Security Overview

The security of our customers' data is our top priority. This document outlines our general security practices and provides information on how your data is protected while using our platform. For any questions not covered here, reach out to our dedicated security team at security@lumonic.com for clarification.

Lumonic's Commitment to Data Security: SOC 2 Type II Certified

In December 2023, Lumonic received the SOC 2 Type II certification from the reputable firm Advantage Partners. This certification is a testament to our adherence to high standards of security, availability, and confidentiality. To request a copy of our SOC 2 Type II report, please email security@lumonic.com.

Technical Details

Our infrastructure is hosted on Amazon Web Services (AWS), a secure cloud services platform with a robust suite of compliance certifications, including SSAE 18 (SOC 1, SOC 2, and SOC 3). All server instances are hosted within a Virtual Private Cloud in AWS data centers located exclusively in the United States. Only authorized Lumonic engineers have access to our production environment, secured through mandated two-factor authentication.

We employ logical separation techniques to isolate user data. Your data is safeguarded by stringent authentication and authorization controls, ensuring that only authorized personnel can access it.

Continuous monitoring and alerts are in place across our application servers, infrastructure, and network to identify and mitigate any potential risks or abuses.

Lumonic maintains bank-level digital security with data encrypted at rest and in transit. This includes OCSP stapling and HTTP Strict Transport Security (HSTS). The Lumonic platform is only served over TLS 1.2+ to keep website traffic secure; older protocol versions are not enabled.

Files generated by or uploaded to Lumonic are securely stored on AWS and encrypted using AES-256. These files are backed up in multiple U.S.-based locations and are accessible only through time-limited, cryptographically signed links. Private keys for encryption are rotated annually and are accessible only to a select group of engineers.
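The time-limited, cryptographically signed links described above are commonly built from a MAC over the file path and an expiry timestamp. The block below is an added illustration of that pattern; it is not Lumonic's code and does not describe their actual mechanism. The signing keys, key ids, host name and file paths are constructed placeholders. It also goes slightly beyond the paragraph by tagging each link with a key id, so that a link issued just before a key rotation keeps verifying until it expires while the retired key can still be dropped later.

```python
"""Time-limited, HMAC-signed download links (added illustration, not Lumonic's code)."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample keys indexed by a rotation id. A real deployment would
# load these from a secrets manager; keeping the previous key available lets
# links signed shortly before a rotation verify until they expire.
KEYS = {
    "k2": bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"),
    "k1": bytes.fromhex("5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"),
}
CURRENT_KEY_ID = "k2"
BASE_URL = "https://files.example.test"  # placeholder host, not a real service


def _mac(key, path, expires):
    # Bind the path and the expiry together so neither can be altered alone.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_link(path, ttl_seconds, now=None, key_id=CURRENT_KEY_ID):
    """Return a URL for `path` that is valid for `ttl_seconds` from `now`."""
    now = int(time.time()) if now is None else int(now)
    expires = now + int(ttl_seconds)
    query = urlencode({
        "kid": key_id,
        "expires": expires,
        "sig": _mac(KEYS[key_id], path, expires),
    })
    return f"{BASE_URL}{path}?{query}"


def verify_link(url, now=None, keys=KEYS):
    """Return (ok, reason); ok is True only for an untampered, unexpired link."""
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        key_id = qs["kid"][0]
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed parameters"
    key = keys.get(key_id)
    if key is None:
        # Links signed under a key that has since been removed are rejected.
        return False, "unknown or retired key"
    expected = _mac(key, parts.path, expires)
    # Check the signature first and in constant time; an edited expiry
    # invalidates the signature, so it cannot extend a link's lifetime.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issue time
    link = sign_link("/reports/q4.pdf", ttl_seconds=600, now=issued)
    print(link)
    print(verify_link(link, now=issued + 100))            # valid
    print(verify_link(link, now=issued + 600))            # expired
    print(verify_link(link.replace("q4", "q3"), now=issued + 100))  # tampered path
```

The signature covers the path and the expiry, so changing either field breaks verification; the expiry is only consulted after the signature has been checked, and the comparison is constant-time. Dropping a key id from `KEYS` is what revoking a rotated key looks like in this model: every link still carrying that id stops verifying immediately.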

All databases are stored on file systems encrypted at rest with AES-256, using private keys that are rotated at least annually. All database traffic is routed over TLS 1.2+ secured connections. Our databases are backed up regularly to multiple locations, all within the United States. For added security, more sensitive data fields are further encrypted using Argon2.

All changes to any customer data are automatically logged in an audit database. This includes every action and click on the Lumonic platform.

Access to the Lumonic platform requires email verification, rendering brute-force attacks ineffective.

Software Updates

At Lumonic, we adhere to an iterative release strategy, constantly fine-tuning all facets of our software for optimal performance and security. Our change management framework encompasses the entire software development lifecycle—from initial development and source code management to rigorous automated testing and peer review.

Changes are initially deployed in test environments, serving as a preliminary security checkpoint before reaching our production systems.
All modifications to the software undergo a comprehensive suite of automated tests that ensure the integrity of essential application components. No changes are finalized without documented approval.

Employees

Lumonic employees have decades of work experience in security-critical domains such as finance and technology. All employees undergo rigorous background checks. Access to production customer data is restricted internally by job function.

Responsible disclosure

If you believe you have discovered a vulnerability within Lumonic, please contact us at security@lumonic.com. Include as many details as possible, including steps to replicate or other proof.

© 2024 Lumonic Inc.