SOC 2 is a compliance framework used to evaluate and validate an organization’s information security practices.
It’s widely used in North America, particularly in the SaaS industry.
Being SOC 2 Compliant means you have implemented the appropriate security controls and have had those controls investigated by a third-party auditor.
Lume's security program is organized around the five SOC 2 Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy.
Security
The Security principle requires safeguards against unauthorized access to systems and data.
It comprises more than 30 criteria (the SOC 2 Common Criteria), covering areas such as logical access control, physical security, and encryption, so that data is protected at every layer.
Availability
The Availability principle ensures reliable data access for intended use by customers and staff, incorporating resilience and recovery capabilities for system disruptions.
Confidentiality
Enhancing data protection, the Confidentiality principle focuses on safeguarding sensitive information, including trade secrets and personal data, from unauthorized exposure.
Processing integrity
The Processing Integrity principle ensures the accuracy and reliability of customer data processing, crucial for entities managing data analytics or manipulation on behalf of clients.
Privacy
Focusing on consumer data rights, the Privacy principle outlines criteria for protecting privacy and controlling data collection and usage.
Privileged access to infrastructure systems, such as databases, firewalls, operating systems, and the production network, is restricted to authorized users with a documented business need.
Multi-Factor Authentication
The company’s production systems can only be remotely accessed by authorized employees who possess a valid multi-factor authentication (MFA) method and connect over an approved encrypted connection.
Firewall
The company uses firewalls and configures them to prevent unauthorized access.
Host-based vulnerability scans are performed at least quarterly on all external-facing systems.
Critical and high vulnerabilities are tracked to remediation.
Continuity and Disaster Recovery plans established
The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.
The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.
Customer data deleted upon leaving
The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.