
Information Security

Last Updated: January 17, 2024

Information Security and Privacy Statement

At Lumafield, the security and privacy of our customers' data is our first priority. We have achieved SOC 2 Type I compliance and are working toward SOC 2 Type II compliance in 2024.

A Type I report attests to the design of our controls at a point in time; a Type II report will attest to their operating effectiveness over a review period. This progression reflects our continuing commitment to strengthening our security practices and to the trust our customers place in us.

Data Security and Privacy Commitment

We are committed to safeguarding the security and confidentiality of our customers' data at all times. Our cloud-based infrastructure is protected by current security tooling and is monitored around the clock, so that customer data remains protected and our customers can rely on that protection.

Advanced Security Frameworks

Lumafield aligns its multi-layered security program with established frameworks, including NIST guidance and ISO/IEC 27001:2022.

Physical Security Measures

Our infrastructure is hosted on Amazon Web Services (AWS), which provides the physical and environmental safeguards for the underlying data centers. Employee devices run endpoint security software, use full-disk encryption, and are sanitized before decommissioning. Compliance with these device controls is monitored continuously through a centralized management platform.

Data Encryption Practices

Data at rest is protected with AES-256 encryption. Data in transit is protected with HTTPS over TLS 1.2 or higher, using AES-128, AES-256 or ChaCha20 cipher suites.
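The transport policy stated above (TLS 1.2 or higher, AES-128, AES-256 or ChaCha20 only) can be written down as an enforceable server configuration and then checked against what a handshake actually negotiates, which is the property an auditor or a pentester verifies. The Go program below is an added example written for this page; it is not Lumafield's code and says nothing about their real deployment. It assumes a hypothetical self-signed ECDSA certificate generated in memory and an in-memory pipe in place of a network socket, so it runs offline: a client pinned to TLS 1.0 is refused, clients pinned to TLS 1.2 and 1.3 succeed, and `CheckNegotiated` rejects a CBC suite or a pre-1.2 version.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// TLS 1.2 suites that meet the stated policy (TLS 1.2+, AES-128, AES-256 or
// ChaCha20): forward-secret ECDHE key exchange with an AEAD cipher only. CBC,
// RC4 and static-RSA suites are deliberately absent. TLS 1.3 suites are chosen
// by Go itself, and all of them are AES-GCM or ChaCha20-Poly1305.
var allowedTLS12Suites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// ServerConfig is the hardened server side: nothing below TLS 1.2 and only the
// suites above. Session tickets are off only because the demo runs over a
// synchronous in-memory pipe; a real listener can leave them enabled.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		CipherSuites:           allowedTLS12Suites,
		SessionTicketsDisabled: true,
	}
}

// CheckNegotiated inspects what a finished handshake actually agreed on,
// not merely what the configuration asked for.
func CheckNegotiated(cs tls.ConnectionState) error {
	if cs.Version < tls.VersionTLS12 {
		return fmt.Errorf("negotiated version 0x%04x is below TLS 1.2", cs.Version)
	}
	if cs.Version == tls.VersionTLS13 {
		return nil // every TLS 1.3 suite Go offers is AES-GCM or ChaCha20-Poly1305
	}
	for _, s := range allowedTLS12Suites {
		if s == cs.CipherSuite {
			return nil
		}
	}
	return fmt.Errorf("suite %s is not on the allow list", tls.CipherSuiteName(cs.CipherSuite))
}

// selfSignedCert builds a throwaway ECDSA certificate for the test server. It is
// a constructed artifact for this example, not a production certificate.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Handshake runs the hardened server against a client pinned to exactly
// clientVersion over an in-memory pipe and returns the negotiated state. A
// client stuck on TLS 1.0 or 1.1 gets a protocol_version alert instead.
func Handshake(clientVersion uint16) (tls.ConnectionState, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return tls.ConnectionState{}, err
	}
	clientEnd, serverEnd := net.Pipe()
	defer clientEnd.Close()
	defer serverEnd.Close()

	server := tls.Server(serverEnd, ServerConfig(cert))
	client := tls.Client(clientEnd, &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		MinVersion: clientVersion,
		MaxVersion: clientVersion,
	})
	serverDone := make(chan error, 1)
	go func() { serverDone <- server.Handshake() }()

	if err := client.Handshake(); err != nil {
		clientEnd.Close() // unblock the server side if it is still reading
		<-serverDone
		return tls.ConnectionState{}, err
	}
	if err := <-serverDone; err != nil {
		return tls.ConnectionState{}, err
	}
	return client.ConnectionState(), nil
}

func main() {
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS12, tls.VersionTLS13} {
		st, err := Handshake(v)
		if err != nil {
			fmt.Printf("client pinned to 0x%04x: rejected (%v)\n", v, err)
			continue
		}
		fmt.Printf("client pinned to 0x%04x: negotiated 0x%04x with %s, policy check: %v\n",
			v, st.Version, tls.CipherSuiteName(st.CipherSuite), CheckNegotiated(st))
	}
}
```

The same `CheckNegotiated` logic can be applied to the `ConnectionState` of real inbound connections, or to a scanner's output, to confirm that the deployed configuration matches the written policy rather than trusting the configuration file alone.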

Data Privacy Assurance

Our approach to data privacy is transparent and customer-centric. We process only the information our customers provide, and customers retain full ownership of their data. Questions and concerns are addressed by our Data Privacy Officer, in line with the GDPR Standard Contractual Clauses (SCCs).

Robust Application Security and Development Framework

Application security is built into our Agile software development lifecycle (SDLC), so that security is considered at every stage of development and security issues are detected and fixed early.

Our databases are encrypted to protect the confidentiality and integrity of stored data. Customer data is held in isolated databases, with access governed by strict controls, authorization procedures, and regular access reviews. A Web Application Firewall (WAF) shields our applications from common web attacks. Before deployment to production, code is scanned for vulnerabilities and findings are remediated.

We also monitor network traffic for anomalies so that potential threats can be addressed early, and we apply system updates and patches regularly to keep our defenses current against newly disclosed vulnerabilities.

Alongside these technical measures, we place strong emphasis on security training for our team, with regular sessions to maintain awareness and vigilance among our staff.

Every change to our systems is reviewed and tested before release. We notify customers of significant security patches that may affect their service. Together, these practices reflect our commitment to the highest standards of data protection for our clients.

Network and Access Security

Our internal network is protected with industry-standard firewalls and encrypted passwords, and customer connections use secure VPNs. Access privileges are audited quarterly, and systems are maintained in accordance with our vulnerability and patch management policies.

Access Control and Identity Management

Lumafield uses Single Sign-On (SSO) as a cornerstone of its access control and identity management practices. SSO reduces the number of passwords a user must manage, which lowers the risk of weak or reused passwords and the breaches that follow from them. Combined with our authentication controls, SSO gives users convenient access while keeping our systems protected against unauthorized use.

Proactive Incident Response and Disaster Recovery

Our incident response and disaster recovery plans are tested and updated regularly. In the event of unauthorized access, our Incident Response Team acts immediately, including notifying affected customers and auditing the affected systems, to contain the incident and prevent recurrence.

Information Security & Privacy Training

At Lumafield, security and privacy training is a core part of our program. Annual sessions cover data handling best practices and confidentiality, supplemented by quarterly refresher courses, so that staff remain current on our security policies and procedures.

We also run phishing exercises throughout the year so that staff stay alert to this common threat and can recognize and report phishing attempts effectively.

All training is tracked and managed centrally, which lets us confirm that every team member has completed the required modules and supports our compliance program.

New hires whose role requires access to customer data must complete this training before that access is granted. This ensures that every team member, regardless of tenure, is equipped to uphold our data security and privacy standards.

Executive Leadership in Information Security and Privacy

James D Grisham, our Chief Information Security Officer and Data Privacy Officer, oversees the security program and aligns it with our business strategy, reporting directly to the CEO. He has more than thirty years of experience in information security, risk management, compliance, and privacy, and holds an MA, the ISC2 CISSP with ISSMP concentration, CISM, and several other designations.

For inquiries or further information, please reach out to