Introduction
At Lumiform, we are committed to ensuring the security and privacy of our customers’ data. Our platform is designed to help companies across various industries enhance their quality management, safety, compliance, and operational processes. With over 40,000 companies using Lumiform worldwide, we understand our critical role in our customers’ daily operations. Security is our top priority, and we adhere to stringent European guidelines to protect your data.
This document outlines our company’s approach to (cyber)security. If you have any questions, please don’t hesitate to contact us via privacy@lumiformapp.com.
Overview of our cybersecurity program
Lumiform has implemented a comprehensive cybersecurity program designed to address the current and emerging threats in the digital landscape. Our approach combines technical and operational controls to protect against potential cyber-attacks and secure the data processed by our SaaS application.
Key features of our cybersecurity program:
- World-class infrastructure: Our information systems and technical infrastructure are hosted in SOC 2-accredited data centers. These facilities employ physical security measures, including 24/7 surveillance, security cameras, visitor logs, and access restrictions, ensuring a secure environment for data processing.
- Compliance with industry standards: The cloud platform we utilize meets trusted security benchmarks, such as ISO 27001 and SOC 2, which are essential for maintaining high information security management standards.
- Robust access control: Access to Lumiform systems and customer data is controlled and monitored using multi-factor authentication and strict access management protocols, minimizing the risk of unauthorized access.
- Data encryption: We use robust encryption mechanisms to secure customer data in transit and at rest, adhering to industry-leading standards to protect sensitive information.
- Proactive patch management: Patches are applied promptly to our IT environment and products to minimize vulnerabilities and reduce the risk of exploitation by cyber attackers.
- Vulnerability management: Our team actively monitors and tests for vulnerabilities within our IT environment and products, ensuring swift resolution of identified issues to maintain system integrity.
- Incident response preparedness: A defined incident response process, supported by a dedicated team, is in place to provide rapid support and resolution in the event of a security incident, ensuring continuity of operations.
- Strategic partnerships: We select partners who meet high security standards, enhancing the overall security posture of our ecosystem through collaborative efforts.
The remainder of this document provides a detailed overview of the various components of our security program, underscoring our systematic approach to delivering a secure and reliable platform for our customers.
Organizational security
Our security approach aligns with best practices outlined in recognized standards such as ISO 27001. We are committed to continuously expanding our security program, with formal certification as a future objective.
Security governance
Lumiform maintains a comprehensive set of policies and procedures that define our security approach. These documents are shared with all employees and reviewed and updated annually or more frequently if significant changes are required, ensuring our security practices evolve with emerging threats.
Accountability and transparency are integral to our security governance. Lumiform stakeholders regularly convene to discuss security-related matters and make informed decisions that shape our cybersecurity strategy.
Access to internal systems and cloud platforms
Access to our IT systems and cloud platforms is restricted to employees who require it for their roles. We regularly review access authorizations to ensure compliance with our security policies.
Administrator access requires multi-factor authentication, and employees must use an approved VPN solution for secure connectivity. Our offboarding process ensures that departing employees’ access to systems and services is promptly revoked, maintaining strict control over data access.
Third-party security
We conduct thorough reviews of the security practices of third parties we engage, both at the outset and on an ongoing basis, to ensure alignment with our high standards and compliance with our security policies and Privacy Policy. Access granted to third parties is limited to the specific purposes for which they are engaged.
As a critical vendor, AWS operates under a shared responsibility model for security and compliance, clearly defining roles and responsibilities. AWS complies with numerous industry standards. We partner with Chargebee for financial transactions, adhering to the Payment Card Industry Data Security Standard (PCI-DSS).
Network security
Our cloud-based platforms primarily utilize Amazon Web Services (AWS), which implements a layered security strategy to protect against external attacks. Techniques such as network device access controls and data segregation with firewalls and virtual private clouds are employed to filter out malicious traffic. AWS services, including Web Application Firewall and AWS Shield, safeguard our products against web-based and denial-of-service attacks.
Logging and monitoring
Lumiform employs a centralized logging system for application access logs, which our technicians review. Logs are retained for 90 days and include Amazon ELB logs to track service access requests. These records, stored in AWS, are immutable, and access is restricted to the personnel who need it. Regular log reviews are conducted to detect malicious activity and identify potential vulnerabilities.
Security awareness training
All Lumiform employees participate in annual security awareness training tailored to technical and non-technical roles. Training materials are customized for individual employees to address specific security challenges relevant to their positions.
Patching and vulnerability management
Addressing security vulnerabilities is a priority, and patching our IT environment is a fundamental measure. We use AWS Systems Manager to deploy patches to our cloud infrastructure. We are implementing a device management solution for our internal IT infrastructure to ensure timely and efficient patch installation. Patches for critical vulnerabilities are prioritized and are first tested in our non-production environment.
Protection of customer data
Lumiform prioritizes the security of customer data through comprehensive measures designed to prevent unauthorized access and ensure data integrity.
Restriction of access to data
Customer data is securely stored in our production environment, with access strictly limited to employees whose roles require it. To manage data access, we employ access control and authentication tools, including two-factor authentication provided by Amazon Web Services and other cloud partners.
Employees access data solely for purposes aligned with contracted services, such as resolving technical support requests. For detailed information, please refer to Lumiform’s Privacy Policy. In some instances, support or development staff may need to access a complete client dataset; in such cases, customer permission is obtained before access.
We do not store or cache customer financial data used for billing on the Lumiform platform, and our employees do not have direct access to this data.
Physical access to customer data
Customer data is hosted on Amazon Web Services infrastructure, which adheres to industry best practices for physical security as detailed in AWS’s security whitepaper. No customer data is stored at our physical office locations; all data resides in the AWS Region Europe (Frankfurt).
Encryption of data
Lumiform employs robust encryption strategies to protect customer data at rest and in transit. Data at rest is encrypted using AES-256, with key management handled by AWS's Key Management Service. Data in transit is protected by Transport Layer Security (TLS): the minimum accepted version is TLS v1.2 with 128-bit cipher keys, and connections with up to 256-bit AES cipher keys are supported.
Backups of data
Data is continuously backed up using Amazon Web Services’ storage solutions, with customer data encrypted. Back-up access is restricted to specific Lumiform employees whose job responsibilities require it.
Deletion and destruction of data
Customer data stored with Amazon Web Services follows AWS's deletion and disposal procedures, including secure logical deletion of retired media. Deleted media is inspected to confirm successful data destruction. Lumiform hardware containing confidential data undergoes industry-standard logical destruction before recycling. Where feasible, we prefer digital data storage encrypted with AES-256 GCM over physical media.
Safeguarding our product
Security and transparency are fundamental to developing and operating the Lumiform app, ensuring a reliable and secure user experience.
Practices for secure software development
Our product development process includes rigorous code reviews focusing on security before any changes are integrated into the live environment. We maintain separate test, development, and production environments to enhance security and stability.
Change control
Updates and changes to the Lumiform product undergo thorough testing during development to minimize potential impacts on end-users. We utilize change tracking and version control systems to monitor and manage changes to our codebase effectively.
Identification of vulnerabilities and development of patches
Proactive identification and management of vulnerabilities are crucial to maintaining product security. Lumiform actively monitors and tests applications for security vulnerabilities.
When a vulnerability is identified, it is internally tracked and prioritized based on the potential impact on customer data. The remediation timeline is determined by severity and may require our developers to work intensively until a resolution is achieved.
Patches for identified vulnerabilities are developed and deployed into the production environment through continuous integration. For patches that may affect end users, we provide notifications and establish a service window for deployment to ensure minimal disruption.
Dealing with security incidents
While we strive to prevent security incidents, preparedness is critical to minimizing their impact on our customers and Lumiform. We have implemented several measures to ensure effective incident management:
- Incident management procedure: We have a defined and documented process for addressing incidents that may affect the confidentiality, integrity, or availability of our IT environment and applications.
- Dedicated response team: A specialized team of Lumiform employees provides support during security incidents, ensuring a coordinated and effective response.
- Disaster recovery and contingency planning: We have established disaster recovery plans and additional contingency strategies to maintain business continuity during incidents.
In the event of a material incident affecting the accessibility of Lumiform services or the confidentiality and integrity of user data, we will promptly notify affected customers in accordance with Lumiform's Privacy Policy. For more details, please refer to our Privacy Policy.
Final considerations
Cybersecurity is integral to Lumiform’s operations and the products we offer globally. The controls and measures outlined in this document provide a general overview of our multi-layered security approach. Our commitment to security extends beyond these measures, ensuring comprehensive protection for our customers.
For questions about this document or further information on our security practices and products, don’t hesitate to get in touch with us:
The data controller
Lumiform GmbH
Torstraße 201
10115 Berlin
Phone: +49 30 3119 7191
Email: privacy@lumiformapp.com
Data protection officer
Sebastian Schenk, working for Simply Legal GmbH
Burkarderstraße 36
97082 Würzburg
Email: info@dieter-datenschutz.de
Phone: +49 931 90 87 95 20