Security
Last updated: March 20, 2026
At LunaRabbit, we take the security of your data seriously. This page describes the security measures we implement to protect your information when you use our Services.
1. Data Encryption
In Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2/1.3. This includes AI chat messages, custom function requests, and document content sent for processing.
At Rest
Sensitive data stored on our servers is encrypted using AES-256-GCM. This includes authentication tokens and any cached session data. Database connections use encrypted channels.
2. Authentication and Access Control
- Password security: User passwords are hashed using industry-standard algorithms. We never store plaintext passwords.
- Session management: Authentication tokens expire after 24 hours, requiring re-authentication.
- Google Workspace: Requests from the Google Workspace integration are authenticated with an HMAC-SHA256 signature, which we verify using a timing-safe comparison and check for replay before the request is processed. We never see or store your Google password.
- Microsoft SSO: Microsoft authentication uses MSAL (Microsoft Authentication Library) with secure token exchange. We never see or store your Microsoft password.
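As an added illustration of the signature verification described for the Google Workspace sign-in above (example code written for this page, not LunaRabbit's own implementation), the following Python shows the three checks a verifier should perform and the order they belong in. The wire format, the 5-minute freshness window, the in-memory nonce cache and the constructed request are all assumptions; the page only states that HMAC-SHA256, a timing-safe comparison and replay protection are used.

```python
"""Added example (not LunaRabbit's code): verifying an HMAC-SHA256 request
signature with a constant-time comparison and replay protection.

Assumed wire format (hypothetical, not described on the page): the client
sends a Unix timestamp, a random nonce and the body, plus a hex HMAC over
"<timestamp>.<nonce>." + body. Client and server share the secret.
"""
import hashlib
import hmac
import os
import time

MAX_SKEW_SECONDS = 300   # requests older or newer than 5 minutes are stale


def sign_request(secret, timestamp, nonce, body):
    """Client side: hex HMAC-SHA256 over timestamp, nonce and body."""
    message = f"{timestamp}.{nonce}.".encode() + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class ReplayCache:
    """Nonces seen within the freshness window. In production this would be a
    shared store (e.g. Redis with a TTL) so every backend instance sees it."""

    def __init__(self):
        self._seen = {}

    def check_and_add(self, nonce, now):
        # drop entries that could no longer pass the timestamp check anyway
        self._seen = {n: t for n, t in self._seen.items()
                      if now - t <= MAX_SKEW_SECONDS}
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


def verify_request(secret, timestamp, nonce, body, signature, cache, now=None):
    """Server side. Returns (accepted, reason). Order matters: cheap freshness
    check, then the MAC, then the nonce, so forged requests can neither fill
    the cache nor burn a nonce the legitimate client is about to use."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign_request(secret, timestamp, nonce, body)
    # compare_digest takes time independent of where the strings first differ,
    # so an attacker cannot recover the MAC byte by byte from response timing.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    if not cache.check_and_add(nonce, now):
        return False, "replayed nonce"
    return True, "ok"


def demo():
    """Constructed traffic: a good request, then a replay, a tampered body and a stale one."""
    secret = os.urandom(32)                      # shared secret, generated for the demo
    t0 = 1_700_000_000                           # fixed clock so results are deterministic
    body = b'{"action":"summarize","range":"A1:C20"}'
    nonce = os.urandom(16).hex()
    sig = sign_request(secret, t0, nonce, body)
    cache = ReplayCache()
    old = t0 - 3600
    return {
        "valid":    verify_request(secret, t0, nonce, body, sig, cache, now=t0 + 5),
        "replay":   verify_request(secret, t0, nonce, body, sig, cache, now=t0 + 10),
        "tampered": verify_request(secret, t0, nonce, body + b" ", sig, cache, now=t0 + 5),
        "stale":    verify_request(secret, old, nonce, body,
                                   sign_request(secret, old, nonce, body), cache, now=t0),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:9s} accepted={ok} ({reason})")
```

The replay cache only needs to remember nonces for as long as the timestamp window, which is why the freshness check comes first; without the window the cache would have to grow forever. The nonce is recorded only after the MAC verifies, so an unauthenticated client cannot pre-register nonces to lock out legitimate requests.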
3. AI Data Handling
This is how we handle your document data when processing AI requests:
- Document content: Your original document files are never uploaded or stored on our servers. Active document content (e.g., cell values, slide text) is sent only for AI processing. Conversations are held in server memory only during your active session and permanently deleted when the session ends. No original conversation data is stored on disk or in any persistent database. Only anonymized, non-identifiable usage patterns are retained for service improvement.
- No model training: Your data is never used to train AI models. We use commercial API agreements with our AI providers (OpenAI, Anthropic, Google) that explicitly prohibit the use of customer data for model training.
- Minimal data access: We only access the content of your active document that is necessary to fulfill your request. We do not access other files, closed documents, or unrelated data.
- Session isolation: Each user's AI session is isolated. Conversations and data from one user are never accessible to another user.
4. Infrastructure Security
- Network architecture: Our backend services run behind a reverse proxy with strict access controls. The backend application processes listen on localhost only, so they are reachable through the proxy and never directly from the internet.
- Rate limiting: We implement multi-layer rate limiting (IP-based and user-based) to prevent abuse and protect service availability.
- Input validation: All user inputs are validated and sanitized to prevent injection attacks, including SQL injection, XSS, and formula injection.
- SSRF protection: External URL requests are validated against allowlists to prevent server-side request forgery. The addresses a host resolves to are checked as well, so that IPv6 and IPv4-mapped IPv6 forms of internal addresses cannot be used to bypass the check.
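As an added example of the SSRF allowlist check described above (written for this page, not LunaRabbit's own code), the Python below validates an outbound URL end to end: scheme, embedded credentials, port, literal IP hosts, exact hostname allowlist, and then every A and AAAA record the host resolves to, unwrapping IPv4 addresses embedded in IPv6 before classifying them. The allowlisted hostnames, the port policy, the resolver interface and the DNS records used by the demo are all assumptions constructed for the example.

```python
"""Added example (not LunaRabbit's code): an SSRF guard for outbound URL fetches.

Hypothetical policy, not taken from the page: only http/https on ports 80/443,
hostnames must match an allowlist exactly, and every address the host resolves
to must be public after unwrapping IPv4 embedded in IPv6. DNS goes through an
injectable resolver so the demo runs offline on constructed records.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}  # assumed allowlist
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}                          # None = scheme default
CGNAT = ipaddress.IPv4Network("100.64.0.0/10")


def _embedded_ipv4(addr):
    """IPv4 carried inside an IPv6 address, or None: ::ffff:a.b.c.d (IPv4-mapped),
    2002:xxxx:xxxx:: (6to4), ::a.b.c.d (deprecated IPv4-compatible)."""
    embedded = addr.ipv4_mapped
    if embedded is None:
        embedded = addr.sixtofour
    if embedded is None and int(addr) < (1 << 32):
        embedded = ipaddress.IPv4Address(int(addr))   # also turns :: and ::1 into 0.0.0.x
    return embedded


def is_public_address(text):
    """True only for globally routable unicast. Mapped forms are judged by the
    IPv4 they carry, so ::ffff:127.0.0.1 is loopback, not a public IPv6."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address):
        embedded = _embedded_ipv4(addr)
        if embedded is not None:
            addr = embedded
    if isinstance(addr, ipaddress.IPv4Address) and addr in CGNAT:
        return False   # shared address space; older Pythons do not flag it as private
    return addr.is_global and not (addr.is_multicast or addr.is_reserved
                                   or addr.is_link_local or addr.is_loopback
                                   or addr.is_unspecified)


def resolve_all(host):
    """Default resolver: every A and AAAA record (performs a real DNS lookup)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_outbound_url(url, resolver=resolve_all):
    """Return (allowed, reason). Fails closed on anything unexpected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"        # http://api.example.com@evil/ trick
    host = parts.hostname                          # lowercased, [] stripped from IPv6
    if not host:
        return False, "no host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        ipaddress.ip_address(host)
        return False, "literal IP not allowed"    # incl. [::ffff:127.0.0.1], 169.254.169.254
    except ValueError:
        pass                                       # not an IP literal, continue
    if host.rstrip(".") not in ALLOWED_HOSTS:     # exact match, never suffix match
        return False, "host not in allowlist"
    addrs = resolver(host)
    if not addrs:
        return False, "unresolvable"
    for a in addrs:                                # one bad record anywhere fails the request
        if not is_public_address(a):
            return False, f"resolves to non-public address {a}"
    return True, "ok"


# Constructed DNS records for the demo; cdn.example.com has a poisoned AAAA that
# reaches 10.0.0.5 through an IPv6 prefix (the classic mapped-address bypass).
CONSTRUCTED_DNS = {
    "api.example.com": {"93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"},
    "cdn.example.com": {"93.184.216.34", "::ffff:10.0.0.5"},
}


def demo():
    fake_resolver = lambda host: CONSTRUCTED_DNS.get(host, set())
    urls = [
        "https://api.example.com/v1/summarize",
        "http://cdn.example.com/asset.png",
        "http://[::ffff:127.0.0.1]/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://api.example.com@evil.example.net/",
        "https://api.example.com.evil.example.net/",
        "file:///etc/passwd",
    ]
    return {u: check_outbound_url(u, resolver=fake_resolver)[1] for u in urls}


if __name__ == "__main__":
    for url, reason in demo().items():
        print(f"{reason:42s} {url}")
```

Two caveats a real fetcher needs beyond this check: connect to the address that was validated (or re-run the address check inside the HTTP client's connection hook) so a DNS answer cannot change between validation and connect, and re-validate every redirect hop, since an allowlisted host can still redirect to an internal address.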
5. Third-Party AI Providers
We use the following AI providers under commercial API agreements:
- OpenAI — Commercial API terms: customer data is not used for training
- Anthropic — Commercial API terms: customer data is not used for training
- Google (Vertex AI) — Enterprise API terms: customer data is not used for training
- Perplexity — Used for web search features: queries are processed under API terms
All providers process data under strict contractual obligations. For questions about data processing, contact privacy@lunarabbit.ai.
6. Incident Response
In the event of a security incident affecting your data:
- We will notify affected users via email within 72 hours of becoming aware of the breach
- We will provide details about what data was affected and what remediation steps are being taken
- We will report to relevant data protection authorities as required by applicable law (GDPR, CCPA)
7. Responsible Disclosure
If you discover a security vulnerability in our Services, we encourage responsible disclosure. Please report it to us so we can address it promptly:
- Email: security@lunarabbit.ai
We ask that you:
- Do not publicly disclose the vulnerability until we have had a reasonable time to address it
- Do not access or modify other users' data
- Provide sufficient detail for us to reproduce and fix the issue
We appreciate your help in keeping LunaRabbit secure for everyone.
8. Continuous Improvement
Security is an ongoing process. We regularly review and update our security practices, including:
- Code security reviews for every release
- Dependency vulnerability scanning
- Regular updates to encryption standards and authentication mechanisms
9. Contact Us
For security-related questions or concerns, contact us at:
- Security issues: security@lunarabbit.ai
- General privacy: privacy@lunarabbit.ai