Product Security and Privacy
At Lumoa we ensure that customer data is protected at all times.
ISO 27001 Certification
The recognized standard for proactive risk management ensures information security best practices in asset management, access control, cryptography, and network security.
ISO 9001 Certification
The recognized standard for quality management; it ensures that customers and users receive consistent, high-quality products and services.
Processes data within the EU/EEA
Lumoa is compliant with the EU-US Privacy Shield Framework.
Customer data access
Access to customer data is restricted on a strict need basis. Only authorized Lumoa administrators can access your data and they do so for support purposes only when you request it.
User-created passwords are hashed with bcrypt, a one-way function, using at least 2048 iterations and a unique per-user salt. The salt protects against rainbow-table attacks, and because the function is one-way it is not possible to decrypt the passwords and recover their original form.
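As an added illustration of that policy (example code written here, not Lumoa's own), the following Python parses the stored bcrypt string format, turns the cost factor into an iteration count, and audits a set of stored hashes for entries below the 2048-iteration floor or with a salt reused across users. The sample strings are constructed for the example and are not real hashes of any password.

```python
import re

# A stored bcrypt string looks like $2b$11$<22-char salt><31-char digest>;
# the two-digit field is the cost factor and the work done is 2**cost rounds.
BCRYPT_RE = re.compile(
    r"^\$(?P<ident>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)
# The policy stated on the page: at least 2048 iterations, i.e. cost >= 11.
MIN_ROUNDS = 2048

def parse_bcrypt(stored):
    """Split a stored bcrypt string into its fields and compute the round count."""
    m = BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError("cost %d is outside bcrypt's valid range 4..31" % cost)
    return {"ident": m.group("ident"), "cost": cost, "rounds": 2 ** cost,
            "salt": m.group("salt"), "digest": m.group("digest")}

def meets_policy(stored, min_rounds=MIN_ROUNDS):
    """True when the stored hash was produced with at least min_rounds iterations."""
    return parse_bcrypt(stored)["rounds"] >= min_rounds

def audit(hashes, min_rounds=MIN_ROUNDS):
    """Flag hashes below the iteration policy and salts shared by more than one user."""
    weak, seen, reused = [], set(), set()
    for stored in hashes:
        parts = parse_bcrypt(stored)
        if parts["rounds"] < min_rounds:
            weak.append(stored)
        if parts["salt"] in seen:
            reused.add(parts["salt"])
        seen.add(parts["salt"])
    return {"weak": weak, "reused_salts": sorted(reused)}

# Constructed sample strings in the bcrypt alphabet; not real hashes of any password.
SALT_A = "0123456789abcdefghijkl"
SALT_B = "mnopqrstuvwxyzABCDEFGH"
DIGEST = "MNOPQRSTUVWXYZmnopqrstuvwxyz012"
SAMPLE_OK = "$2b$11$" + SALT_A + DIGEST      # 2048 rounds, unique salt
SAMPLE_WEAK = "$2b$10$" + SALT_B + DIGEST    # only 1024 rounds, below policy
SAMPLE_REUSED = "$2b$12$" + SALT_A + DIGEST  # strong enough, but reuses SALT_A

if __name__ == "__main__":
    print(audit([SAMPLE_OK, SAMPLE_WEAK, SAMPLE_REUSED]))
```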
Service Level Agreement / Uptime
We have uptime of 99.9% or higher.
You can define permissions in Lumoa at a very granular level, which ensures that only the people who should have access to specific data have it. You can restrict access to different data per user with our collection permissions, and you can use roles to limit access to the user list within the product. Each piece of data you send us, for example a feedback item, can also carry a tag that further restricts which user or group of users is able to see it.
Network and Application Security
Data Hosting and Storage
Our services and data are hosted in Microsoft Azure (europe-west), in the EU.
Virtual Private Cloud
All of our servers sit within our own virtual private cloud (VPC), with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.
All of our networks are also separated logically, so the production, staging and test networks are distinct.
Back Ups and Monitoring
On the application level, we produce audit logs for product usage and monitor system resources and application performance using Datadog (in the EU). We use this monitoring to continuously improve Lumoa's performance.
Our server infrastructure is accessible only to named third-level personnel using strong authentication: Azure SSO plus two-factor authentication (2FA). We enforce strong password policies on our infrastructure to ensure that access to cloud services is protected.
SSO & 2FA
SAML Single Sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials. You can enable SSO with Lumoa and be in full control of your credentials.
All communications to the Lumoa web service, or between the Lumoa web service and external services (such as 3rd-party services or public APIs), take place over HTTPS.
API keys and secrets are used to authenticate incoming requests to the Lumoa service when accessing Lumoa's public endpoints, on a per-client basis. Each client is provided with a company-specific id and the related client secret.
Penetration tests, Vulnerability Scanning
Lumoa uses security tools to continuously scan for vulnerabilities. Our team responds immediately to any security issue raised and prioritizes work to fix it. At least once per year we engage third-party security experts to perform thorough penetration tests on the Lumoa application and infrastructure.
Lumoa customer success implements a protocol for handling security events that includes escalation procedures, rapid mitigation, and a post-mortem. All employees are informed of our policies.
Additional Security Features
All employees complete security awareness training annually.
Lumoa has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
All employee and sub-contractor contracts include a confidentiality agreement.