Security at Lumora

Last updated May 1, 2026

Sample document. This is a sample legal page for the Lumora Studio demo and is not real legal or security advice. Replace with real legal and security counsel before production launch.

1. Our security programme

Lumora Studio maintains a written information security programme designed to protect the confidentiality, integrity and availability of customer data. The programme is reviewed at least annually and adapts as our service evolves. Day-to-day responsibility sits with our Head of Engineering, with executive sponsorship from the CEO and CTO.

2. Data encryption

All customer data is encrypted in transit using industry-standard TLS 1.2 or higher. Data at rest is encrypted using AES-256 across our primary databases, backups and object storage. Encryption keys are managed through our cloud provider's key management service with strict access controls.

3. Access controls

Access to production systems is restricted to a small group of engineers under the principle of least privilege. We use single sign-on with hardware-key second factors for all administrative access. Access is reviewed quarterly and revoked promptly when no longer needed.

4. Network and infrastructure

The Service runs on managed infrastructure from a major cloud provider in the Asia-Pacific region. We use private networking, firewalls and security groups to limit exposure of internal services. Edge traffic is protected by a managed DDoS service and a web application firewall.

5. Vulnerability management

We monitor public vulnerability databases and apply critical patches within seven days of disclosure. Our codebase is scanned for known vulnerable dependencies on every change. Annual third-party penetration tests are performed against the production environment, with findings tracked to remediation.

6. Application security

Our engineering team follows a secure development lifecycle that includes peer code review, automated testing, static analysis, and security review of significant changes. We follow OWASP guidance, including the OWASP Top Ten, for the most common web application risks, and run internal application security training annually.

7. Logging and monitoring

We aggregate application, system and security logs into a centralised monitoring platform. Alerts for suspicious activity, configuration drift and infrastructure anomalies are reviewed by an on-call engineer 24/7. Logs are retained for a minimum of ninety days.

8. Backups and disaster recovery

Customer data is backed up continuously, with point-in-time recovery available for our primary databases. Backups are stored in a separate region from the primary deployment. We test our disaster recovery plan at least annually and document the results.

9. Subprocessors

We use a small set of carefully chosen subprocessors to deliver the Service, including our cloud provider, our payments processors and a handful of communication tools. The current list is available on request. We require subprocessors to meet contractual security commitments comparable to our own.

10. Reporting a vulnerability

We welcome reports from the security research community. To report a vulnerability, please email security@lumora.studio with a description, reproduction steps and any supporting material. We commit to acknowledging reports within two business days and providing a status update within ten.

Vulnerability disclosure: security@lumora.studio