Luminare Security Standards
Data security is patient safety. We take both seriously.
Security Overview
At Luminare, we believe that protecting data confidentiality, integrity, and availability is part of patient safety. Data security is incorporated into our culture and practices. Our solutions are HIPAA-compliant and meet or exceed National Institute of Standards and Technology (NIST) recommendations.
Security in Our Software
- Edge endpoints encrypt data in transit with TLS 1.2 or stronger
- Data at rest is encrypted with AES-256
- Granular user roles that restrict access and enforce least privilege
- Cookies are set with the HttpOnly, Secure, and SameSite=Lax attributes
- SQL injection prevention using prepared statements
- Input validation and output sanitization to prevent XSS
Security in Our Process
- Shift-left security implementation with Vanta
- Code runs in tightly restricted domain environments
- Continuous integration via GitHub
- In-depth code reviews
- Secure system engineering principles
Security in Our Platform
- Hosted on Microsoft Azure Cloud
- Data hosted only in US data centers
- Data transmissions secured via TLS 1.2 or higher
- Best-practice security features such as firewalls
- Encrypted databases and drives
- HIPAA-compliant data retention policy
- Snapshots and individual data backups, tested regularly
- Terraform Infrastructure-as-Code (IaC) for provisioning, maintaining baselines, and configuration management
- Continuous performance and availability monitoring
- Technical and administrative controls enforcing least privilege
- IAM security profiles with two-factor authentication for all employees
- Detailed continuous system monitoring
Security in Our Vendors
- Business Associate Agreement (BAA) with all PHI vendors
- Rigorous annual third-party Risk Assessment Process
- Most vendors hold SOC 2 certifications
Security in Our Company
- Well-established security policy reviewed annually and after major updates
- Ongoing technical security training for engineers
- Background checks at hire for all employees
- Security awareness training for all employees
- Quarterly access-control review of privileged access
- Cybersecurity insurance to address residual risk