structured logging with 30-day retention and daily rotation
  • Database-level encryption for sensitive fields
  • Audit trails for all data modifications
  • User access time-boxing with configurable start/end dates
  • Automated data cleanup and retention enforcement
  • Data Processing Agreements (DPAs) in place with all subprocessors
  • Customers notified in advance of new subprocessors via the Trust Center updates page, with a reasonable window to object

Subprocessors

Third-party services that process data on behalf of Luminee, each subject to our security and privacy requirements. Data Processing Agreements (DPAs) are in place with all subprocessors.

ProviderPurposeLocation
Microsoft AzureCloud hosting and infrastructureUnited States and Germany
SendGrid (Twilio)Transactional email deliveryUnited States
Google reCAPTCHABot protection and abuse preventionUnited States
TrialMaster TrialBuilderStudy build, setup, and testing integrationUnited States and Germany

System Validation

Our approach to ensuring the systems that support Luminee meet regulatory and quality standards.

GxP-Assessed Systems Are Appropriately Validated

Systems used in core activities and assessed as GxP have appropriate validation in accordance with Anju's system validation procedures. Luminee itself is a non-GxP system and is formally qualified under Anju's SV-01-003-C Software Development Life Cycle Procedure.

Qualification and validation activities include documented requirements, design controls, execution of test cases with full traceability to requirements, change control on production releases, and periodic review to ensure ongoing fitness for purpose.

Frequently Asked Questions

Common questions about Luminee's security, compliance, and data handling practices.

Anju Clinical adheres to GDPR requirements and participates in the EU-U.S. and Swiss-U.S. Data Privacy Framework. Luminee is designed in alignment with the EU Artificial Intelligence Act for AI systems in clinical research, and Anju maintains an Artificial Intelligence Policy along with annual GDPR, EU AI Act, and Responsible Use of AI workforce training. Luminee does not process protected health information; HIPAA-aligned organizational safeguards are maintained across Anju Clinical. Luminee is formally qualified under Anju's SV-01-003-C Software Development Life Cycle Procedure. Luminee is hosted on Microsoft Azure, which holds SOC 2 Type II and ISO/IEC 27001:2013 certifications at the platform level. For more details, see the Anju Privacy Policy at https://www.anjusoftware.com/privacy-policy.
Luminee uses secure email-based authentication with OTP verification. All API access is protected with server-validated session tokens and automatic expiration. Role-based access control separates admin and user permissions, with an admin approval workflow for new user provisioning. Passwords must meet complexity requirements and expire every 90 days.
Your user account information is hosted on Microsoft Azure infrastructure in the United States and Germany. Azure data centers hold ISO 27001 and SOC 2 attestations and support GDPR compliance through contractual and technical safeguards, including a Data Processing Addendum and Standard Contractual Clauses (SCCs). Luminee does not store clinical data or protocol information.
For Luminee user accounts, data subject rights including access, rectification, erasure, and data portability processes are implemented. Luminee does not process clinical subject data. Data Protection Impact Assessments (DPIAs) are conducted for high-risk processing activities, and Records of Processing Activities (ROPA) are maintained under Article 30. Data Protection Officers (DPOs) are appointed. Breach notification to controllers is provided without undue delay, supporting the 72-hour regulator notification timeline under GDPR Article 33. Requests can be submitted to privacy@anjusoftware.com.
Luminee does not access, process, or store protected health information (PHI) and is not a HIPAA-covered workload. Anju Clinical maintains HIPAA-aligned administrative, physical, and technical safeguards at the organizational level, with Business Associate Agreements in place with applicable subprocessors where required. Regular risk assessments and workforce training support ongoing organizational compliance.
All communications are encrypted via TLS/HTTPS. Database connections are encrypted in transit. Azure infrastructure provides encryption at rest for all stored data. Security headers including HSTS are enforced, along with input validation and CORS policies across all API endpoints.
Luminee is formally qualified under Anju's SV-01-003-C Software Development Life Cycle Procedure. Qualification testing executed 100% of the qualification protocol test cases, covering documented requirements with full traceability from requirements through implementation. Luminee itself is a non-GxP system, focused on the administrative effort involved in study build; it does not process or store clinical trial data and does not require FDA 21 CFR Part 11 validation. It integrates with TrialMaster EDC, which maintains its own separate validation for regulatory compliance.
Luminee uses Microsoft Azure for cloud hosting, SendGrid (Twilio) for transactional email, Google reCAPTCHA for bot protection, and integrates with TrialMaster's TrialBuilder module for study build and setup. Data Processing Agreements (DPAs) are in place with all subprocessors. A full list of subprocessors with their roles and data processing details is available in the Subprocessors section above.
If you discover a potential security vulnerability, please contact our security team at security@anjusoftware.com. We take all reports seriously and will respond within 48 hours to acknowledge receipt and begin investigation.
No. Luminee is focused on the administrative effort involved in study build, not clinical trial conduct. It does not process or store clinical trial data. Luminee allows users to perform actions in TrialMaster's TrialBuilder module, and all user requests are restricted based on the user's existing access permissions in TrialMaster. All data resides on Microsoft Azure infrastructure. Anju's company-wide data retention, privacy, and security policies apply to Luminee.
Luminee is hosted in separate data centers in the United States and Germany to serve their respective regions. For cross-border personal data transfers where required, Anju relies on the EU-U.S. and Swiss-U.S. Data Privacy Framework as its primary mechanism, with Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum used as supplementary safeguards as applicable.

Updates

Recent compliance milestones, security improvements, and audit activities.

April 12, 2026Audit

Compliance Content Review

Completed a compliance content review of the Trust Center, refining GDPR, EU AI Act, HIPAA, and subprocessor disclosures; clarifying SOC 2 and ISO 27001 attribution to Azure; and adding transfer-mechanism, training, and breach-notification detail.

February 28, 2026Feature

Trust Center Launch

Launched the Luminee Trust Center providing transparent access to our security posture, compliance certifications, and data handling practices.

February 14, 2026Audit

Jira Validation In Progress

Following expanded company-wide adoption, a comprehensive validation process for Jira has been initiated in accordance with our system validation procedures.

January 31, 2026Certification

EU AI Act Compliance Assessment

Completed risk classification and compliance assessment for Luminee under the EU Artificial Intelligence Act, confirming appropriate measures for AI systems used in clinical research.

January 9, 2026Certification

Data Privacy Framework Certification

Anju Clinical completed self-certification under the EU-U.S. and Swiss-U.S. Data Privacy Framework for lawful cross-border data transfers.

November 19, 2025Audit

Luminee Production Qualification

Completed qualification of Luminee under SV-01-003-C Software Development Life Cycle Procedure, executing 100% of the qualification protocol test cases covering documented requirements.

June 30, 2025Certification

Azure SOC 2 Type II Renewal

Microsoft Azure infrastructure successfully completed annual SOC 2 Type II audit renewal covering security, availability, and confidentiality.