# LuminaPath Trust And Security

LuminaPath keeps the public site simple and scopes higher-accountability work directly.

## Website controls

- luminapath.ai serves over HTTPS
- response hardening includes a Content Security Policy, HSTS, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, X-Frame-Options, X-Content-Type-Options set to nosniff, a strict referrer policy, and a restrictive permissions policy
- optional analytics are off today
- contact happens by direct email instead of site forms

## Data handling on the site

- essential browser storage is used only to remember the privacy notice state on your device
- direct inquiries sent by email go to `hello@luminapath.ai`
- do not send secrets, credentials, or production data in a first note

## Trust principles for delivery work

- scope model context before automation
- keep source systems as the source of record where appropriate
- place human judgment where the cost of a bad action is high
- keep rollout narrow until the workflow earns wider automation

## Operating environments

- managed cloud where the workflow allows it
- private network boundaries where the workflow demands it
- customer-controlled environments when operational risk requires it

## Security contact path

- security questions, operating-environment questions, and site issue reports can be sent to `hello@luminapath.ai`
- a useful note names the workflow, environment, or issue that needs attention
