“
At Luma, our goal is to put patients at the center of everything we do. Our security, privacy, and compliance programs help us support our customers and achieve this goal.”
Nick Lees
VP, Information Security and Compliance
Luma Health architects our security program around internationally-recognized information security and data privacy frameworks, as well as industry best practices. We undertake accredited third-party audits no less than annually to ensure ongoing compliance.
Luma’s dedicated, in-house Security and Compliance team ensures that Luma follows the latest information security frameworks and data privacy regulations, including staying up-to-date on upcoming changes.
We are HITRUST CSF r2 Certified, a risk-based certification that is the gold standard in healthcare technology.
We are TX-RAMP (Texas Risk and Authorization Management Program) Level 2 certified. Tx-RAMP is a framework designed to ensure the security and compliance of cloud services used by Texas state agencies.
We are ISO 27001:2022 Certified, an internationally-recognized standard for the implementation of an Information Security Management System (ISMS).
We participate in the US-EU Privacy framework, including the UK and Swiss extensions.
We perform a SOC 2 Type II attestation annually, providing assurance that not only do we have appropriate security controls in place, but they are also operating effectively.
All of Luma's software and company processes are fully HIPAA-compliant.
If you have a security concern with the Luma platform, or you have reason to believe you have discovered a security weakness or vulnerability in our platform, let us know at security@lumahealth.io.
View real-time information on Luma’s system status, historical uptime, and incident information at status.lumahealth.io. You can subscribe to alerts on this page to ensure you are proactively notified of any issues affecting Luma Health’s applications or services.
All system access at Luma Health follows the principles of Zero Trust and Least Privilege and is centrally managed,
with Single Sign On (SSO) required wherever possible. Context-aware controls ensure that certain conditions are met,
such as device type encryption and location, before logins are granted.
We enforce Multi-Factor Authentication across the organization. All access is role-based, and requires management
and/or system owner approval. Luma Health’s internal audit team performs access entitlement reviews every 60 days for all accounts.
We operate a modern microservices-based infrastructure that is architected for high-availability with zero single points of failure. All of our infrastructure is managed via code and dynamically scales up and down based on system load and demand.
We have a fully-documented SDLC which follows the OWASP Top Ten. All development is performed in-house, and all
new code as well as changes to existing code are subject to Static and Dynamic Application Security Testing
(SAST and DAST) and peer review before being considered for a production release.
Every change and release follows our change control process, which includes peer review, testing and
validation in lower environments, a backout plan, management approval, and separation of duties between
development and release activities.
We perform automated vulnerability scans of our infrastructure monthly, as well as continuous monitoring and scanning of any emerging threats. New infrastructure targets are automatically added to the scan rotation. We partner with a third party to perform external penetration testing annually. Any discovered vulnerabilities are remediated in line with our defined schedule.
All employees are provided with a Luma Health-owned and controlled device that is centrally managed via an MDM solution. All devices are protected by centrally-managed security controls such as Endpoint Detection and Response (EDR), next Generation Anti-Virus, firewalls, device encryption, activity lock, and data loss prevention.
All employees are subject to a background check before joining Luma Health, and are required to complete information security Training, HIPAA training, and policy attestation as part of the onboarding process. Information security training is performed on an ongoing basis, which includes simulated phishing tests.
We have infrastructure deployed in multiple AWS Availability Zones with real-time replication to meet a 99.9% uptime target. Our code-based microservices architecture allows us to quickly deploy a production instance into any AWS data center should the need arise. We fully test our Business Continuity and Disaster Recovery function annually.
Luma Health’s AI-enabled products are built to be ISO 42001 compliant. These products operate under a zero-retention model and do not store data long-term. Customer and patient data is not shared with or made available to other customers and is not shared with or made available to any of our partners or service providers. Customer data is not used to train, retrain, or improve any models.
We use your data only to provide contracted services. We never share or sell
your data to any third parties, and your data is never used for advertising purposes.
We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF,
and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.
To learn more about the Data Privacy Framework (DPF) program, and to view our certification,
please visit https://www.dataprivacyframework.gov.