Information Security and Privacy Statement
At Lumafield, we take information security and privacy seriously by ensuring industry best practices. Trust is woven into every aspect of our business.
To keep data safe, we deploy industry-leading solutions and continuously monitor our cloud-based infrastructure so that our customers can rest easy knowing that their information is protected 24/7.
Our approach includes the use of information security frameworks such as NIST and the ISO 27000 series.
Physical Security Standards
Our systems are hosted on Amazon Web Services (AWS), which provides robust physical data security and environmental controls.
Employee computers come pre-installed with enterprise-level security and device management software. Computer hard drives are encrypted, and all recycled/decommissioned hardware and media are sanitized.
We actively monitor our employee computers to ensure they meet our compliance and security best practice guidelines.
All customer data is encrypted at rest and in transit. Our databases and servers use AES-128, AES-256, or ChaCha20 ciphers and the highest encryption standards for encryption at rest. All customer access over the public internet is encrypted with HTTPS and TLS 1.2+. Customer data behind our firewall is encrypted in transit.
We only collect and process information that our customers provide us. Our customers own their own data. As part of our commitment to our customers, we maintain a Data Privacy Officer and methods for contact for any questions or concerns.
We utilize Standard Contractual Clauses (SCC), per GDPR.
Customer data is hosted in secure databases that are properly hardened and separated from non-production environments. All access to our databases is tightly controlled and locked down through least privilege, quarterly access reviews, and verification that only properly authorized individuals retain access.
Our application servers are secured behind industry-standard firewalls with port whitelisting. Passwords are encrypted in transit and stored salted and hashed. We use a high-level encrypted VPN for site-to-site client connections.
Access privileges are audited on a quarterly basis.
We ensure that our internal network is properly maintained with vulnerability and patch management. We use enterprise standard key management policies with regular key rotation where appropriate.
Our Development Team is assigned ongoing secure coding training and uses tools to ensure that code is properly scanned for vulnerabilities prior to publication into production.
Incident Response and Disaster Recovery
We have well-defined incident response and disaster recovery policies and plans which are tested at least annually.
We perform daily backups, and they are tested on a frequent basis.
If any unauthorized access is discovered, Lumafield staff will:
- Activate our Incident Response Team
- Notify our CISO and Information Security Team
- Immediately reset all relevant passwords and revoke relevant keys
- Notify Development, Engineering, Product, and Customer Success teams
- Notify affected customers (if any) of the intrusion and if/how their data was compromised within 24-48 hours of a confirmed incident
- Conduct a systemwide audit to identify the source of the breach
- Define system or process improvement tasks to avoid incidents in the future
- Communicate the improvement plan to affected customers (if any), and update customers as improvements are deployed
- Hire a third-party data forensics firm to assist with our investigation, if needed, based on the severity
Security, Privacy Training, and Compliance
During their tenure, all staff attend annual security and privacy training. All staff sign confidentiality agreements and receive training on proper data handling policies and practices. We maintain an open channel with our teams for reporting and discussing information security knowledge for ongoing training purposes.
All staff of Lumafield are required to complete a background check prior to access to any client data.
Information Security, Risk Management, Compliance, Privacy Management Oversight
Lumafield has selected James D Grisham as its Chief Information Security Officer and Data Privacy Officer. The CISO/DPO at Lumafield provides internal consulting, oversight, and governance throughout the company and is actively involved in mapping the security program to business strategy. The CISO/DPO reports directly to the CEO.