As someone who doesn't know anything about SOC2 but is still aware that if I want to signal 'data privacy' I need to get it: I don't know what I'm supposed to do on your site.
Some sort of onboarding would help, like what my steps are from knowing nothing to actually getting the SOC2. Maybe some educational content or resources would also help.
asdxrfx 3 hours ago [-]
You are right. We will spend more time on creating educational content and resources. Thanks for the feedback, it's useful and will help us.
Oras 16 hours ago [-]
> As a startup ourselves, we faced the usual issues: long security questionnaires, confusing audit requirements, and expensive tools that felt overkill.
Is Lumoar SOC2 compliant?
asdxrfx 16 hours ago [-]
Thanks for asking! We’re not SOC 2 compliant yet, but we’re actively preparing for it. We recently launched our MVP, and ensuring strong security and compliance has been a key part of our roadmap from day one. We’re happy to share more about how we handle security today if that’s helpful!
Oras 15 hours ago [-]
My point was that compliance is about trust. If I want to go the SOC2 or ISO27001 route, I want a company that has done it before.
Free in your case is not free, it's pretty expensive. If I can't comply in time, that might mean losing potential business, being late to the market, etc.
Good luck though, you made the first step.
asdxrfx 15 hours ago [-]
We understand your concern, and we will focus more on this step for now. Thanks for the feedback. If you have anything else to say, we are glad to listen.
cadamsdotcom 12 hours ago [-]
The point about trust is important in another way too - it was a pleasant surprise you led with “we’re not compliant (yet), but..”
Tis a great way to engender trust in the team. Bravo for bravely answering honestly. Wishing you folks best of success.
edoceo 17 hours ago [-]
Having the policy doesn't preclude the audit or questionnaire requirement does it? This just puts the answers in one place?
The compliance pros still want all their ceremony - it's most of what they sell.
asdxrfx 17 hours ago [-]
Exactly, staying organized is half the battle. Our goal with Lumoar is to make that organization effortless from day one. We’re also working on future updates with AI agents and automation to make audits and questionnaires even less painful. More coming soon!
abrookewood 12 hours ago [-]
You can usually get out of questionnaires if you have multiple frameworks/certifications/attestations in place ... but even then some customers will insist on them
havefunbesafe 17 hours ago [-]
True, but having this makes the entire process easier. Organization is key to a speedy and clean audit.
kristel100 4 hours ago [-]
That’s a compelling niche. SOC 2 prep is a brutal rabbit hole for small teams. Even just a pre-flight checklist with integrations would be useful—curious how much automation they’re actually packing in.
asdxrfx 3 hours ago [-]
We do not currently have automation and integrations, but we are planning to add them later. Thanks for the feedback!
reconnecting 17 hours ago [-]
Before providing any legal-related services, it's better to ensure that your own affairs are in compliance. At least, have a clear terms of service page [1], which is currently not available.
Good day. We apologize for our mistake. We have now fixed the link on the page so it works correctly. Thanks for pointing it out.
reconnecting 17 hours ago [-]
IANAL, but it looks like very poor AI generated T&C.
asdxrfx 17 hours ago [-]
Appreciate you flagging this. The current Terms of Use was generated using a standard terms generator we integrated into our site, so it’s not AI-generated, but we agree it still needs improvement. We’re planning to have it reviewed and refined soon to better reflect our product and responsibilities. Thanks again for keeping us sharp.
reconnecting 16 hours ago [-]
Perhaps it's an acceptable approach for a very limited type of non-commercial website, but your organization claims to provide a platform for compliance management, and from this perspective you must first clarify your business responsibilities and your terms of service, as this is actually part of what your company is trying to sell at scale.
davsti4 16 hours ago [-]
Trying to register and I get this in the browser console:
Access to fetch at 'https://api.lumoar.com/v1/auth/register' from origin 'https://www.lumoar.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
asdxrfx 15 hours ago [-]
Hi, thanks for reaching out! The issue you encountered with the CORS policy has been fixed. You should be able to register without encountering the CORS issue anymore. If you run into any other issues, please don't hesitate to let us know!
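The console error above describes a real browser rule: a fetch made with credentials (cookies or an Authorization header) is rejected when the API answers with a wildcard Access-Control-Allow-Origin. The example below is an added illustration, not Lumoar's code, and assumes a hypothetical allow-list for api.lumoar.com; it shows the broken header set, the allow-list fix (rather than the unsafe fix of reflecting any Origin), and a small model of the browser's check.

```javascript
// Added example (not Lumoar's code): CORS headers for a credentialed request.
// The allow-list below is an assumption for illustration.
const ALLOWED_ORIGINS = new Set([
  'https://www.lumoar.com',
  'https://lumoar.com',
]);

// Broken variant, as in the report: a wildcard origin. Browsers refuse this
// whenever the fetch was made with credentials: 'include'.
function corsHeadersWildcard() {
  return {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Fixed variant: echo the request Origin back only if it is on the allow-list,
// and tell caches the answer depends on Origin. Unknown origins get no CORS
// headers at all, so the browser blocks them. Reflecting every Origin with
// credentials enabled would let any site make authenticated calls as the user.
function corsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Minimal model of the browser's CORS response check for a credentialed fetch
// from a page at pageOrigin. Returns null if allowed, else the block reason.
function credentialedFetchBlockReason(headers, pageOrigin) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return 'missing Access-Control-Allow-Origin';
  if (acao === '*') return "Access-Control-Allow-Origin must not be '*' with credentials";
  if (acao !== pageOrigin) return 'origin mismatch';
  if (headers['Access-Control-Allow-Credentials'] !== 'true') {
    return 'Access-Control-Allow-Credentials must be true';
  }
  return null;
}
```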
throw03172019 17 hours ago [-]
Every “free SOC-2” platform I researched and demoed before landing on a paid platform always had a catch. What is yours?
asdxrfx 16 hours ago [-]
No catch. It's completely free. We plan to offer paid add-ons (like AI automation and integrations) later, but the basics stay free.
aagha 15 hours ago [-]
Which paid one did you land on?
throw03172019 8 hours ago [-]
Vanta
wnolens 11 hours ago [-]
Genuinely curious and debating the costs of other SOC2 platforms. But your tool doesn't load anything when I go to controls.
> Error: Failed to fetch
Not a good way to debut
GiorgioG 15 hours ago [-]
How isn't this just straight up spam? OP has never posted before today.
dangrossman 15 hours ago [-]
"Show HN" posts announcing a new tech startup/tool are a core part of this site.
I see nothing wrong with this post. They're sharing something they've made and getting valuable, constructive feedback. I appreciate HN being one of the few places where that still happens.
asdxrfx 15 hours ago [-]
Fair to be cautious, I get it. We’re a real startup, just launched our MVP recently, and wanted to share what we’re building with the community. It’s our first time posting here, but we’re genuinely looking to get feedback and connect with others. Happy to answer any questions!
java-man 16 hours ago [-]
Every website that does not explain an abbreviation before the first use is automatically non-compliant.
asdxrfx 16 hours ago [-]
Thanks for pointing that out. We fixed our mistake.
rajivm 7 hours ago [-]
Don't follow all the advice blindly. I helped take a company in the compliance space from 0 to 3B exit. You're selling to startups that need SOC 2 so they can sell; they've never heard of "System and Organization Controls" but they have heard of SOC 2 because it's what their customers are asking for. Even compliance professionals wouldn't call it that on the daily. SOC 2 is what everyone knows.
If I were building an HTTP Inspector tool, you wouldn't call it a Hypertext Transfer Protocol (HTTP) Inspector tool.
[1] https://www.lumoar.com/terms-of-service.html
https://news.ycombinator.com/shownew