Security Overview
Compliance Standards
Lume is SOC 2 Type 1 and SOC 2 Type 2 compliant.
Lume’s Security Principles
Lume is built on five principles, drawn from the SOC 2 framework.
Security
The Security principle mandates comprehensive safeguards against unauthorized data access. It encompasses over 30 essential criteria, including stringent access control, robust physical security, and advanced encryption, ensuring data protection at all levels.
Availability
The Availability principle ensures reliable data access for intended use by customers and staff, incorporating resilience and recovery capabilities for system disruptions.
Confidentiality
Enhancing data protection, the Confidentiality principle focuses on safeguarding sensitive information, including trade secrets and personal data, from unauthorized exposure.
Processing integrity
The Processing Integrity principle ensures the accuracy and reliability of customer data processing, crucial for entities managing data analytics or manipulation on behalf of clients.
Privacy
Focusing on consumer data rights, the Privacy principle outlines criteria for protecting privacy and controlling data collection and usage.
Security Highlights
Below is a preview of the controls and policies Lume has in place to ensure security.
Infrastructure Security
Least-Privilege Access
Privileged access to infrastructure systems, such as databases, firewalls, operating systems, and the production network, is restricted to authorized users with a business need.
Multi-Factor Authentication
The company’s production systems can only be remotely accessed by authorized employees who
- possess a valid multi-factor authentication (MFA) method, and
- have an approved encrypted connection.
Firewall
The company uses firewalls and configures them to prevent unauthorized access.
Organizational Security
Employee Security Training
All employees at Lume are required to complete security awareness training within thirty days of hire and at least annually thereafter.
Product Security
Data Encryption
The company’s datastores housing sensitive customer data are encrypted at rest.
Penetration Testing
The company’s penetration testing is performed at least annually.
Data transmission encrypted
The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.
Internal Security Procedures
Vulnerabilities scanned and remediated
Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.
Continuity and Disaster Recovery plans established
The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.
Data and Privacy
Data retention procedures established
The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.
Customer data deleted upon leaving
The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.