Plans · Billing
Simple plans. Real value.
Start free. Upgrade when your auditor calls. Cancel anytime — your evidence is yours, exportable as JSON or Parquet.
Growth
Recommended
For scaling teams with multiple frameworks.
$159 per workspace / month · billed annually
Start 14-day trial
Compare
Every feature, side by side.
| | Starter $0 | Growth $159 / mo | Enterprise Custom |
|---|---|---|---|
| Frameworks | | | |
| SOC 2 Type II | ✓ | ✓ | ✓ |
| ISO 27001 | ✓ | ✓ | ✓ |
| HIPAA | — | ✓ | ✓ |
| PCI DSS | — | ✓ | ✓ |
| FedRAMP Moderate | — | — | ✓ |
| Custom frameworks | — | Up to 3 | Unlimited |
| Evidence | | | |
| Continuous integrations | 6 sources | 40+ sources | Unlimited |
| Audit log retention | 30 days | 1 year | 7 years |
| Audit log API | — | ✓ | ✓ |
| Webhook delivery | — | ✓ | ✓ |
| Identity | | | |
| Single sign-on (SSO) | — | ✓ | ✓ |
| SCIM provisioning | — | ✓ | ✓ |
| Just-in-time access | — | — | ✓ |
| Compliance team | | | |
| Auditor access seats | 1 read-only | 3 read-only | Unlimited |
| Dedicated CSM | — | — | ✓ |
| Quarterly business review | — | — | ✓ |
| Support & SLA | | | |
| Email support | Community | 8h response | 1h response |
| Uptime SLA | 99.9% | 99.95% | 99.99% |
| DPA + BAA | — | ✓ | ✓ |
| | Start free | Start 14-day trial | Contact sales |
Trust
We hold ourselves to the bar we sell.
Lumora is SOC 2 Type II audited and ISO 27001 certified. The reports are downloadable from your account once you sign. We sign DPAs and BAAs as standard.
SOC 2 Type II · ISO 27001 · HIPAA · GDPR · DPA + BAA
"We went from spending 3 weeks per quarter on SOC 2 evidence collection to 2 hours. Lumora pays for itself in the first audit."
Sam Chen
VP Engineering, Atlas Finance
FAQ
Common questions
Median time-to-first-evidence is 12 minutes. Connect your IdP and your cloud provider and Lumora maps the rest from your existing access policies. The first audit-ready set of controls populates within 24 hours.
Yes. Every plan includes custom controls. Growth caps at 3, Enterprise is unlimited. Custom controls are written in our typed DSL or in Rego — both are first-class, both run against the same evidence corpus.
BYOC self-hosting is available on Enterprise. We deploy a Lumora cluster into your AWS or GCP account with a one-command Terraform module. The evidence never leaves your tenant; we run a managed control plane.
99.9% on Starter, 99.95% on Growth, 99.99% on Enterprise. Enterprise customers get a named CSM, 1-hour P1 response, and SLA credits. Public status page at status.lumora.cloud.
Both, on Growth and above. Custom MSAs are standard for Enterprise. We're SOC 2 Type II audited (of course) and ISO 27001 certified. The reports are downloadable from your account once you sign.
You can export everything — controls, policies, evidence, audit log — as JSON or Parquet. We retain backups for 30 days post-termination and then permanently delete. We will not hold your data hostage.
Pick a plan. Or pick our brain.
14-day free trial on Growth · custom MSAs for Enterprise · live demo same-day.