How we keep your data safe
Last updated: 2026-04-30
NearSmarter inherits Luby Software's two decades of security practice, hardened to the standards demanded by Brazil's largest financial institutions. This page summarizes our certifications, controls and engagement model.
Certifications & frameworks
Our delivery centers and processes are aligned to the following internationally recognized security frameworks and data-protection regulations.
- ISO/IEC 27001:2022 — Information Security Management System
- PCI DSS — For payment-handling engagements
- HIPAA / HITECH — For healthcare engagements
- LGPD — Brazilian Data Protection Law
- GDPR — EU General Data Protection Regulation
Engineer onboarding & access
Every engineer is background-checked and signs an NDA before joining a client engagement.
Access is provisioned through your own identity provider wherever possible (Okta, Azure AD, now Microsoft Entra ID, Google Workspace or Auth0), so that offboarding on your side revokes our engineers' access. Just-in-time access and least privilege are the defaults.
Engineer workstations use full-disk encryption, are enrolled in MDM and can be remotely wiped.
Network & infrastructure
We operate on Zero Trust principles: no request is trusted implicitly because of where on the network it originates.
All client-facing traffic is encrypted in transit. Secrets are managed through HashiCorp Vault or your existing secrets manager and are never committed to repositories.
Vulnerability & incident response
- Quarterly internal penetration testing
- Continuous dependency and code scanning via Snyk and SonarQube
- Annual external penetration tests against our delivery infrastructure
Incidents are triaged within 1 hour. Escalation paths reach executive leadership, and post-mortems are shared with affected clients.
Subprocessor & vendor management
We maintain a current list of the subprocessors used to deliver our services. Material changes are communicated to active clients 30 days in advance.
Reporting a vulnerability
Found a security issue? Email security@luby.com.br with a detailed description, including the steps needed to reproduce it. We will acknowledge receipt within 1 business day and coordinate responsible disclosure with you.