Security
Last updated: May 26, 2026
At LunaRabbit, we take the security of your data seriously. This page describes the security measures we implement to protect your information when you use our Services.
1. Data Encryption
In Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2/1.3. This includes AI chat messages, custom function requests, and document content sent for processing.
At Rest
Sensitive data stored on our servers is encrypted using AES-256-GCM. This includes authentication tokens and any cached session data. Database connections use encrypted channels.
2. Authentication and Access Control
- Password security: User passwords are hashed using industry-standard algorithms. We never store plaintext passwords.
- Session management: Authentication tokens are valid for up to 24 hours; expired sessions require re-authentication.
- Google Workspace™ / Microsoft SSO: When signing in from Google Workspace™ or Microsoft 365™, we use cryptographic signature verification (HMAC-SHA256) with timing-safe comparison and replay protection. The Microsoft flow uses MSAL. We never see or store your Google or Microsoft password.
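As an added illustration (not LunaRabbit's own code), the following Python sketch shows how the three pieces named above fit together: an HMAC-SHA256 signature, a timing-safe comparison, and replay protection based on a freshness window plus a nonce cache. The message layout, field names and five-minute skew window are assumptions.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed message format (not LunaRabbit's actual SSO wire format): the caller
# signs "<timestamp>.<nonce>.<body>" with a shared secret and sends all four fields.
MAX_SKEW_SECONDS = 300                  # timestamps outside +/- 5 minutes are rejected
_seen_nonces: Dict[str, float] = {}     # nonce -> expiry; use a shared store across servers


def sign(secret: bytes, timestamp: int, nonce: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over timestamp, nonce and body."""
    msg = b".".join([str(timestamp).encode(), nonce.encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, timestamp: int, nonce: str, body: bytes,
           signature: str, now: Optional[float] = None) -> bool:
    """True only if the signature is valid, fresh, and has not been seen before."""
    now = time.time() if now is None else now
    # 1. Freshness bounds the replay window and limits how long nonces must be kept.
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    # 2. compare_digest takes the same time regardless of where the first mismatch
    #    occurs, so the expected value cannot be learned byte by byte from latency.
    expected = sign(secret, timestamp, nonce, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False
    # 3. Nonces are recorded only after the signature checks out, so unsigned
    #    traffic cannot fill the cache and block legitimate requests.
    _expire_nonces(now)
    if nonce in _seen_nonces:
        return False
    # A nonce only needs remembering until its timestamp would fail the freshness check.
    _seen_nonces[nonce] = timestamp + MAX_SKEW_SECONDS
    return True


def _expire_nonces(now: float) -> None:
    """Forget nonces whose timestamps can no longer pass the freshness check."""
    for n in [n for n, expiry in _seen_nonces.items() if expiry < now]:
        del _seen_nonces[n]
```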
3. AI Data Handling
How we handle your data when processing AI requests across our Services:
LunaRabbit Office
- Document content: Your original document files are never uploaded or stored on our servers. Active document content (e.g., cell values, slide text) is sent only for AI processing. Office conversation history is stored to provide continuity across sessions and can be deleted at any time — see our Privacy Policy for retention details.
- Minimal data access: We only access the content of your active document that is necessary to fulfill your request. We do not access other files, closed documents, or unrelated data.
LunaRabbit Chat
- Conversation storage: Chat conversations are stored on our servers for up to 365 days from creation, after which they are automatically deleted. You can delete conversations at any time via Settings. See our Privacy Policy for full details.
- Account required: A LunaRabbit account is required to use Chat; we do not offer anonymous (non-logged-in) access.
Common Safeguards
- No third-party model training: We use commercial API agreements with our AI providers (OpenAI, Anthropic, Google, Together AI) that explicitly prohibit the use of customer data for model training. Any internal service-improvement use of pseudonymized data is strictly governed by our Privacy Policy.
- Session isolation: Each user's AI session is isolated. Conversations and data from one user are never accessible to another user.
4. Infrastructure Security
- Network architecture: Our backend services run behind a load balancer with strict network access controls. Production application servers are isolated within a private network and accept traffic only from the load balancer; direct external access is blocked at the network and security-group layer.
- Rate limiting: We implement multi-layer rate limiting (IP-based and user-based) to prevent abuse and protect service availability.
- Input validation: All user inputs are validated and sanitized to prevent injection attacks, including SQL injection, XSS, and formula injection.
- SSRF protection: External URL requests are validated against allowlists to prevent server-side request forgery, including IPv6 and IPv4-mapped-address bypass attempts.
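An added example (not LunaRabbit's code) of the allowlist check described above, written in Python: the host must match the allowlist exactly, and every address it resolves to must be public, with IPv4-mapped IPv6 forms such as ::ffff:10.0.0.5 unwrapped before the range check so they are judged as the IPv4 address they encode. The allowlist entries, the injected resolver, and the sample addresses are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit


def _resolve_all(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer, not just the first one."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_public(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.
    An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is unwrapped first, so
    ::ffff:127.0.0.1 is treated as 127.0.0.1, not as an unfamiliar IPv6 host."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def is_allowed_url(url: str, allowed_hosts: Iterable[str],
                   resolver: Callable[[str], List[str]] = _resolve_all) -> bool:
    """Allowlist-then-resolve check for an outbound URL."""
    try:
        parts = urlsplit(url)
    except ValueError:            # e.g. malformed bracketed IPv6 literal
        return False
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    host = parts.hostname.lower().rstrip(".")
    # Exact match only: no suffix matching, so "api.partner.example.evil.net" fails.
    if host not in {h.lower() for h in allowed_hosts}:
        return False
    # An allowlisted name can still resolve to an internal range (misconfiguration,
    # DNS rebinding), so every resolved address is checked as well.
    try:
        addrs = resolver(host)
    except (socket.gaierror, ValueError, KeyError):
        return False
    return bool(addrs) and all(_is_public(a) for a in addrs)
```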
5. Third-Party AI Providers
We use the following AI providers under commercial API agreements:
- OpenAI — Commercial API terms: customer data is not used for training
- Anthropic — Commercial API terms: customer data is not used for training
- Google (Vertex AI) — Enterprise API terms: customer data is not used for training
- Together AI — Commercial API terms: customer data is not used for training (Zero Data Retention available)
All providers process data under strict contractual obligations. No provider uses your data for model training. For questions about data processing, contact [email protected].
6. Incident Response
In the event of a security incident affecting your data:
- We will notify affected users via email within 72 hours of becoming aware of the breach
- We will provide details about what data was affected and what remediation steps are being taken
- We will report to relevant data protection authorities as required by applicable law (such as the US CCPA and Korea's PIPA)
7. Responsible Disclosure
If you discover a security vulnerability in our Services, we encourage responsible disclosure. Please report it to us so we can address it promptly:
- Email: [email protected]
We ask that you:
- Do not publicly disclose the vulnerability until we have had a reasonable time to address it
- Do not access or modify other users' data
- Provide sufficient detail for us to reproduce and fix the issue
We appreciate your help in keeping LunaRabbit secure for everyone.
8. Product-Specific Security
LunaRabbit Chat
- All conversations are transmitted over HTTPS (TLS 1.2/1.3).
- Conversations are stored with AWS RDS encryption at rest (KMS-managed keys).
- A LunaRabbit account is required to use Chat; anonymous (non-logged-in) access is not offered.
- Rate limiting: IP-based and credit-based limits to prevent abuse.
- Input sanitization: All user inputs are sanitized before processing (NFKC normalization, zero-width character removal, length caps).
- Tool access control: Backend tier verification prevents unauthorized tool usage regardless of frontend manipulation.
- AI output safety: Content moderation via provider filters (OpenAI, Anthropic built-in safety).
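An added Python example (not LunaRabbit's implementation) of the input sanitization steps listed above, NFKC normalization, zero-width character removal and a length cap, in the order that makes them compose correctly. The set of zero-width characters and the length limit are assumptions.

```python
import unicodedata

# Invisible format characters that can split a token without changing how text renders.
ZERO_WIDTH = {
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER (also used inside emoji sequences, which this splits)
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE / byte order mark
}
MAX_LEN = 4000  # assumed cap for the example, not LunaRabbit's actual limit


def count_invisible(text: str) -> int:
    """How many zero-width characters the raw input contained (useful for logging)."""
    return sum(1 for ch in text if ch in ZERO_WIDTH)


def sanitize(text: str, max_len: int = MAX_LEN) -> str:
    # 1. NFKC folds compatibility forms (fullwidth letters, ligatures, superscripts)
    #    into their canonical equivalents, so a rule written for "select" also
    #    matches "ｓｅｌｅｃｔ".
    text = unicodedata.normalize("NFKC", text)
    # 2. Drop the invisible characters after normalization, since NFKC itself does
    #    not remove them.
    text = "".join(ch for ch in text if ch not in ZERO_WIDTH)
    # 3. Cap length last: NFKC can expand text (e.g. "ﬃ" becomes "ffi"), so a cap
    #    applied before normalization would not bound what reaches the model.
    return text[:max_len]
```

Truncating by code point can cut a combining mark off its base character; if that matters for your inputs, truncate on grapheme boundaries instead.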
9. Continuous Improvement
Security is an ongoing process. We regularly review and update our security practices, including:
- Code security reviews for every release
- Dependency vulnerability scanning
- Regular updates to encryption standards and authentication mechanisms
10. Contact Us
For security-related questions or concerns, contact us at:
- Security issues: [email protected]
- General privacy: [email protected]