Product security and privacy

At Lumoa we ensure that customer data is protected at all times.

SCC 1

Standard Contractual Clause

Secure Data Processing

Feedback processed within EU/EEA

Product Security

Customer data access

Access to customer data is restricted on a strict need basis. Only authorized Lumoa administrators can access your data and they do so for support purposes only when you request it.

Service level agreement / uptime

We have uptime of 99.9% or higher.

Passwords

User-created passwords are hashed with the one-way bcrypt algorithm using at least 2048 iterations and a unique, user-specific salt. The salt protects against rainbow table attacks, and because the hash is one-way it is not possible to decrypt the stored value to recover the original password.
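The following is an added example of the storage scheme the paragraph describes (one-way hash, iteration count, per-user salt, no way back to the plaintext); it is not Lumoa's code. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here; the iteration count is set to 2048, the figure the page gives. The record format, function names and sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not Lumoa's code. Python's standard library has no bcrypt,
# so PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) stands in for it; the properties
# the page describes (one-way hash, iteration count, unique per-user salt) are
# shown the same way. bcrypt's cost is a power of two: 2**11 = 2048 rounds,
# which is the "at least 2048 iterations" figure on the page.
ITERATIONS = 2 ** 11
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex' for storage.

    A fresh random salt is drawn from os.urandom on every call, so two users
    who choose the same password end up with different stored values.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time. The stored value cannot be reversed to the password;
    recomputing and comparing is the only check possible."""
    try:
        iterations_s, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: deny rather than raise
    if iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def salts_differ(password: str) -> bool:
    """Hashing the same password twice yields two different stored values
    that both verify, which is what defeats precomputed (rainbow) tables."""
    first, second = hash_password(password), hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)
```

The verifier never decrypts anything: it re-derives the hash from the candidate password and the stored salt and compares the two digests with `hmac.compare_digest`, so a leaked table of stored records gives an attacker only the cost of guessing, multiplied by the iteration count.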

Permissions

You can define permissions very granularly in Lumoa, which ensures that only the people who should have access to specific data have it. You can restrict access to different data per user with our collection permissions, and you can use roles to limit access to the user list within the product. Each piece of data you send us, for example a feedback item, can also carry a tag, which can further be used to make only a particular user or group of users able to see that data.
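An added illustration of the three-layer model just described (collection permissions, roles for the user list, tags narrowing what a user sees); this is not Lumoa's implementation, and the type names, role names and sample feedback items are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Added illustration of the access model described on the page; it is not
# Lumoa's implementation. Types, role names and sample data are constructed.


@dataclass(frozen=True)
class FeedbackItem:
    item_id: str
    collection: str                     # the collection the feedback was sent to
    tags: FrozenSet[str] = frozenset()  # tags attached when the data was submitted


@dataclass(frozen=True)
class User:
    name: str
    role: str                                    # "admin" or "member" (assumed names)
    collections: FrozenSet[str]                  # collection permissions granted
    tag_filter: Optional[FrozenSet[str]] = None  # None means no tag restriction


def can_view_feedback(user: User, item: FeedbackItem) -> bool:
    """Default deny: the user needs the collection permission, and if a tag
    filter is set on the user, the item must carry at least one of those tags."""
    if item.collection not in user.collections:
        return False
    if user.tag_filter is None:
        return True
    return bool(user.tag_filter & item.tags)


def can_view_user_list(user: User) -> bool:
    """Roles, not collection permissions, gate the user list in the product."""
    return user.role == "admin"


def visible_items(user: User, items: Iterable[FeedbackItem]) -> List[str]:
    """Ids of the feedback items this user is allowed to see, in input order."""
    return [item.item_id for item in items if can_view_feedback(user, item)]


# Constructed sample data.
SAMPLE_ITEMS = [
    FeedbackItem("f1", "stores", frozenset({"helsinki"})),
    FeedbackItem("f2", "stores", frozenset({"stockholm"})),
    FeedbackItem("f3", "stores"),
    FeedbackItem("f4", "support", frozenset({"helsinki"})),
]
ADMIN = User("ada", "admin", frozenset({"stores", "support"}))
STORE_MANAGER = User("bob", "member", frozenset({"stores"}), frozenset({"helsinki"}))
NEW_HIRE = User("cy", "member", frozenset())
```

Note the two deny paths: a user with no collection permission sees nothing regardless of tags, and a tag-filtered user does not see untagged items in a collection they can otherwise read (`f3` above), so adding a tag filter only ever narrows access.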

Network and application security

Data hosting and storage

Our services and data are hosted in Microsoft Azure (europe-west), within the EU.

SSO & 2FA

SAML Single Sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials. You can enable SSO with Lumoa and be in full control of your credentials.

Virtual private cloud

All of our servers are within our own virtual private cloud (VPC), with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.
All of our networks are also separated logically, so the production, staging and test networks are distinct from one another.

Encryption

All communication with the Lumoa web service, and between the Lumoa web service and external services (such as third-party services or public APIs), takes place over HTTPS.

API keys and secrets are used to authenticate incoming requests to the Lumoa service and grant access to Lumoa's public endpoints on a per-client basis. Each client is provided with a company-specific id and the related client secret.

Backups and monitoring

On an application level, we produce audit logs for product usage and monitor system resources and application performance using Datadog (in EU). We use monitoring to continuously improve Lumoa performance.

Penetration tests, vulnerability scanning

Lumoa uses security tools to continuously scan for vulnerabilities. Our team responds immediately to any security issue raised and prioritizes the work to fix it. At least once per year we engage third-party security experts to perform thorough penetration tests on the Lumoa application and infrastructure.

Hosting authentication

Our server infrastructure is accessible only by named third-level personnel using strong authentication: Azure SSO plus two-factor authentication (2FA). We enforce strong password policies on our infrastructure to ensure that access to cloud services is protected.

Incident Response

Lumoa customer success follows a protocol for handling security events which includes escalation procedures, rapid mitigation, and a post-mortem. All employees are informed of our policies.

Additional Security Features

Training

All employees complete Security and Awareness training annually.

Confidentiality

All employee and sub-contractor contracts include a confidentiality agreement.

Lumoa FAQ on Data Transfers

Policies

Lumoa has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.