Product Security and Privacy

At Lumoa we ensure that customer data is protected at all times

SCC

Standard Contractual Clauses

Secure Data Processing

Feedback processed within EU/EEA

Product Security

Customer data access
Access to customer data is restricted on a strict need-to-know basis. Only authorized Lumoa administrators can access your data, and they do so for support purposes only, when you request it.

Passwords
User-created passwords are stored as one-way bcrypt hashes using at least 2048 iterations and a unique, user-specific salt. The salt protects against rainbow-table attacks, and because the hash is one-directional the passwords cannot be decrypted or otherwise recovered in their original form.
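As an added example that is not Lumoa's own code, the audit below parses stored bcrypt strings and checks them against the policy stated here: bcrypt's cost parameter c means 2**c iterations, so a 2048-iteration floor corresponds to cost 11, and every user must carry a distinct salt. The sample records are constructed and are not real password hashes.

```python
import re
from collections import namedtuple

# Modular-crypt-format bcrypt string: $2b$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
MIN_ITERATIONS = 2048  # the page's stated floor; bcrypt runs 2**cost key-setup rounds

BcryptHash = namedtuple("BcryptHash", "variant cost iterations salt digest")


def parse_bcrypt(stored: str) -> BcryptHash:
    """Split a stored bcrypt string into its fields; reject anything that is not bcrypt."""
    m = BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt hash string")
    cost = int(m.group(2))
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's valid range")
    return BcryptHash(m.group(1), cost, 2 ** cost, m.group(3), m.group(4))


def audit(user_hashes: dict) -> dict:
    """Return {user: [problems]} for records that miss the policy (bcrypt, >= 2048 iterations, unique salt)."""
    findings, seen_salts = {}, {}
    for user, stored in user_hashes.items():
        try:
            h = parse_bcrypt(stored)
        except ValueError as exc:
            findings[user] = [str(exc)]
            continue
        problems = []
        if h.iterations < MIN_ITERATIONS:
            problems.append(f"cost {h.cost} = {h.iterations} iterations, below {MIN_ITERATIONS}")
        if h.salt in seen_salts:  # a shared salt lets one precomputed table cover both accounts
            problems.append(f"salt reused from user {seen_salts[h.salt]}")
        seen_salts.setdefault(h.salt, user)
        if problems:
            findings[user] = problems
    return findings


# Constructed sample records (not real hash output): same digest text, varying cost and salt.
SALT_A, DIGEST = "abcdefghijklmnopqrstuv", "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE = {
    "alice": f"$2b$11${SALT_A}{DIGEST}",               # cost 11 -> 2048 iterations, compliant
    "bob":   f"$2b$10$0123456789abcdefghijkl{DIGEST}",  # cost 10 -> 1024 iterations, too weak
    "carol": f"$2b$12${SALT_A}{DIGEST}",               # strong cost but reuses alice's salt
    "dave":  "$6$rounds=5000$saltsalt$hashhash",       # sha512-crypt, not bcrypt at all
}
```

Running `audit(SAMPLE)` flags bob, carol and dave and leaves alice clean; a real verifier would compare a submitted password with `bcrypt.checkpw` rather than ever reversing the stored string.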

Service Level Agreement / Uptime
We maintain an uptime of 99.9% or higher.

Permissions
Permissions in Lumoa can be defined at a very granular level, which ensures that only the people who should have access to specific data have it. You can restrict access to different data per user with our collection permissions, and you can use roles to limit who can see the user list within the product. Any data you send us, for example a piece of feedback, can also carry a tag that further restricts which user or group of users is able to see it.

Network and Application Security

Data Hosting and Storage
Our services and data are hosted in Microsoft Azure (europe-west), within the EU.

Virtual Private Cloud
All of our servers are within our own virtual private cloud (VPC), with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.
All of our networks are also logically separated, so the production, staging and test networks are distinct from one another.

Back Ups and Monitoring
On the application level, we produce audit logs for product usage and monitor system resources and application performance using Datadog (in the EU). We use this monitoring to continuously improve Lumoa's performance.

Hosting Authentication
Our server infrastructure is accessible only to named 3rd-level personnel using strong authentication: Azure SSO plus two-factor authentication (2FA). We enforce strong password policies on our infrastructure to ensure that access to cloud services is protected.

SSO & 2FA
SAML Single Sign-on (SSO) lets you authenticate users against your own identity systems without requiring them to enter additional login credentials. You can enable SSO with Lumoa and remain in full control of your credentials.

Encryption
All communications to the Lumoa web service, or between the Lumoa web service and external services (such as 3rd-party services or public APIs), take place over HTTPS.

API keys and secrets authenticate incoming requests to the Lumoa service on a per-client basis, granting access to Lumoa's public endpoints. Each client is provided with a company-specific id and the related client secret.

Penetration tests, Vulnerability Scanning
Lumoa uses security tools to continuously scan for vulnerabilities. Our team responds immediately to any security issue raised and prioritizes work to fix it. At least once per year we engage third-party security experts to perform thorough penetration tests of the Lumoa application and infrastructure.

Incident Response
Lumoa customer success implements a protocol for handling security events that includes escalation procedures, rapid mitigation, and a post-mortem. All employees are informed of our policies.

Additional Security Features

Training
All employees complete Security and Awareness training annually.

Policies
Lumoa has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

Confidentiality
All employee and sub-contractor contracts include a confidentiality agreement.

Lumoa FAQ on Data Transfers