LuxAI Security Overview

Version 1.0

1. Purpose and Commitment

At LuxAI, we are committed to safeguarding the security, privacy, and integrity of the data entrusted to us. This document outlines the key principles and safeguards we apply to protect our systems, services, and customer data.

We design our products, including QTrobot, tablet applications, and cloud-based services, with security and privacy as core priorities. Our practices align with the Center for Internet Security (CIS) Controls Version 8 and comply with data protection and student privacy laws in the U.S., UK, Canada, and EU, including, where applicable, FERPA, COPPA, PIPEDA, GDPR and UK GDPR. For more detailed legal and operational commitments, please refer to our Business Terms and Privacy Policy, which incorporate region-specific protections and public sector requirements.

Security is a shared responsibility. We aim to provide our customers with clear, transparent information about how we protect data and support safe use of our technologies.

2. Security Governance

LuxAI maintains a structured information security program overseen by senior leadership and integrated across all departments. Security is embedded into our operations, from development and deployment to administration and support.

Our approach is built on the CIS Controls v8 framework, a globally recognized set of cybersecurity best practices, and is tailored to the specific risks and responsibilities associated with educational environments.

Internal policies, regular reviews, and technical controls ensure that our security posture remains effective, adaptive, and aligned with both operational goals and regulatory requirements.

3. Data Protection and Privacy

LuxAI applies layered technical and organizational safeguards to protect personal data across its systems and services. Our practices are aligned with the CIS Controls v8 framework and designed to meet or exceed data protection and student privacy laws in the U.S., UK, Canada, and EU, including, where applicable, FERPA, COPPA, PIPEDA, GDPR and UK GDPR.

Data Classification and Access Control

We classify all data based on sensitivity, regulatory requirements, and business need. Personally identifiable information (PII), including child, student and educator data, is treated as “Restricted” and is subject to heightened controls.

Access to sensitive data is governed by role-based access control (RBAC) and the principle of least privilege. All access is logged and regularly reviewed for compliance and anomaly detection.

Encryption and Secure Transmission

All sensitive data is encrypted both in transit and at rest. In transit, we use TLS 1.2 or later. For cloud data at rest, we rely on AES-256 encryption provided by Microsoft Azure infrastructure in every region where data is hosted.

Device-level encryption is enforced for laptops, tablets, and cloud storage platforms. Backup files are also encrypted and protected against unauthorized access.

Cloud Hosting and Data Residency

LuxAI stores and processes the most sensitive categories of Customer Data, including all data related to students and children, using secure cloud infrastructure provided by Microsoft Azure, as follows:

  • U.S.-based Customers – Data is hosted in the United States
  • U.K.-based Customers – Data is hosted in the United Kingdom
  • Canada-based Customers – Data is hosted in Canada
  • EU/EEA-based Customers – Data is hosted within the European Union, or in a jurisdiction recognized by the European Commission as providing adequate protection
  • Other international Customers – Data is hosted in one of the above regions, or in a jurisdiction explicitly specified in the applicable customer agreement, consistent with applicable data protection laws

Other types of Customer Data may be hosted using trusted third-party business platforms or infrastructure providers located outside the Customer’s jurisdiction, provided such hosting complies with applicable data protection and information security standards.

For more information on our hosting practices, please refer to our Privacy Policy at https://luxai.com/privacy-policy

Endpoint Protection and Data Lifecycle Management

All devices accessing sensitive systems are secured through mandatory screen locks, compliance monitoring, and malware protection.

Data retention is governed by regulatory and contractual requirements. We retain sensitive data only as long as necessary and ensure secure deletion at the end of its lifecycle using appropriate methods based on data type and sensitivity.

Monitoring and Platform Safeguards

We maintain centralized logging and monitoring of access to high-sensitivity data. Automated alerts are reviewed by technical staff to promptly identify and investigate any suspicious activity.

Platform-level safeguards, including Microsoft Data Loss Prevention (DLP) features, are configured to detect and restrict unauthorized data access or movement. Security configurations are reviewed periodically to confirm that high-risk areas remain covered.

Backup and Recovery

Critical systems and customer data are backed up using automated processes. Continuous and point-in-time backups support rapid recovery to a known-good state.

All backups are encrypted and stored in isolated environments to protect against ransomware and accidental deletion. Recovery procedures are tested regularly to validate integrity, timing, and operational readiness.

4. Infrastructure and Application Security

LuxAI implements layered security measures across its infrastructure, devices, networks, and software development processes. These safeguards are designed to ensure system integrity, prevent unauthorized access, and support secure service delivery.

Device and System Management

All corporate and development devices are centrally managed using modern compliance platforms. Security configurations—including disk encryption, automatic session locking, and firewall enforcement—are applied based on user roles. Only authorized software is permitted, and all assets are tracked throughout their lifecycle.

Endpoint and Threat Protection

Devices are protected with real-time anti-malware, behavioral threat detection, and application allowlisting. Lost or compromised devices can be remotely locked or wiped. Compliance status is continuously monitored to enforce security baselines.

Vulnerability and Patch Management

We conduct regular vulnerability scans informed by threat intelligence. Patches are prioritized based on severity and applied through automated or managed processes. Exceptions are documented and tracked until resolved.

Logging, Monitoring, and Alerting

Security logs are collected across systems and platforms. High-severity events trigger automated alerts, which are reviewed by technical staff and escalated as needed. Logs are retained securely in line with policy and regulatory expectations.

Secure Software Development

All software is developed through a controlled CI/CD pipeline with strict separation of environments. Code changes undergo automated scanning and manual review before deployment. Third-party components are vetted and tracked, and only authorized personnel may release production code. Developers are trained in secure coding and follow industry-standard practices.

5. Incident Response and Breach Notification

LuxAI maintains a formal incident response plan to manage cybersecurity events that could impact systems, data, or customer trust. Our process is designed to detect incidents promptly, assess impact, contain threats, and restore secure operations. Response efforts are coordinated across relevant teams, and roles are clearly defined to ensure timely and consistent actions.

Security alerts are generated from automated monitoring systems, user reports, and third-party service providers. All confirmed or suspected incidents are investigated, documented, and may undergo formal review to assess causes, response quality, and corrective actions.

Breach Notification Commitments

If LuxAI becomes aware of a confirmed or reasonably suspected incident involving unauthorized access to or disclosure of personal data, it will notify affected customers without undue delay, in accordance with applicable data protection laws.

For student data and other sensitive categories, LuxAI will notify affected customers within 72 hours of confirming unauthorized access or disclosure, or sooner if required by law. We also offer appropriate support to help customers meet their regulatory or contractual responsibilities.

6. Third-Party Risk Management

LuxAI relies on a select group of trusted third-party providers to support its infrastructure, operations, and service delivery. These include cloud platforms, IT vendors, logistics providers, and manufacturing partners. To manage associated risks, we follow a structured due diligence and oversight process.

All third-party services are evaluated for security, compliance, and operational reliability before engagement. Contracts include clear obligations around data protection, breach notification, confidentiality and access control. LuxAI maintains an up-to-date inventory of service providers and performs ongoing risk-based monitoring to ensure third-party security remains strong and consistent.

When a vendor relationship ends, access is revoked and data is securely removed in accordance with our offboarding procedures.

7. Security Awareness and Shared Responsibility

Security at LuxAI is a shared responsibility between our internal teams and our customers. While LuxAI is responsible for securing its infrastructure, applications, and data environment, our users are responsible for using the platform securely and protecting the data they access.

All employees at LuxAI receive structured security training during onboarding and annually thereafter. Training covers phishing prevention, secure data handling, regulatory compliance, and incident reporting. It is tailored to each role and updated regularly based on emerging threats and internal insights.

Customer and Institutional User Responsibilities

Administrators, educators, and other authorized users play a vital role in maintaining security. To support this, LuxAI encourages users to:

  • Keep login credentials secure and do not share passwords with others
  • Limit data access and sharing to what is strictly necessary
  • Secure any personal or institutional devices used to access LuxAI services
  • Promptly report any suspected data exposure or unauthorized access

To facilitate responsible usage, LuxAI provides in-product safeguards, role-based access controls, and guidance through our platform and support channels.

8. Compliance and Ongoing Improvement

LuxAI is committed to maintaining a high standard of information security in line with internationally recognized frameworks and applicable legal requirements. Our security program is structured around the CIS Controls v8 and is aligned with data protection and student privacy laws in the U.S., UK, Canada, and EU, including, where applicable, FERPA, COPPA, PIPEDA, GDPR and UK GDPR.

We regularly review and update our security policies, technical safeguards, and operational procedures to reflect evolving threats, emerging technologies, and new regulatory obligations. Internal reviews, lessons learned from incidents, and customer feedback all contribute to our continuous improvement process.

By maintaining this commitment, LuxAI ensures that security remains a foundational element of our mission to deliver safe, effective, and trusted solutions to the educational communities we serve.

As part of our ongoing commitment to security assurance, LuxAI is currently pursuing a SOC 2 attestation, with the audit expected by the end of 2025.

9. Business Continuity and Operational Resilience

LuxAI maintains business continuity capabilities aligned with CIS Controls and industry best practices. Our services are hosted in Microsoft Azure with regional redundancy and high availability configurations to reduce service disruption risks.

We use a backup strategy that includes geographically isolated backups and annual recovery testing to ensure rapid restoration of critical data and systems.

Our internal Business Continuity and Disaster Recovery plans include defined roles, escalation procedures, and recovery time objectives (RTOs) to support continued service delivery in case of disruption.

10. Contact and Additional Information

We welcome inquiries from customers, partners, and institutions regarding our security practices. For questions, support, or to request additional documentation, please contact us at [email protected].

LuxAI is committed to transparency, collaboration, and continuous improvement in how we protect the individuals and organizations we serve.