Security

How Lurion currently approaches authentication, company data separation, frontend secrets, uploads, and responsible disclosure.

Plain English

Practical trust information for pilot customers.

Lurion is early-stage software for organizing marketing, lead, sales, and reporting data. This page explains the current baseline in clear language.

Security approach

Lurion handles business data, lead records, customer contact details, service addresses, marketing spend, revenue, and reporting data. The security approach is to keep access scoped, use established providers where practical, and avoid collecting data that is not needed for reporting.

Lurion is early-stage and does not currently claim formal security certifications.

Authentication

Lurion uses Supabase Auth for authentication. Users sign in through the product, and protected app pages require an authenticated account before loading workspace data.

Users should protect their email accounts and sign-in access because account access can expose company workspace data.

Data separation

Product data is scoped by company or workspace. Lurion is designed so users see records tied to the company they belong to, such as leads, imports, goals, marketing spend, source mappings, and stage mappings.

Internal founder visibility is also limited by current access policies and does not use a service role in the frontend.

Row-level security

The product uses row-level security policies to help separate company data. These policies are intended to limit reads and writes to users who belong to the relevant company workspace.

RLS is one part of the security model. It should be reviewed and tested as Lurion moves from pilot use toward broader rollout.

Secrets and access

Secret keys should not be exposed in the frontend. Lurion frontend code should use public publishable keys only where required for browser-based Supabase access.

Service role keys and other secrets should remain server-side or in protected provider settings, not in committed code or public browser bundles.

Data uploads

CSV uploads should only include data needed for reporting. Typical fields may include lead IDs, lead dates, sources, status, customer contact details, service addresses, sold revenue, spend source, spend date, and spend amount.

Users should avoid uploading highly sensitive personal data that is not needed for marketing performance reporting.

Current limitations

Lurion is an early-stage product and does not currently claim SOC 2, HIPAA, GDPR, CCPA, or enterprise compliance certifications.

Security practices, policies, access controls, and operational procedures should be reviewed before formal customer rollout and as the product matures.

Responsible disclosure

If you discover a security concern, please contact Lurion with enough detail to understand and reproduce the issue. Do not access, copy, modify, or delete data that does not belong to you.

Lurion will review practical security reports and respond as appropriate for the early pilot stage.

Contact

Security questions or concerns can be sent to fcabrera96@icloud.com.

© 2026 Lurion. All rights reserved. Built for owner-led remodeling and home service companies.