Security

Enterprise Security

Comprehensive overview of Luma's security practices and infrastructure for enterprise customers

Executive Summary

Luma is committed to maintaining the highest standards of security and data protection for our enterprise customers. Our comprehensive security program is designed to protect event data, attendee information, and organizational assets while enabling seamless event management and collaboration.

This document provides a detailed overview of our security practices, infrastructure, and controls. It is intended for security teams, compliance officers, and decision-makers evaluating Luma for enterprise deployment.

Our security approach is built on industry best practices and continuous improvement, ensuring that your data remains protected as threats evolve.

Security Governance & Compliance

Regulatory Compliance

Luma maintains compliance with major data protection regulations:

  • GDPR (General Data Protection Regulation): Full compliance with EU data protection requirements, including data subject rights, privacy by design, and cross-border data transfer mechanisms
  • CCPA (California Consumer Privacy Act): Compliance with California privacy requirements, including consumer rights to access, delete, and opt-out of data sales
  • Data Processing Agreements: Available for all enterprise customers at lu.ma/dpa

Security Policies and Procedures

Our information security management system includes:

  • Comprehensive security policies covering all aspects of data protection
  • Documented procedures for security operations and incident response
  • Regular policy reviews and updates to address emerging threats
  • Clear data classification and handling guidelines

Security Organization

Our security team maintains:

  • Dedicated security personnel responsible for security operations
  • Clear reporting structure with executive oversight
  • Separation of duties for critical security functions
  • Regular security training for all employees

Infrastructure & Network Security

Cloud Infrastructure

Luma leverages Amazon Web Services (AWS) for reliable and secure infrastructure:

  • Enterprise-grade cloud hosting with global availability
  • AWS security best practices and shared responsibility model
  • Regular infrastructure updates and patches
  • Automated scaling to handle traffic spikes during large events

Network Security

Our network architecture implements multiple layers of protection:

  • Network segmentation to isolate different application tiers
  • Private subnets for database and application servers
  • Secure VPC configurations with controlled ingress/egress
  • Regular network security assessments

DDoS and Web Application Protection

  • CloudFlare integration for DDoS mitigation
  • Web Application Firewall (WAF) to protect against common attacks
  • Rate limiting to prevent abuse
  • Geographic filtering capabilities when needed

Physical Security

AWS data centers provide:

  • 24/7 physical security monitoring
  • Biometric access controls
  • Environmental monitoring and controls
  • SOC 2 Type II certified facilities

Data Protection & Encryption

Encryption Standards

All sensitive data is protected using industry-standard encryption:

  • At Rest: AES-256 encryption for all stored data, including databases, file storage, and backups
  • In Transit: TLS 1.2+ for all data transmission, with TLS 1.3 support
  • Key Management: Secure key storage and rotation using AWS KMS
  • Database Encryption: Transparent data encryption for all database instances

Data Backup and Recovery

  • Automated daily backups with point-in-time recovery capability
  • Geographically distributed backup storage
  • Regular backup restoration testing
  • Recovery Time Objective (RTO) of 4 hours
  • Recovery Point Objective (RPO) of 24 hours

Data Retention and Deletion

  • Clear data retention policies aligned with legal requirements
  • Automated data purging based on retention schedules
  • Secure data deletion procedures including cryptographic erasure
  • Customer-initiated data deletion capabilities
  • Right to erasure support for GDPR compliance

Application Security

Secure Development Lifecycle

Our development process incorporates security at every stage:

  • Security requirements defined during design phase
  • Threat modeling for new features
  • Secure coding standards and guidelines
  • Security testing integrated into CI/CD pipeline

Code Security Practices

  • Mandatory code reviews for all changes
  • Static application security testing (SAST)
  • Dynamic application security testing (DAST)
  • Regular penetration testing by third parties
  • Responsible disclosure program for security researchers

Dependency and Vulnerability Management

  • Automated dependency scanning for known vulnerabilities
  • Regular updates of third-party libraries
  • Security patches applied within defined SLAs
  • Container image scanning for production deployments

OWASP Top 10 Protection

We implement controls against all OWASP Top 10 risks:

  • Input validation and parameterized queries to prevent injection
  • Secure authentication and session management
  • XSS protection through output encoding and CSP headers
  • CSRF tokens for state-changing operations
  • Security misconfiguration prevention through automation

API Security

  • OAuth 2.0 and API key authentication
  • Rate limiting per endpoint and per user
  • API versioning for backward compatibility
  • Comprehensive API logging and monitoring

Access Control & Identity Management

Employee Access Management

  • Principle of least privilege for all access grants
  • Automated provisioning and deprovisioning processes
  • Regular access reviews and recertification
  • Background checks for employees with production access
  • Separation of development and production environments

Authentication Security

  • Multi-factor authentication (MFA) required for all employee accounts
  • Strong password policies with complexity requirements
  • Account lockout policies to prevent brute force attacks
  • Session timeout for inactive sessions

Customer Identity Management

  • Support for enterprise SSO via SAML 2.0 and OAuth 2.0
  • Integration with major identity providers (Okta, Azure AD, Google Workspace)
  • Flexible role-based access control (RBAC) for team management
  • Granular permissions for calendar and event management
  • Audit logging of all authentication and authorization events

Privileged Access Management

  • Dedicated privileged access management procedures
  • Just-in-time access for production systems
  • All privileged actions logged and monitored
  • Regular rotation of privileged credentials

Event & Guest Data Security

Event Data Isolation

  • Logical separation of event data between organizations
  • Row-level security in database architecture
  • Secure multi-tenancy with data isolation guarantees
  • Private event URLs with unguessable identifiers

Guest Information Protection

  • Personal data minimization - only collect necessary information
  • Encrypted storage of all guest PII (name, email, phone)
  • Secure guest list management with access controls
  • GDPR-compliant data processing for EU attendees
  • Guest data export capabilities for event organizers

Payment Security

  • PCI DSS compliance through Stripe integration
  • No credit card data stored in Luma systems
  • Tokenization for all payment processing
  • Secure checkout process with fraud detection
  • Support for 3D Secure authentication
  • Encrypted payment receipts and invoices

File Upload Security

  • Virus and malware scanning for all uploads
  • File type validation and restrictions
  • Size limits to prevent resource exhaustion
  • Secure CDN delivery with signed URLs
  • Image processing in isolated environments

Registration and Check-in Security

  • Unique ticket codes with cryptographic validation
  • QR code security with time-based expiration
  • Mobile app security for check-in operations
  • Duplicate registration prevention
  • Waitlist management with secure approval workflows

Monitoring & Incident Response

Security Monitoring

  • 24/7 security operations with automated alerting
  • Real-time threat detection and response
  • Security Information and Event Management (SIEM)
  • Behavioral analytics for anomaly detection
  • Performance and availability monitoring

Intrusion Detection and Prevention

  • Network-based intrusion detection systems (NIDS)
  • Host-based intrusion detection systems (HIDS)
  • File integrity monitoring for critical systems
  • Automated response to detected threats

Incident Response Procedures

  • Documented incident response plan with defined roles
  • Incident classification and severity levels
  • Response time SLAs based on severity:
    • Critical: 1 hour
    • High: 4 hours
    • Medium: 24 hours
    • Low: 72 hours

Incident Communication

  • Clear escalation procedures to leadership
  • Customer notification within 72 hours of confirmed breach
  • Coordination with law enforcement when required
  • Post-incident reviews and lessons learned

Logging and Audit Trails

  • Comprehensive logging of all system activities
  • Centralized log management and analysis
  • Log retention for minimum 90 days
  • Tamper-proof audit trails
  • Regular log reviews and analysis

Vendor & Third-Party Security

Third-Party Risk Management

  • Vendor security assessments before onboarding
  • Regular review of vendor security postures
  • Contractual security requirements for all vendors
  • Ongoing monitoring of vendor compliance
  • Risk-based approach to vendor management

Key Infrastructure Providers

We partner with industry-leading providers:

  • AWS: Cloud infrastructure and hosting
  • Stripe: Payment processing (PCI DSS Level 1)
  • Twilio: SMS and communication services
  • CloudFlare: CDN and DDoS protection

Subprocessor Management

  • Maintained list of subprocessors at lu.ma/subprocessors
  • Data processing agreements with all subprocessors
  • Regular audits of subprocessor compliance

Supply Chain Security

  • Software composition analysis for dependencies
  • Vendor security incident notification requirements
  • Business continuity requirements for critical vendors
  • Alternative vendor strategies for critical services

Business Continuity & Availability

Service Level Agreement

  • 99.9% uptime SLA for enterprise customers
  • Planned maintenance windows with advance notice

Disaster Recovery

  • Comprehensive disaster recovery plan
  • Regular DR testing and simulations
  • Multiple availability zones for redundancy
  • Automated failover capabilities
  • Data replication across regions

High Availability Architecture

  • Load-balanced application servers
  • Database replication with automatic failover
  • Redundant network paths
  • Auto-scaling for traffic spikes
  • Circuit breakers to prevent cascade failures

Business Continuity Planning

  • Documented business continuity procedures
  • Regular BCP testing and updates
  • Emergency response team with defined roles
  • Communication plans for major incidents
  • Alternative processing sites for critical functions

Privacy & Data Rights

Privacy by Design

  • Privacy considerations in all new features
  • Data minimization - collect only what's necessary
  • Purpose limitation - use data only for stated purposes
  • Privacy impact assessments for new processing
  • Default privacy settings favor user protection

Data Processing Agreements

  • Standard DPA available at lu.ma/dpa
  • GDPR-compliant processing terms
  • Clear roles and responsibilities
  • Standard contractual clauses for international transfers
  • Customizable DPAs for enterprise requirements

User Rights Management

We support all data subject rights:

  • Access: Users can request their personal data
  • Rectification: Ability to correct inaccurate data
  • Deletion: Right to erasure ("right to be forgotten")
  • Portability: Export data in machine-readable format
  • Objection: Opt-out of certain processing activities
  • Restriction: Limit processing in certain circumstances

International Data Transfers

  • EU-US Data Privacy Framework participation
  • Standard contractual clauses for transfers
  • Adequate safeguards for all international transfers
  • Data localization options for enterprise customers

Data Minimization and Purpose Limitation

  • Clear purposes for all data collection
  • Regular review of data collection practices
  • Automatic data purging based on retention policies
  • Anonymous analytics where possible

Customer Security Features

Event Security Controls

  • Private events with password protection
  • Approval-required registration workflows
  • Guest list management and access controls
  • IP-based restrictions for sensitive events
  • Custom registration questions with data validation

Data Management Tools

  • Full guest data export in CSV/Excel formats
  • Bulk operations for guest management
  • Data retention controls per event
  • Automated data purging options
  • GDPR-compliant consent management

Privacy and Visibility Settings

  • Flexible event visibility (public, unlisted, private)
  • Attendee list visibility controls
  • Social sharing restrictions
  • Search engine indexing controls
  • Custom privacy policies per event

Custom Domain Security

  • SSL/TLS certificates for custom domains
  • HSTS (HTTP Strict Transport Security) support
  • Secure redirect handling
  • Domain verification process
  • DNS security best practices

API and Integration Security

  • Secure webhooks with signature verification
  • API rate limiting and quota management
  • OAuth 2.0 for third-party integrations
  • Zapier integration with secure authentication
  • Detailed API access logs

Security Training & Awareness

Employee Security Training

  • Mandatory security onboarding for all new employees
  • Annual security awareness training
  • Role-specific security training for developers and ops
  • Regular updates on emerging threats
  • Security best practices documentation

Security Awareness Program

  • Monthly security awareness communications
  • Security champions program across teams
  • Secure coding workshops for developers
  • Incident response drills and tabletop exercises
  • Security metrics and KPI tracking

Phishing and Social Engineering Defense

  • Regular phishing simulation campaigns
  • Immediate training for simulation failures
  • Reporting mechanisms for suspicious emails
  • Email security gateway with anti-phishing
  • Domain-based Message Authentication (DMARC)

Physical Security Policies

  • Clean desk policy for sensitive information
  • Secure disposal of documents and media
  • Visitor access controls and escort requirements
  • Device encryption requirements
  • Remote work security guidelines

Contact & Additional Resources

Security Contacts

Documentation and Policies

Security Updates

  • Security bulletins via email for enterprise customers
  • Security blog posts and best practices

Security Assurance

  • Security questionnaire support for enterprise customers
  • Custom security assessments available
  • Virtual security reviews with our team
  • Evidence packages for compliance teams

Responsible Disclosure

  • We welcome security research on our platform
  • Responsible disclosure guidelines available
  • Recognition for valid security findings
  • Coordinated disclosure timeline
  • Contact: [email protected]
Didn’t find what you are looking for?
Contact Us