Compliance Standards

Lume is SOC 2 Type 1 and SOC 2 Type 2 Compliant.

Lume’s Security Principles

Lume is built on top of 5 principles, led by the SOC 2 framework.

Security

The Security principle mandates comprehensive safeguards against unauthorized data access. It encompasses over 30 essential criteria, including stringent access control, robust physical security, and advanced encryption, ensuring data protection at all levels.

Availability

The Availability principle ensures reliable data access for intended use by customers and staff, incorporating resilience and recovery capabilities for system disruptions.

Confidentiality

Enhancing data protection, the Confidentiality principle focuses on safeguarding sensitive information, including trade secrets and personal data, from unauthorized exposure.

Processing Integrity

The Processing Integrity principle ensures the accuracy and reliability of customer data processing, crucial for entities managing data analytics or manipulation on behalf of clients.

Privacy

Focusing on consumer data rights, the Privacy principle outlines criteria for protecting privacy and controlling data collection and usage.

Security Highlights

Below is a preview of the controls and policies Lume has in place to ensure security.

Infrastructure Security

Least-Privilege Access

Restricts privileged access to infrastructure systems, such as databases, firewalls, operating systems, and the production network, to authorized users with a business need.

Multi-Factor Authentication

The company’s production systems can only be remotely accessed by authorized employees who

  • possess a valid multi-factor authentication (MFA) method, and
  • have an approved encrypted connection.

Firewall

The company uses firewalls and configures them to prevent unauthorized access.

Organizational Security

Employee Security Training

All employees at Lume are required to complete security awareness training within thirty days of hire and at least annually thereafter.

Product Security

Data Encryption

The company’s datastores housing sensitive customer data are encrypted at rest.

Penetration Testing

The company’s penetration testing is performed at least annually.

Data transmission encrypted

The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

Internal Security Procedures

Vulnerabilities scanned and remediated

Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.

Continuity and Disaster Recovery plans established

The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.

Data and Privacy

Data retention procedures established

The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.

Customer data deleted upon leaving

The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.