Security Policy
Last updated: January 1, 2025
Overview
At Lumiotech (“we,” “us,” or “our”), security is fundamental to everything we do. Our Sentry platform is built with advanced security measures to protect sensitive information and ensure the highest levels of data protection for our clients. This Security Policy outlines our holistic approach to safeguarding data, infrastructure, and operational processes.
Infrastructure Security
We maintain a secure, resilient infrastructure designed to support the stringent security requirements of government and defense agencies:
- Encryption in Transit: All traffic between client devices and our servers is encrypted on the network using TLS, protecting it against interception and tampering. (Traffic is decrypted on our servers for processing, so this is transport encryption rather than end-to-end encryption in the strict sense.)
- Multi-Layer DDoS Protection: Our infrastructure includes DDoS mitigation and traffic filtering to reduce the risk of service disruption from volumetric and application-layer attacks.
- 24/7 Infrastructure Monitoring: We employ real-time monitoring tools and security sensors to quickly detect and respond to potential threats.
- Regular Security Audits and Penetration Testing: Internal and external testing is conducted to identify and address any vulnerabilities promptly.
- Secure, Redundant Data Centers: Our hosting facilities incorporate physical security measures such as biometrics, surveillance, and secured access points.
- Real-Time Threat Intelligence and Response: We leverage global threat intelligence feeds to proactively identify and neutralize emerging threats.
Data Protection
Protecting our clients’ data is our top priority. We employ industry-leading data security measures, including:
- AES-256 Encryption at Rest: Sensitive data is encrypted on our servers and in databases to prevent unauthorized access.
- TLS 1.3 for Data in Transit: Our servers use the current version of the Transport Layer Security protocol (TLS 1.3) to protect data traveling between user devices and our systems.
- Secure Key Management Systems: Encryption keys are managed using Hardware Security Modules (HSMs) or equivalent secure key management solutions.
- Regular Data Backups: We perform automated, secure backups stored in geographically separate locations for redundancy.
- Strict Data Access Controls: Only authorized personnel can access sensitive information, and all access is logged and monitored.
- Secure Data Disposal Protocols: When data is no longer needed, it is securely destroyed in compliance with industry and regulatory standards.
Access Control
Access control is central to our security strategy, preventing unauthorized access to sensitive resources:
- Multi-Factor Authentication (MFA): All administrative and privileged accounts require MFA to enhance login security.
- Role-Based Access Control (RBAC): Permissions are granted based on job role and operational necessity, reducing the risk of excessive access privileges.
- IP Whitelisting: Critical administrative portals can be restricted to specific IP addresses or networks.
- Regular Access Reviews: We periodically review user privileges to ensure compliance with the principle of least privilege.
- Automated Session Management: Sessions automatically expire after a period of inactivity, minimizing the risk of unauthorized access.
- Detailed Access Logging: All login attempts and access events are logged and subject to continuous monitoring.
Compliance & Certifications
We adhere to recognized global security and privacy standards to ensure ongoing compliance and uphold customer trust:
- ISO 27001 certified for our Information Security Management System
- SOC 2 Type II compliant, demonstrating our commitment to security, availability, and confidentiality
- GDPR compliant for handling personal data of EU residents
- Periodic external compliance audits and internal self-assessments
- Alignment with industry-standard security frameworks such as NIST and CIS
Incident Response
Our incident response program is designed to detect, contain, and remediate security incidents swiftly:
- 24/7 Security Incident Response: Our dedicated team is on standby to investigate alerts and coordinate response measures.
- Automated Threat Detection: We use SIEM (Security Information and Event Management) tooling to correlate events from our systems and flag anomalies in real time.
- Regular Incident Response Drills: We conduct tabletop exercises and simulations to prepare for a range of potential security events.
- Comprehensive Incident Documentation: All incidents are meticulously documented for post-incident analysis and continuous improvement.
- Client Notification Protocols: If an incident potentially affects client data, we promptly notify affected clients per contractual and legal obligations.
Contact Our Security Team
If you have questions regarding our security measures or would like to report a potential security vulnerability, please contact our security team:
[email protected]