The Security principle mandates comprehensive safeguards against unauthorized data access. It encompasses over 30 essential criteria, including stringent access control, robust physical security, and advanced encryption, ensuring data protection at all levels.

The Availability principle ensures reliable data access for intended use by customers and staff, incorporating resilience and recovery capabilities for system disruptions.

Enhancing data protection, the Confidentiality principle focuses on safeguarding sensitive information, including trade secrets and personal data, from unauthorized exposure.

The Processing Integrity principle ensures the accuracy and reliability of customer data processing, crucial for entities managing data analytics or manipulation on behalf of clients.

Focusing on consumer data rights, the Privacy principle outlines criteria for protecting privacy and controlling data collection and usage.

Restricts privileged access to infrastructure systems, such as databases, firewall, operating sytem, and production network only to authorized users with a business need.

The company’s production systems can only be remotely accessed by authorized employees that

• possess a valid multi-factor authentication (MFA) method.
• have an approved encrypted connection

The company uses firewalls and configures them to prevent unauthorized access.

All employees at Lume are required to complete security awareness training within thirty days of hire and at least annually thereafter.

The company’s datastores housing sensitive customer data are encrypted at rest.

The company’s penetration testing is performed at least annually.

The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.

The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.

The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.

The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.