Security Policy

Last Updated: January 1, 2025

Lumify AI, Inc. ("Lumify," "we," or "us") is committed to maintaining a secure, reliable, and resilient platform for all customers. Lumify is an early-stage SaaS provider and has not yet undergone a SOC 2 audit, but our security program is intentionally designed to align with SOC 2, ISO 27001, and NIST CSF principles. This policy describes the controls, practices, and safeguards we maintain to protect customer data and ensure the secure operation of our platform.

Lumify's infrastructure is hosted on Google Cloud Platform (GCP), and all public-facing traffic is routed through Cloudflare, our global edge security provider.

1. Security Program Overview

Lumify's security program is designed to:

  • Protect the confidentiality, integrity, and availability of customer data
  • Prevent, detect, and respond to security threats
  • Reduce operational risk
  • Support customer trust as Lumify scales

We employ administrative, technical, and physical controls aligned with industry-leading standards, even though Lumify has not yet completed SOC 2 certification.

2. Roles & Responsibilities

  • Leadership oversees security strategy, governance, and resource allocation.
  • Engineering & DevOps implement secure coding, infrastructure hardening, and system monitoring.
  • All personnel follow Lumify's security and confidentiality requirements and undergo training.
  • Access to systems and data is strictly limited to those with a legitimate business purpose.

3. Infrastructure Security (GCP)

Lumify's core infrastructure is hosted on Google Cloud Platform (GCP), leveraging:

  • Hardened physical security at Google data centers
  • Strong IAM controls
  • Network isolation via VPCs
  • Redundant compute, storage, and networking
  • GCP-managed encryption (AES-256)
  • Continuous patching and vulnerability management

Lumify configures all cloud services using secure defaults and applies least-privilege access.

4. Edge Security & DDoS Protection (Cloudflare)

Lumify uses Cloudflare as its primary edge security and traffic protection layer. Cloudflare provides:

  • Global Anycast DDoS mitigation
  • Web Application Firewall (WAF)
  • Bot management and filtering
  • Rate limiting and abuse detection
  • TLS termination and certificate management
  • Edge caching and performance optimization

This layered approach, with Cloudflare at the edge in front of GCP compute, provides defense in depth against both volumetric and application-level attacks.

5. Data Security & Privacy

5.1 Data We Collect

Lumify does not collect or store personally identifiable information (PII). If personal information is ever provided during troubleshooting or customer support, it is used solely to resolve technical issues and never for analytics, marketing, or resale.

5.2 Data Handling

  • Customer data is processed only to deliver the Service.
  • Access is limited to authorized personnel with a legitimate business need.
  • Customer data is not used for advertising, profiling, or unrelated purposes.

5.3 Encryption

  • In Transit: TLS 1.2+
  • At Rest: GCP-managed encryption keys (AES-256)

6. Application Security

Lumify's secure software development lifecycle includes:

  • Mandatory code review
  • Automated dependency and vulnerability scanning
  • Use of modern frameworks resistant to common attack vectors
  • Secrets stored in GCP Secret Manager
  • CI/CD pipelines with controlled access and limited blast radius

OWASP Top 10 risks are actively mitigated through ongoing engineering practices.

7. Access Control & Authentication

  • Role-based access control (RBAC) using GCP IAM
  • Administrative access requires multi-factor authentication (MFA)
  • Production access is restricted to essential engineering personnel
  • Endpoint security required for all employee devices (OS updates, disk encryption, strong passwords, etc.)

8. Network Security

Lumify maintains a layered network security model:

Cloudflare (Primary Security Layer)

  • DDoS protection
  • WAF
  • Bot mitigation
  • IP reputation filtering
  • Threat intelligence feeds
  • Rate limiting

GCP Network Controls

  • VPC isolation
  • Firewall rules
  • Private service networking
  • Internal-only communication for sensitive components

Logs and metrics are continuously monitored for suspicious activity.

9. Logging, Monitoring & Alerting

Lumify uses GCP-native and third-party tools to:

  • Log authentication events, system changes, and API traffic
  • Alert on anomalies, suspicious behavior, or attempted intrusions
  • Maintain audit trails for admin access
  • Monitor performance, availability, and error rates

Logs are stored securely with limited access.

10. Vulnerability & Patch Management

Lumify's process includes:

  • Continuous vulnerability scanning
  • Regular dependency and library updates
  • Prioritized remediation based on severity and risk
  • Automated patching for OS and cloud components where possible

11. Incident Response

Lumify maintains an Incident Response Plan (IRP) covering:

  • Incident classification
  • Containment and remediation
  • Customer notification (when applicable)
  • Root cause analysis
  • Continuous improvement

All incidents impacting customer data or platform integrity are handled with urgency.

12. Business Continuity & Disaster Recovery

Lumify leverages GCP's resilient infrastructure to maintain continuity:

  • Multi-zone deployment
  • Automated failover
  • Frequent system backups
  • Documented disaster recovery plans

Procedures are reviewed regularly.

13. Third-Party Vendors & Subprocessors

Lumify reviews third-party providers for:

  • Security posture
  • Compliance certifications
  • Data handling practices
  • Minimal access principles

Only vendors essential for operating the Service are used. A subprocessors list will be published as Lumify grows.

14. Employee Security Practices

  • Background checks where permitted
  • Annual security awareness training
  • Confidentiality and acceptable use requirements
  • Device-level security controls (patching, encryption, MFA)
  • Restriction of access based on role and need

15. Customer Responsibilities

Customers are responsible for:

  • Securing their Lumify access credentials
  • Setting and managing their internal access controls
  • Ensuring no regulated or sensitive data (PHI, financial data, government IDs, etc.) is transmitted into Lumify
  • Maintaining compliance with their own industry regulations

16. Contact Information

Questions regarding this Security Policy may be directed to:
📩 security@lumify.ai

© 2025 Lumify. All rights reserved.