At Luminate we understand how important the security and the confidentiality of information are to our customers.
Our solution, built by a team of security veterans drawn from both an enterprise IT security market leader, Check Point Software Technologies, and world-renowned military technology units, goes above and beyond to support and protect our customers, their applications and their data.
In addition to implementing meticulous internal processes to ensure that our operations, software and infrastructure follow the industry's strictest best practices, we submit our platform to external audits, evaluations and certifications. Our platform today holds a SOC 2 Type II report, is certified against the ISO 27001 standard, and complies with PCI DSS (Payment Card Industry Data Security Standard) and with the HIPAA (Health Insurance Portability and Accountability Act) Security Rule (via a combined SOC 2 Type II + HIPAA report). As part of our extensive partnership with Amazon Web Services, we have subjected our solution to reviews by AWS Solutions Architects to conform with the AWS Well-Architected Framework.
Additionally, we have made a very significant effort to comply with the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The information below outlines the efforts that have been taken and the control mechanisms that have been introduced. Please refer to the relevant sections below for a list of specific steps taken to comply with these regulatory frameworks.
This document describes the steps we take to deliver outstanding service security to our customers, starting with the meticulous selection and training of our personnel, the use of cutting-edge technologies, security-oriented organizational processes, and various external audits and certifications.
Personnel Selection and Training
Security-oriented software products and services start with the proper state of mind of the engineering team. All of our engineers, team leaders and software architects have extensive training in, and hands-on experience applying, secure coding practices.
Every engineer hired by the organization undergoes a number of professional interviews and tests, including a hands-on software development assignment. Each assignment is analyzed by our software architects, followed by a debriefing with the candidate that covers the security aspects of the submitted code.
In our R&D organization, each development platform or programming language has a dedicated "security owner" who, as part of his/her daily duties, stays up to date with the latest security best practices for that platform, actively participates in development forums and collects relevant materials. That owner is responsible for educating the development teams on the latest updates in the field and for reviewing every change to the product modules from a security perspective.
Research and Development Processes
We employ strict development processes and coding standards to ensure that both adhere to security best practices. In addition, our testing platform runs a set of black-box and white-box tests for quality assurance, including ongoing penetration tests.
R&D processes are implemented and supported with security as the first priority across all system layers, from the physical layer up to the application layer.
Technology and Software Architecture
Our software components are built as isolated micro-services and use industry-leading commercial and open-source software libraries.
Every micro-service runs inside a well-defined Docker container that grants it only the specific level of access it needs to selected controllers. We use Docker images so that instances are rebuilt from a known image rather than modified in place, which avoids the erroneous instance-configuration changes, botched upgrades and corruption that are common sources of security breaches. Additionally, we harden the operating system within each container and apply network access controls to it.
We take the necessary precautions to ensure that every layer involved in data transfer is secured by best-of-breed technologies. Our network is segmented using the mechanisms provided by the cloud infrastructure vendors, supplemented by additional custom measures. In addition, our threat-control center receives security alerts that are analyzed and addressed in real time. Through in-depth network monitoring, we are able to detect anomalies and take a proactive approach to eliminating potential breaches.
Physical Data Centers Security
Our solution relies on the Amazon Web Services and Microsoft Azure cloud infrastructures. Both vendors are known for their exceptionally flexible and secure architectures, and comply with the strictest international standards for the physical security, reliability and software security of their offerings.
The availability and durability of customers' data is provided by our deployment, which spans multiple availability zones in several regions of both cloud infrastructure providers.
All data centers that run our solution are secured and monitored 24/7, with physical access to facilities strictly limited to selected cloud vendor staff.
Well-defined organizational processes ensure the security of our operations throughout the various stages of interaction with our service. The table below summarizes the key processes and the function that owns each:

| Process | Owning function |
|---|---|
| Code security test for engineering candidates | Hiring / Training |
| Code security presentations and trainings | R&D |
| Security updates to 3rd-party libraries and components | R&D |
| Security review for new features | R&D |
| Security review for infrastructure | Operations |
| External security review of the solution and the infrastructure | Operations |
| Internal penetration testing | Operations |
| External penetration testing | Operations |
| Service Organization Controls (SOC) attestation | Operations |
| Response to questions and issues raised by customers | Operations |
External Audits and Certifications
As mentioned above, our solution is periodically subjected to external audits and certifications carried out by accredited third parties. All reports, including our internal response plans and commitments, are available to our customers upon request.
Compliance with GDPR and additional Privacy Frameworks
We constantly revisit our privacy practices to make sure that our service remains compliant with the strictest industry and regulatory requirements related to data privacy. In particular, we have taken explicit steps to update our policies, internal processes and legal practices to comply with the General Data Protection Regulation (GDPR). The following list outlines some of the steps we have taken:
- We have reviewed all the information we collect and reduced it to the absolute minimum required to provide our service to our customers. We explicitly state which information we collect and under what circumstances.
- As a Data Processor under the definitions of the regulation, we performed rigorous due diligence on all sub-processors we use and have negotiated and signed a Data Processing Addendum with each and every one of them, ensuring that the responsibilities we have taken upon ourselves are delivered by our sub-processors as well.
- We offer all our customers and partners our own Data Processing Addendum, which outlines our responsibilities and the way we deliver on them.
- We have completed the implementation and attestation of privacy controls in our internal processes, as validated under the AT-C 205 (formerly AT 101) audit standard and reported in the Privacy section of our SOC 2 Type II reports.
Please feel free to contact us with any questions, suggestions or concerns about any of the points outlined above at: [email protected]