Security Practice

Lumeer is the high quality collaborative work management platform helping organizations around the globe align work with the most important business objectives, create new efficiencies, and drive results.

We are dedicated to making Lumeer the most secure and reliable work management platform on the market. We are committed to protecting your personal and company data, and ensuring secure collaboration within our platform, which is why we continue to invest in the security of our services to not only meet, but exceed industry standards.

Security has always been a top priority and we have relentlessly pursued a robust and mature security strategy since the day the company was founded in 2017. Below is an overview of Lumeer’s security strategy, which takes a comprehensive approach across five key categories: physical, network, system, application, and people.

Physical security

Global Presence

Lumeer hosts its mission-critical servers in dedicated cages within data centers located in the US and EU.

Our data centers are ISO 27001, SOC1, and SOC2 compliant. The facilities feature 24/7 manned security, fully redundant power backup systems, physical access controls, biometric authentication systems, extensive seismic bracing, the latest in early-detection smoke and fire alarms, and digital surveillance systems. All server and network components are continuously monitored by internal Lumeer staff and by the colocation providers.

Lumeer’s Disaster Recovery infrastructure resides in DigitalOcean’s Cloud Platform, which provides scalability and is ISO 27001 and PCI DSS compliant.

Access to each system, network device, and application is limited to authorized personnel, and login details in the event logs are reviewed on a continual basis.

Uptime Over 99.9%

Over years of continuous service, Lumeer has consistently met or exceeded a 99.9% uptime, ensuring customers can access their data and projects when needed without interruption. If Lumeer is temporarily unavailable due to technical reasons or scheduled maintenance, you are always informed in advance.

Continuous Data Backup

Lumeer’s data backup model provides near real-time database replication to ensure customer data is both backed up and available on redundant and geographically dispersed servers. Full backup is performed on an hourly basis and is stored encrypted in an environment physically separated from the primary servers to ensure fault tolerance.

Network and System Security

Tenable Network Security Infrastructure

Lumeer uses industry-standard network protection measures, including network segregation using VLANs, firewall and router technologies, intrusion detection and prevention systems, centralized log aggregation, and alerting. These measures are used in conjunction with secure connectivity, including secure channels and multi-factor authentication for authorized systems operations personnel. This allows us to prevent, detect, and promptly remediate the impact of malicious traffic and network attacks.

Regular Updates and Patch Management

Ongoing internal network security audits and scanning give us an overview that allows quick identification of affected systems and services. According to our in-house patch management policy, operating systems, software, frameworks, and libraries used in Lumeer’s infrastructure are regularly updated to the latest versions. Whenever a vulnerability in a product used by Lumeer, or any high or critical vulnerability, is publicly reported, we take prompt action to mitigate potential risks for our customers: we apply hotfixes and patches as soon as they are available and/or implement proactive mechanisms such as firewall or IDS/IPS configuration.

System Integrity Protection

Lumeer uses operating system-based and custom integrity check services to ensure the integrity of all critical files and system objects. A quick response to any potential unauthorized changes to the system helps ensure our customers are using Lumeer-approved application services.

Application Security

Application Security Process

An in-depth Application Security Lifecycle process is fully integrated into Lumeer’s Software Development Lifecycle (SDLC), including:

  • defined in-house security requirements, policies, and industry security best practices applied in every stage of the lifecycle;
  • ongoing security review of architectures, design features, and solutions;
  • iterative manual and automated (using static code analyzers) source code review for security weaknesses, vulnerabilities, and code quality, plus development team advisory and guidance;
  • regular manual assessment and dynamic scanning of pre-production environment;
  • security trainings conducted for IT teams according to their respective job roles.

User Authentication

Each user in Lumeer has a unique, password-protected account with a verified email address. The password is validated against password policies and stored securely using a strong hashing algorithm with a unique salt for every password. 2-Factor Authentication is available as an additional security measure to protect Lumeer accounts. Lumeer also supports multiple methods of federated authentication, including Google Open ID, GitHub ID, OAuth, and SAML2 to conveniently and securely gain access to a Lumeer account leveraging corporate credentials. Lumeer also offers advanced security settings that allow customers to manage Network Access Policy and Password Policy.

The Lumeer Support Team is always happy to assist you with any Lumeer-related issues. If troubleshooting or verifying an issue requires support to access your account, that access can be granted only by you. This is enabled by a system-generated security token that you provide to our support team, allowing support to delve deeper into solving your problem for a limited amount of time. This systemic approach ensures additional confidentiality for your data stored in Lumeer. This feature is enabled only for enterprise level accounts.
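The support-access model above rests on a customer-generated token that is bound to the account and valid only for a limited time. The following added example (not Lumeer’s implementation; the token format, claim names, key and four-hour window are assumptions) shows one way a server can issue and validate such a grant: the account id and expiry are authenticated with an HMAC under a server-side key, and validation checks the MAC first, then the expiry, then that the token belongs to the account the support engineer is trying to open.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for this example; a real service would load it from a secret store.
SERVER_KEY = b"example-only-key-do-not-use-in-production"
DEFAULT_TTL_SECONDS = 4 * 3600  # assumed grant window


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_support_token(account_id: str, now: int, ttl: int = DEFAULT_TTL_SECONDS) -> str:
    """Called when the customer chooses to grant support access.

    The payload names the account and the absolute expiry; the MAC prevents
    anyone without SERVER_KEY from changing either field.
    """
    claims = {"acct": account_id, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def validate_support_token(token: str, account_id: str, now: int) -> tuple:
    """Return (ok, reason). The MAC is checked before any claim is trusted."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return False, "expired"
    if claims["acct"] != account_id:
        return False, "wrong account"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed "current time" for the demo
    tok = issue_support_token("acct-123", t0)
    print(tok)
    print(validate_support_token(tok, "acct-123", t0 + 60))
    print(validate_support_token(tok, "acct-123", t0 + DEFAULT_TTL_SECONDS))
```

Because the expiry is inside the authenticated payload, neither the customer nor a support engineer can extend a grant after the fact; a new token must be issued by the customer. Logging each validation result (including the failure reason) is what lets the account activity report described later on this page show who opened the account and when.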

Data Sharing and Role-Based Access Control

A Lumeer account administrator manages and controls individual user rights by granting specific types of user licenses. Details about various user licenses, roles, and authorization controls in Lumeer are documented in Terms of Service.

Customer data, including tables and records, can only be accessed by other users within your Lumeer account if those items were specifically shared with them, or if the items were placed in shared folders.

Lumeer offers a flexible data access control setup: administrators can configure Customized Access Roles to specify user or group access levels for certain tables, records, and views. Selective sharing can be enabled so that records do not inherit the default sharing settings, giving finer access control over a specific subset of records in a single table. Lumeer’s Access Reports allow administrators to holistically review user access to sensitive data.

Monitoring User Activities

Lumeer enables customers to get a report with up-to-date account activity information, including authentication events, changes in authorization and access controls, shared folders and tasks, and other security activities. However, this feature is enabled only for enterprise level accounts.

Data Encryption

Lumeer uses Transport Layer Security (TLS) 1.2, with AES-256 in CBC mode as the preferred cipher and a 2048-bit server key, with modern browsers. When you access Lumeer via web browser, mobile applications, email add-in, or browser extension, TLS protects your information using both server authentication and data encryption. This is equivalent to the network security methods used by banks and leading e-commerce sites.

All users’ passwords, cookies, and sensitive information are reliably protected from eavesdropping. User files uploaded to Lumeer servers via both web application and API are automatically encrypted with AES 256 using per-file keys. All user data is encrypted at several layers – at the database level, at the level of the virtual machine file system, and at the level of the physical file system.

If someone were to gain physical access to the file storage, this data would be encrypted and impossible to read directly. These encryption keys are stored in a secure key vault, which is a separate database decoupled from the file storage layer. In addition, all Lumeer workstations and servers are encrypted at rest using file system encryption where AES 256-bit is used.

People

Processes

Designing and running datacenter infrastructure requires not only technology, but also a disciplined approach to processes. This includes policies about escalation, management, knowledge sharing, risk management, and day-to-day operations. Lumeer’s security and operations teams have years of experience designing and operating data centers, and we continually improve our processes over time. Lumeer has also developed best-in-class practices for managing security and data protection risk. All of these elements are essential parts of Lumeer’s security culture.

Need-to-Know and Least Privilege

Only a limited set of employees have access to our datacenter and the data stored in our databases. There are strict security policies for employee access, all security events are logged and monitored, and our authentication methods and data are strictly regulated. Access to production requires establishing a VPN channel, multi-factor authentication, a one-time password, and a personal certificate.

We limit access to customer data to employees with a job-related need, and require all these staff members to sign a confidentiality agreement. Accessing customer data is only done on an as-needed basis, and only when approved by the customer (i.e. as part of a support incident) via a support token, or under authorization from senior management and security for the purposes of providing support, maintenance, or improving service quality.

Enterprise Grade Security

If you have any security questions and concerns, please contact our security team, and they will provide you with additional security artefacts confirming our security maturity.