Security & Compliance
1. Product Security
We prioritize security and build it into every stage of our Software Development Life Cycle (SDLC), with measures such as security design reviews, threat analysis, static and dynamic application security testing, and container image scanning in every release cycle. We also perform host and network scanning, frequent penetration testing, and hardening of base images. Our vulnerability management program aims to find and remediate vulnerabilities in our code, continuously improve our product security, and give our customers assurance that their data is protected.
2. Data Security
Access Control & Management
We treat all customer data as confidential and apply strict controls and safeguards to it. We use Single Sign-On (SSO) to authenticate customers seamlessly and to keep user accounts secure. Customers can use Role-Based Access Control to grant fine-grained authorizations to their users. Development and production environments are kept separate; customer data is never used in the development environment and is never downloaded from the production environment.
Data Safeguarding
We back up customer data daily in encrypted form so that it can be recovered. We follow a strict data retention policy and securely erase data at the end of the retention period.
Data Encryption
All communications are encrypted using industry-standard HTTPS with TLS 1.2 or higher, so all traffic in transit between the customer and us is encrypted. All data at rest is encrypted with AES-256 or stronger.
3. Physical Security
Our production infrastructure is cloud-hosted within a service provider’s environment. The cloud provider manages physical and environmental security controls for our production servers.
4. Corporate Security
Our management team is responsible for implementing and running our information security program. We use a third-party security monitoring tool to continuously monitor our controls. We have established a security awareness training program that all staff complete regularly, integrating security into both technical and non-technical roles. We maintain a comprehensive Business Continuity & Disaster Recovery program and test our business continuity and disaster recovery plans annually.
5. Compliance
We take information security management very seriously and regularly conduct penetration testing and security audits.
SOC 2 Type II
Our SOC 2 Type II report, audited annually, covers the trust services categories of security, confidentiality, and availability. The report is available for review by existing customers and prospective clients upon request. Because the report is confidential, a signed NDA is required before it can be reviewed.
ISO/IEC 27001:2022
This certification confirms that Lumenova AI operates an Information Security Management System (ISMS) that conforms to the requirements of ISO/IEC 27001:2022. The scope of Lumenova AI's ISMS covers the assets, technologies, and processes involved in the secure development, operation, and maintenance of the Lumenova Responsible AI Platform.
The certificate is available for review by existing customers and prospective clients upon request.