Controls · Governance · AI Assurance
Security Programme
A plain-language description of the technical and organisational measures Lucevo applies to the platform, the safeguards used for AI-enabled workflows, and the materials available during customer security review.
Last Updated · 24 April 2026
LUC-SEC-001
§ 01 · SECURITY PRINCIPLES
Security principles
Lucevo is built around a simple principle: systems that handle operationally sensitive data should be secure by default, limited by design, and reviewable in practice. Security is not treated as a sales-layer promise. It is implemented through access control, encryption, monitoring, secure development, vendor oversight, and documented response processes.
For hospitality businesses, the risk is not only data loss. It is also workflow misuse, guest privacy failure, operational disruption, and poor visibility into automated systems. Lucevo is designed to reduce those risks through scoped access, auditability, and controlled AI use.
This page is a high-level summary only. Contractual commitments are defined in the applicable customer agreement and Data Processing Agreement.
§ 02 · SECURITY PROGRAMME
Security programme
Lucevo operates a documented security programme covering access control, secure configuration, logging and monitoring, incident response, business continuity, secure development, vendor management, and privacy obligations. The objective is not only to protect data at rest, but to maintain control over how systems are built, accessed, changed, and monitored over time.
The programme is designed to map cleanly onto the frameworks and review expectations commonly used by enterprise buyers, legal teams, and technical security reviewers. Supporting documentation is available as part of pre-contract review where appropriate.
- Role-based access controls for internal and customer-facing operations.
- Authenticated administrative access with multi-factor authentication and logged actions.
- Audit trails for operational and security-relevant events.
- Encrypted backups with documented restore procedures.
- Defined change control and release practices for production updates.
- Security review materials available for customers undergoing diligence.
§ 03 · AI PROCESSING
AI processing and model governance
Hospitality operators are right to ask whether connecting an AI-enabled platform to bookings, communications, and revenue workflows could expose sensitive data to public models. Lucevo’s position is straightforward: customer data is used to deliver the service, not to improve shared models.
Where language or reasoning models are used, they are used as controlled inference layers within the service. Lucevo aims to use provider configurations that support no-training processing where available, and those vendor relationships are addressed during customer review and in contractual documentation where applicable.
AI assurance also requires more than a no-training statement. Workflow permissions, access boundaries, logging, change control, and human review for sensitive use cases are all part of maintaining safe and accountable AI operations.
- Customer and guest data is not used to train shared or public AI models.
- AI vendors are selected and configured for privacy-preserving processing modes where supported.
- Sensitive workflows can be restricted by role, approval path, or deployment configuration.
- AI-supported actions and outputs can be logged for operational review and incident analysis.
- Material model or provider changes are reviewed before production rollout.
§ 04 · DATA PROTECTION
Data protection and legal commitments
Lucevo supports UK GDPR and EU GDPR obligations through its contractual and operational controls. Customers may review the applicable Data Processing Agreement, and transfer mechanisms are addressed where relevant to the deployment and customer geography.
The platform is designed to minimise unnecessary data exposure and to define processor responsibilities clearly. Privacy, retention, subprocessor use, and incident-notification commitments are handled through documented policies and customer-facing legal terms.
- UK GDPR / EU GDPR: Supported through contractual commitments, operational controls, and the applicable Data Processing Agreement.
- International transfers: Where relevant, transfer mechanisms such as the UK International Data Transfer Agreement or Standard Contractual Clauses are addressed in customer documentation.
- PCI DSS: Lucevo is designed to remain out of cardholder-data scope where possible. It does not position itself as the merchant’s payment processor, and payment flows remain with the customer’s certified processor.
- DPA availability: A Data Processing Agreement is available during customer review and contracting on request to [email protected].
§ 05 · COMPLIANCE AND CERTIFICATIONS
Compliance and certifications
Security pages are most credible when they distinguish clearly between what is achieved today, what is contractually supported, and what is still in progress. Lucevo follows that approach here.
- Framework alignment: Controls are operated against documented security and governance requirements designed to map to recognised assurance expectations and enterprise review criteria.
- Customer assurance: Customers undergoing diligence may request the current controls summary, subprocessor information, penetration test summary, and additional supporting materials under NDA where appropriate.
- External audit: Formal third-party audit engagements (such as SOC 2 or ISO/IEC 27001) are on the roadmap rather than in place today. We will publish the certification status here once an engagement is live.
§ 06 · SECURE DEVELOPMENT
Secure development
Security depends on how software is built as much as how it is hosted. Lucevo applies secure development practices intended to reduce risk before code reaches production, including controlled change management, review of infrastructure changes, and recurring security testing.
- Code is reviewed against documented secure development standards, with independent peer review expanding as the engineering team grows.
- Infrastructure changes are managed through documented and reviewable processes.
- Dependency, secret-scanning, and vulnerability checks are integrated into engineering workflows.
- Secure coding standards are reviewed internally and applied through engineering practice.
- Independent penetration testing will be conducted as part of our pre-production security readiness programme, and on a recurring basis once live customer processing begins.
§ 07 · MONITORING, RESPONSE, AND RECOVERY
Monitoring, response, and recovery
No security programme is credible without a defined way to detect issues, respond to them, recover safely, and communicate clearly with customers. Lucevo maintains documented incident and recovery procedures intended to support prompt containment, investigation, remediation, and customer communication.
Where customer data is affected, notification timing and response obligations are handled in line with applicable law and contractual commitments.
- Monitoring across infrastructure, application, and workflow layers, with alerts routed to the founding team and acknowledged within defined response windows.
- Documented incident handling with severity, escalation, and remediation paths.
- Material security incidents communicated to affected customers in line with the DPA and applicable law, with target notification timing aligned to UK GDPR Article 33 where relevant.
- Encrypted backups with documented restoration procedures appropriate to the deployment.
- Post-incident review used to improve controls, processes, and recovery readiness.
§ 08 · BUILT FOR OPERATIONALLY SENSITIVE HOSPITALITY WORKFLOWS
Built for operationally sensitive hospitality workflows
Lucevo is designed for hospitality and service environments where guest communications, staff workflows, booking activity, revenue recovery, and operational coordination may all intersect. That means the security model must protect not only stored records, but also live workflows, integrations, and AI-assisted actions.
The platform is therefore designed to support scoped integration access, controlled automation, auditable actions, and customer-specific configuration for higher-sensitivity use cases. This matters most where systems influence guest experience or revenue operations.
- Scoped permissions for connected systems and operational workflows.
- Separation between guest data, workflow metadata, and support activity where applicable.
- Controls for automations that affect communications, bookings, or revenue-related actions.
- Deployment-specific review for customers with stricter operational or privacy requirements.
§ 09 · AVAILABLE DOCUMENTATION
Available documentation
Customers and their security teams often need more than a public summary. Lucevo makes additional assurance materials available during review so technical, legal, and procurement stakeholders can evaluate the platform against their internal requirements.
- Publicly available: Security page · Privacy policy · DPA request path · Vulnerability reporting contact · Additional trust information as published.
- Available on review: Security overview or controls summary · Data Processing Agreement · Subprocessor information · Penetration test findings summary (available once initial assessment completed) · Additional architecture or assurance materials where appropriate under NDA.
§ 10 · COORDINATED VULNERABILITY DISCLOSURE
Coordinated vulnerability disclosure
Lucevo welcomes responsible disclosure of security issues. If you believe you have identified a vulnerability, please report it with sufficient detail to allow triage and validation — including affected assets, reproduction steps, impact, and any suggested remediation where available.
Please do not access, modify, or exfiltrate data that is not yours, and please do not perform testing that could degrade service or disrupt customer operations. Where research is conducted in good faith, within these boundaries, and reported responsibly, Lucevo aims to work constructively with researchers.
- Contact: [email protected]
- Please include: Reproduction steps, affected endpoints, and relevant supporting detail.
- Acknowledgement: Target within 48 hours for valid submissions.
§ 11 · QUESTIONS FROM YOUR SECURITY OR LEGAL TEAM
Questions from your security or legal team
Security reviews are part of how serious businesses buy software. If your technical, legal, or procurement team needs further detail, Lucevo can provide the relevant materials during diligence and walk through the architecture, controls, subprocessors, and contractual safeguards in context.
To begin a review, request security review materials, request a Data Processing Agreement, or open a formal audit conversation with a Lucevo partner.
End of Document · LUCEVO LTD · Company number 17136759 · Registered in England & Wales
Issued under authority · The Directors · LUCEVO LTD
Jurisdiction · England & Wales
Governing Law
Registrar · Companies House · No. 17136759
This page is a public summary of Lucevo’s technical and organisational measures. It is not a contractual commitment in itself. Contractual security obligations are defined in the applicable customer agreement and Data Processing Agreement, which take precedence over anything described here.