DOC memo/evidence/v1.4REVIEWED 2026-04-29JURISDICTION EU · RO · FR IN PRODUCTION

EVIDENCE DOSSIER

For funders,
enterprises, and
regulators.

The full technical, security, and compliance picture for Luminaria Memo. What's true today, what's funded next, where the receipts live. Updated quarterly.

Download PDF dossier ← Back to product

§ 1 · PRODUCTION STATS

TRL 7–8

In production today, real users

1,800+

Backend tests, run on every commit

MCP tools live in Claude

100%

EU-resident infrastructure

§ 2 · TODAY VS. FUNDED

What's shipping today.
What funding builds.

Honest framing. We don't claim what isn't built. Every “funded” item below is in our funding pipeline, with a milestone date in the deck.

AREATODAY · IN PRODUCTIONFUNDED · POST GROWTH ROUND

Tenant isolationEnforced by CI lintHash-chained verification

Activity logAppend-only (CREATE only)Tamper-evident hash chain

Encryption at restAES-256, provider-managedCustomer-managed keys (BYOK)

Encryption in transitTLS 1.2+TLS 1.3 enforced, mTLS for MCP

EU residencyCompute, DB, auth, AI inferencePayment + email migration complete

GDPR Art. 17 (erasure)Honoured, audit-loggedCryptographic deletion proofs

Sub-processor transparencyDocumented internallyPublic register at /sub-processors, SCCs + DPA per processor

AI Act Article 12Append-only logs, EU residencyNotified body engagement, certified conformity

ISO 27001Aligned practicesType I → Type II audit, 12–18 mo

SOC 2—Type I post-funding, Type II year 2

Pen testingSelf-conducted, internalAnnual external, public summary

Bug bounty—Public programme on launch

Disaster recoverySnapshots, dailyCross-region failover, RPO < 15min

Uptime SLABest-effort99.9% Pro / 99.95% Enterprise, contractual

§ 3 · SUB-PROCESSOR REGISTER

Every processor.
Every jurisdiction.

GDPR Art. 28. Updated whenever the stack changes. Subscribe to register changes →

PROCESSORROLECOUNTRYPROCESSING REGIONCONTRACT

Clever CloudComputeFranceParisSCC + DPA

Mistral AIAI inference & embeddingsFranceParisSCC + DPA

Neo4j AuraGraph databaseSweden (HQ) / EU hostingGCP europe-west1, BelgiumSCC + DPA

SupabaseAuthUS (HQ) / EU hostingAWS eu-central-1, FrankfurtSCC + DPA

VercelFrontend (edge)US (HQ) / EU edgeEU edge nodesSCC + DPA

StripePayments (legacy)IrelandEUSCC + DPA · migrating to Mollie

MolliePayments (target)NetherlandsEUSCC + DPA · migration in progress

(Email provider TBD)Transactional emailEU onlyEU-resident provider, post-fundingNot yet integrated

§ 4 · COMPLIANCE ROADMAP

From Q3 2026
to certified.

Q3 2026

Funding secured · scale-up begins

Sub-processor migration to fully-EU stack. EU-resident transactional email provider integrated. ISO 27001 gap analysis kicks off. Public sub-processor register deployed at /sub-processors.

Q4 2026

Hash-chained audit log

Tamper-evident chain over append-only log. Public verification endpoint. AI Act Article 12 mapping document.

Q1 2027

ISO 27001 Type I

External audit. Statement of Applicability published. SOC 2 Type I prep begins.

Q3 2027

SOC 2 Type I

Trust services criteria audit. First enterprise contracts with full DPA + SCC pack.

Q4 2027

AI Act conformity (notified body)

Engagement with notified body for Article 12 conformity assessment. Pen test programme launches publicly.

Q2 2028

ISO 27001 Type II + SOC 2 Type II

Continuous monitoring audit. Bug bounty programme public. 99.95% uptime SLA contractual.

§ 5 · WHY MEMO, FOR FUNDERS

The three pillars,
in funder-speak.

IAudit

Trustworthiness pillar. The AI Act Article 12 obligation is real and dated (02 Aug 2026). Memo is one of the few EU-native solutions in production today addressing it.

IISustainability

Compute-efficiency pillar. Context reuse measurably reduces redundant inference. Reproducible benchmarking methodology in development for the EU sustainable-AI research community.

IIIPersonalisation

Use-case pillar. Graph-based context adapts without ML retraining — every persona gets context shaped by their own work, scaling beyond developers.

§ 6 · CONTACT

Talk to the
founder.

Direct line for funders, evaluators, due-diligence teams, and enterprise security reviewers. No filters, no gatekeepers.

FOUNDER

Doriana

Stellari Studio S.R.L. · Toplița, Romania

doriana@luminaria.so cal.com/luminaria

FOR DUE DILIGENCE

↳ DPA template↳ Sub-processor SCCs (signed)↳ Architecture diagram (PDF)↳ Codebase walkthrough (Loom)

For funders,enterprises, andregulators.

What's shipping today.What funding builds.

Every processor.Every jurisdiction.

From Q3 2026to certified.