> ## Documentation Index
> Fetch the complete documentation index at: https://docs.luumen.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Credential security

> Where your credentials live, how they're encrypted at rest and in transit, and how LuumenAI uses them — backed by SOC 2 Type 2, ISO 27001, and CSA STAR certifications.

Luumen connects to your hosts using credentials you provide — usernames, passwords, and SSH keys. We know that asking you to store those credentials in someone else's cloud is a serious ask, especially for infrastructure professionals who treat credential hygiene as part of their daily work. This page explains how those credentials are stored, protected, and used.

## Where credentials live

Credentials you add to Luumen are stored in Luumen's cloud infrastructure. They are not stored on your local machine — this is what makes them available across your devices and shareable with teammates on workspace-scoped credentials.

## How credentials are protected

A few of the safeguards in place:

* **Encrypted at rest.** Credentials are encrypted before they're written to storage. They are never stored in plaintext.
* **Encrypted in transit.** All communication between your Luumen client and our servers uses TLS, and credential data is encrypted end-to-end.
* **Used only when you act.** Credentials are decrypted only when you initiate a connection or scan, and they remain in memory only as long as needed to complete the action.
* **Audited access.** Internal access to systems handling credential data is restricted and logged.
* **Independently verified.** Luumen is SOC 2 Type 2 attested, ISO 27001 certified, and CSA STAR certified. These third-party audits cover how we handle sensitive data — including credentials. See [luumen.ai/security](https://www.luumen.ai/security/) for more.

## How credentials are used

A few things to know about how credentials are used:

* **LuumenAI does not bypass your authentication.** When LuumenAI runs a command on a host, it does so over the same connection you established with your credentials — using your permissions, not its own. Every command requires your explicit approval.
* **You can delete credentials at any time.** Deleted credentials are removed from your workspace immediately and are not retained beyond what's required by our backup and retention policies.
* **Credentials are scoped where you put them.** Personal credentials are visible only to you. Workspace credentials are visible only to members of that workspace.

## Questions

* For technical details on our security architecture, see [luumen.ai/security](https://www.luumen.ai/security/).
* For details on how we handle and retain customer data, see [luumen.ai/privacy](https://www.luumen.ai/privacy/).
* If you're a security researcher or have a specific concern, contact us at [security@luumen.ai](mailto:security@luumen.ai).

## Related pages

<CardGroup cols={2}>
  <Card title="Managing credentials" icon="key" href="/guides/managing-credentials">
    Add, test, edit, and delete the credentials used to connect to your hosts.
  </Card>

  <Card title="Set up SSH keys" icon="lock" href="/guides/set-up-ssh-keys">
    Generate an SSH key, add it to your hosts, and import it into Luumen.
  </Card>
</CardGroup>
