Enterprise Security

Comprehensive overview of Luma's security practices and infrastructure for enterprise customers

Executive Summary

Luma is committed to maintaining strong security and data protection practices for our enterprise customers. Our security program is designed to protect event data, attendee information, and organizational assets while enabling seamless event management and collaboration.

This document provides an overview of our security practices, infrastructure, and controls for security teams, compliance officers, and decision-makers evaluating Luma for enterprise deployment. For information about Enterprise plan features including SSO and dedicated support, see our Enterprise Overview.

Security Governance & Compliance

Regulatory Compliance

Luma aligns its practices with major data protection regulations:

  • GDPR (General Data Protection Regulation): Practices aligned with EU data protection requirements, including support for data subject rights, privacy by design, and cross-border transfer mechanisms
  • CCPA (California Consumer Privacy Act): Practices aligned with California privacy requirements, including support for consumer rights to access, delete, and opt-out of certain data uses
  • Data Processing Agreements: Available for enterprise customers at luma.com/dpa

Security Policies

Our security program includes:

  • Security policies and procedures covering data protection
  • Incident response procedures with defined roles
  • Regular policy reviews to address emerging threats
  • Security training for all team members

Infrastructure & Network Security

Cloud Infrastructure

Luma leverages Amazon Web Services (AWS) for reliable and secure infrastructure:

  • Enterprise-grade cloud hosting with global availability
  • AWS security best practices and shared responsibility model
  • Regular infrastructure updates and patches
  • Automated scaling to handle traffic spikes during large events

Network Security

  • Network segmentation to isolate application tiers
  • Private subnets for database and application servers
  • Secure VPC configurations with controlled access
  • Cloudflare integration for DDoS mitigation and Web Application Firewall (WAF)
  • Rate limiting to prevent abuse

Physical Security

AWS data centers provide physical security monitoring, biometric access controls, and environmental controls, and maintain SOC 2 / ISO 27001 certifications.

Data Protection & Encryption

Encryption Standards

All sensitive data is protected using industry-standard encryption:

  • At Rest: AES-256 encryption for all stored data, including databases, file storage, and backups
  • In Transit: TLS 1.2+ for all data transmission, with TLS 1.3 support
  • Key Management: Secure key storage and rotation using AWS KMS
  • Database Encryption: Transparent data encryption for all database instances

Data Backup and Recovery

  • Automated daily backups with point-in-time recovery
  • Geographically distributed backup storage
  • Documented recovery procedures

Data Retention and Deletion

  • Data retention policies aligned with legal requirements
  • Automated data purging based on retention schedules
  • Secure data deletion procedures
  • Customer-initiated data deletion capabilities
  • Right to erasure support for GDPR compliance

Application Security

Secure Development

Our development process incorporates security best practices:

  • Mandatory code reviews for all changes
  • Automated security testing and dependency scanning
  • Timely application of security patches
  • Responsible disclosure program for security researchers

Security Controls

We implement protections against common vulnerabilities including:

  • Input validation and parameterized queries to prevent injection
  • Secure authentication and session management
  • XSS protection through output encoding and CSP headers
  • CSRF tokens for state-changing operations

API Security

  • OAuth 2.0 and API key authentication
  • Rate limiting per endpoint and per user
  • Comprehensive API logging

Access Control & Identity Management

Employee Access

  • Principle of least privilege for all access grants
  • Multi-factor authentication (MFA) required for all employee accounts
  • Separation of development and production environments
  • Privileged actions logged and monitored

Customer Identity Management

  • Support for enterprise SSO via SAML 2.0 and OAuth 2.0
  • Integration with major identity providers (Okta, Google Workspace, etc.)
  • Flexible role-based access control (RBAC) for team management
  • Granular permissions for calendar and event management
  • Audit logging of authentication and authorization events

User Data Security

Payment Security

  • Payments handled by Stripe (PCI DSS Level 1)
  • No credit card data stored in Luma systems
  • Tokenization for all payment processing
  • Secure checkout process with fraud detection
  • Support for 3D Secure authentication
  • Encrypted payment receipts and invoices

File Upload Security

  • File type validation and restrictions
  • Size limits to prevent resource exhaustion
  • Secure CDN delivery with signed URLs
  • Image processing in isolated environments

Registration and Check-in Security

  • Unique ticket codes with cryptographic validation
  • Mobile app security for check-in operations
  • Duplicate registration prevention
  • Waitlist management with secure approval workflows

Monitoring & Incident Response

Security Monitoring

  • Automated monitoring and alerting for security events
  • Centralized logging of system activities
  • Performance and availability monitoring

Incident Response

  • Documented incident response plan with defined roles
  • Incident classification and severity levels
  • Timely customer notification consistent with legal obligations
  • Coordination with law enforcement when required
  • Post-incident reviews and lessons learned

Vendor & Third-Party Security

We partner with industry-leading providers:

  • AWS: Cloud infrastructure and hosting
  • Stripe: Payment processing (PCI DSS Level 1)
  • Twilio: SMS and communication services
  • Cloudflare: CDN and DDoS protection

All vendors are evaluated for security practices, and we maintain:

  • Contractual security requirements for key vendors
  • Data processing agreements with subprocessors
  • List of subprocessors at luma.com/subprocessors
  • Automated dependency scanning for software vulnerabilities

Business Continuity & Availability

High Availability

Our infrastructure is designed for reliability:

  • High availability architecture with uptime SLAs available for enterprise plans
  • Load-balanced application servers
  • Database replication with automatic failover
  • Multiple availability zones for redundancy
  • Auto-scaling for traffic spikes
  • Planned maintenance windows with advance notice

Disaster Recovery

  • Documented disaster recovery procedures
  • Automated failover capabilities
  • Regular backups with geographic distribution

Privacy & Data Rights

Privacy by Design

  • Privacy considerations in all new features
  • Data minimization: collect only what is necessary
  • Purpose limitation: use data only for stated purposes
  • Privacy impact assessments for new processing
  • Default privacy settings favor user protection

Data Processing Agreements

  • Standard DPA available at luma.com/dpa
  • GDPR-compliant processing terms
  • Clear roles and responsibilities
  • Standard contractual clauses for international transfers
  • Customizable DPAs for enterprise requirements

User Rights Management

We support all data subject rights:

  • Access: Users can request their personal data
  • Rectification: Ability to correct inaccurate data
  • Deletion: Right to erasure ("right to be forgotten")
  • Portability: Export data in machine-readable format
  • Objection: Opt-out of certain processing activities
  • Restriction: Limit processing in certain circumstances

International Data Transfers

  • Monitoring evolving EU–US transfer frameworks
  • Standard contractual clauses for transfers
  • Adequate safeguards for all international transfers
  • Data localization options for enterprise customers

Data Minimization and Purpose Limitation

  • Clear purposes for all data collection
  • Regular review of data collection practices
  • Automatic data purging based on retention policies
  • Anonymous analytics where possible

Customer Security Features

Event Security Controls

  • Private events with password protection
  • Approval-required registration workflows
  • Guest list management and access controls
  • IP-based restrictions for sensitive events
  • Custom registration questions with data validation

Data Management Tools

  • Full guest data export in CSV/Excel formats
  • Bulk operations for guest management
  • Data retention controls per event
  • Automated data purging options
  • GDPR-compliant consent management

Privacy and Visibility Settings

  • Flexible event visibility (public, unlisted, private)
  • Attendee list visibility controls
  • Social sharing restrictions
  • Search engine indexing controls
  • Custom privacy policies per event

Custom Domain Security

  • SSL/TLS certificates for custom domains
  • Modern security headers (e.g., HSTS) where supported
  • Secure redirect handling
  • Domain verification process
  • DNS security best practices

API and Integration Security

  • Secure webhooks with signature verification
  • API rate limiting and quota management
  • OAuth 2.0 for third-party integrations
  • Zapier integration with secure authentication
  • Detailed API access logs

Security Training & Awareness

Employee Security

  • Security onboarding for all team members
  • Ongoing security awareness and training
  • Secure coding practices for developers
  • Email security protections including DMARC
  • Device encryption requirements
  • Remote work security guidelines

Contact & Additional Resources

Getting Started with Enterprise

To learn more about Luma Enterprise and access these security features:

Security Contacts

Documentation and Policies

Security Updates

  • Security bulletins via email for enterprise customers
  • Security blog posts and best practices

Security Assurance

  • Security questionnaire support for enterprise customers
  • Custom security assessments available
  • Virtual security reviews with our team
  • Compliance documentation available to enterprise customers with paid contracts

Responsible Disclosure

  • We welcome security research on our platform
  • Responsible disclosure guidelines available
  • Recognition for valid security findings
  • Coordinated disclosure timeline
  • Contact: [email protected]