Overview of our Security Controls
All our data is encrypted in transit and at rest; we retain access logs and runtime logs of all our systems and processes; we do not store payment information, as this is handled by Stripe; we run our system on AWS and use various AWS services such as Inspector and GuardDuty for scanning; we have annual pentesting performed by a third party; we have access control policies that allow access to production data only to employees who require it; our employees undergo periodic security and awareness training.
If you have any questions on our security policies, pentesting reports, or any other security-related questions, please contact firstname.lastname@example.org.
SOC 2 Certification
Lumo has successfully completed its SOC 2 Type 2 audit. SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 audit reports focus on a Service Organization’s non-financial reporting controls as they relate to Security of the system. The audit was conducted by Dansa D’Arata Soucia LLP (www.darata.com). In doing so, Lumo maintains its adherence to one of the most stringent, industry-accepted auditing standards for service companies and provides additional assurance to its clients, through an independent auditor, that its business process, information technology and risk management controls are properly designed.
The official audit report provides a thorough review of Lumo's internal controls, policies, and processes for our flight information services. It also reviews Lumo's processes relating to risk management and subservice (vendor) due diligence, as well as Lumo's entire IT infrastructure, software development life cycle, change management, logical security, network security, physical & environmental security, and computer operations.
If you would like to obtain a copy of our SOC 2 Type 2 report, please contact email@example.com.
Reporting a vulnerability
If you believe you have found a vulnerability in any one of our applications, we would very much appreciate it if you did not disclose it publicly but instead send an email to firstname.lastname@example.org. Please visit our vulnerability disclosure policy page for more info.