Security at Lumi
Protecting your data is fundamental to everything we do. Lumi is built on a security-first architecture with independently audited certifications, encryption, and compliance controls, designed to support regulated environments such as GxP and FDA 21 CFR Part 11 and to provide audit-ready workflows.
Certifications & Compliance
| Certification | Status |
|---|---|
| ISO 27001:2022 | Certified |
| SOC 2 Type II | Attested |
| GDPR | Compliant (UK & EU); Data Protection Officer appointed |
| HIPAA | Supports HIPAA compliance — BAAs available for healthcare customers |
| ISO 42001:2023 | In progress — Responsible AI governance |
| EU-US Data Privacy Framework | Self-certified; JAMS designated as the independent recourse mechanism |
Data Protection
- Encrypted at rest using AES-256 across all storage and backups
- Encrypted in transit using TLS 1.2+ for all platform communications and SRTP for video streaming
- Data hosted in the AWS eu-west-1 (Ireland) region by default, with regional controls available for enterprise deployments
- High availability across multiple availability zones
- Full audit logging retained for compliance and forensic purposes
Platform Architecture
- Logical tenant isolation across all customer environments — no cross-customer data access
- Video data processed in real-time with long-term storage configurable per customer
- AI outputs stored as structured metadata — raw video access restricted to authorised compliance and audit roles
- Configurable data retention — customers set retention periods to match their regulatory requirements
- On-premises deployment options available for enterprise environments requiring local data residency
Customer Control
Lumi is designed to give customers full control over their deployment:
- You control retention — set data retention periods per your regulatory requirements
- You control AI — choose which AI capabilities are active, configure parameters, and disable any agent at any time
- You control access — manage your own users, roles, and permissions within your workspace
- You control data — request export or deletion at any time per our Data Processing Agreement
AI Transparency
Lumi uses artificial intelligence to observe and analyse laboratory work processes. We are committed to responsible AI:
- No facial recognition — Lumi does not identify individuals
- No emotion recognition — Lumi does not analyse emotional states
- Advisory outputs only — all AI results require human review before action
- User control — customers configure which AI capabilities are active and can disable them at any time
- Transparency — AI is Lumi’s core feature, not a hidden capability. Users interact with AI agents directly.
Access Control
- Role-based access control enforced across the platform, with SSO and SAML-based identity provider integration for enterprise customers
- Multi-factor authentication required for privileged access
- Quarterly access reviews across all systems
- Least-privilege access — granted based on job function only
- Access revoked within 24 hours of employee departure
Security Testing
- Annual penetration testing by a CREST-accredited provider. Most recent result: secure, with zero critical, high, or medium findings.
- Continuous automated scanning integrated into the build and deployment pipeline, so a build fails automatically when a high-severity vulnerability is found
- Dependency monitoring with automatic alerts and updates for vulnerable packages
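The pipeline gate described above, fail the build when a scanner reports a high-severity finding, is easy to state and easy to get subtly wrong. The script below is an added illustration, not Lumi's own pipeline code; the report shape (a JSON object with a `findings` list carrying `id`, `severity` and an optional `cvss` score), the package names and the suppression list are all constructed for the example and do not correspond to any real scanner's output. It shows three points a practitioner cares about: a finding with no usable severity fails closed rather than open, the scanner's label and the CVSS score are both honoured (the worse one wins), and an exception is accepted only while it names the finding, records a reason and has not expired.

```python
"""CI severity gate: fail the build when a dependency or code scanner report
contains findings at or above a configured threshold.

Added illustration, not Lumi's pipeline code. The report format (a "findings"
list of id / severity / cvss) is a constructed, simplified shape rather than
any particular scanner's output.
"""
import sys
from datetime import date

# Ordered scale. A finding whose severity cannot be determined is ranked above
# critical so that a missing or malformed label fails closed, not open.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
UNKNOWN_RANK = max(SEVERITY_RANK.values()) + 1


def rank_from_cvss(score):
    """CVSS v3 base-score bands (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9,
    Critical 9.0-10.0) mapped onto the label scale."""
    if score >= 9.0:
        return SEVERITY_RANK["critical"]
    if score >= 7.0:
        return SEVERITY_RANK["high"]
    if score >= 4.0:
        return SEVERITY_RANK["medium"]
    if score > 0.0:
        return SEVERITY_RANK["low"]
    return SEVERITY_RANK["info"]


def severity_rank(finding):
    """Worst of the scanner's label and its CVSS score; UNKNOWN_RANK if
    neither is usable, so a report that omits severity cannot slip past."""
    ranks = []
    label = str(finding.get("severity", "")).lower()
    if label in SEVERITY_RANK:
        ranks.append(SEVERITY_RANK[label])
    score = finding.get("cvss")
    if isinstance(score, (int, float)) and not isinstance(score, bool):
        ranks.append(rank_from_cvss(float(score)))
    return max(ranks) if ranks else UNKNOWN_RANK


def is_suppressed(finding, suppressions, today):
    """A suppression counts only if it names the finding, records a reason and
    carries an unexpired ISO date; a stale exception re-opens the gate."""
    entry = suppressions.get(finding.get("id"))
    if not entry or not entry.get("reason"):
        return False
    try:
        return date.fromisoformat(entry["expires"]) > today
    except (KeyError, TypeError, ValueError):
        return False


def gate(report, threshold="high", suppressions=None, today=None):
    """Return (passed, blocking_findings). `today` may be a date or ISO string."""
    suppressions = suppressions or {}
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    min_rank = SEVERITY_RANK[threshold]
    blocking = [
        f for f in report.get("findings", [])
        if severity_rank(f) >= min_rank and not is_suppressed(f, suppressions, today)
    ]
    return (not blocking, blocking)


# Constructed sample report and suppression list; package names are hypothetical.
SAMPLE_REPORT = {
    "findings": [
        {"id": "DEP-001", "package": "libfoo", "severity": "high", "cvss": 7.5},
        {"id": "DEP-002", "package": "libbar", "severity": "medium", "cvss": 5.3},
        {"id": "DEP-003", "package": "libbaz", "severity": "high", "cvss": 7.2},
        {"id": "DEP-004", "package": "libqux"},  # no severity at all: fails closed
        {"id": "DEP-005", "package": "libquux", "severity": "high"},
    ]
}
SAMPLE_SUPPRESSIONS = {
    "DEP-003": {"reason": "vulnerable code path not reachable", "expires": "2099-01-01"},
    "DEP-005": {"reason": "fixed upstream", "expires": "2020-01-01"},  # expired
}

if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_REPORT, "high", SAMPLE_SUPPRESSIONS, today="2025-01-01")
    for f in blocking:
        print(f"BLOCKING {f['id']} ({f.get('package')}): rank {severity_rank(f)}")
    sys.exit(0 if passed else 1)
```

Run against the sample with a "high" threshold, the gate blocks DEP-001 (high), DEP-004 (no severity, ranked unknown) and DEP-005 (its suppression has expired), and lets DEP-002 (medium) and DEP-003 (validly suppressed) through; the non-zero exit status is what makes the CI job fail. Raising the threshold to "critical" still blocks DEP-004, which is the fail-closed behaviour you want from an unparseable finding.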
Incident Response
- Documented incident response plan with GDPR and HIPAA-specific procedures
- Notification to the relevant supervisory authority within 72 hours of becoming aware of a GDPR-reportable breach
- 24-hour customer notification for HIPAA breach events
- Regular tabletop exercises to validate recovery procedures
- No material security incidents resulting in customer data exposure to date
Sub-processors
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | AWS eu-west-1 (Ireland) |
| Awarri | Data annotation for AI training | UK |
| PostHog | Product analytics (consent-based) | EU |
Customers receive 30 days’ notice before any new sub-processor is authorised, with the right to object. A current list of sub-processors is available upon request.
Vulnerability Disclosure Program
At Lumi Systems, we take security seriously. We welcome reports from security researchers and users who find potential vulnerabilities in our platform. If you believe you’ve discovered a security issue, please report it to us at security@lumi.systems.
We appreciate your help in keeping our platform safe.
Scope: Our platform is closed to public registration. Please coordinate with us before conducting any testing to ensure systems and customers are not impacted.
Rewards: While we do not operate a formal bug bounty program at this time, we may offer recognition or discretionary rewards for high-impact, well-reported findings.
Safe Harbor: We will not pursue legal action against security researchers who report vulnerabilities in good faith and follow this policy. Thank you for helping us keep Lumi Systems secure.
Contact
| Purpose | Contact |
|---|---|
| Security issues | security@lumi.systems |
| Data protection | dpo@reach.industries |
| Report a concern | speakup@reach.industries |
| General enquiries | info@reach.industries |
For detailed security documentation — including our ISO 27001 certificate, SOC 2 report, penetration test summary, and Data Processing Agreement — please contact us or request access via your account manager.
Looking for more detail? Read about our approach to security in our knowledge base.