Data Security

Last updated: October 13, 2022

Your trust in LLUNA allows you to provide answers on your Personal Operating Profile. We know this, and as such, take your trust and confidence very seriously. Below we outline controls, policies and systems we employ to keep your information secure and private.

People Security

Our people and those we work with are the most important part of our company.

We take pride in our ability to have a secure working environment. We manage this through a number of policies and procedures:

LLUNA company executives approve and remove permissions during every onboarding and offboarding event. When permissions are granted, we take the approach of least privilege, assigning the minimum required rights for the individual to complete their work.

All LLUNA employees must pass a background check conducted by an external third-party provider and must sign a non-disclosure agreement prior to starting their role.

All hires receive internal security training and are educated about security concerns and potential risks. This includes a review of LLUNA best practices and an overview of security throughout our SDLC.

During all vendor selection processes, LLUNA reviews each vendor's requested level of access before, during and after the engagement, in addition to reviewing the vendor's internal security policies.

Application Security

The LLUNA development team and development partners follow security best practices. All code is version controlled and goes through peer review and continuous integration tests to screen for potential security issues. Changes to the production environment are logged at the point of each release.

Authentication

LLUNA users can log in with their Google or Office 365 account using OAuth 2.0, an industry standard for authorizing secure access to external apps, or with an independent user-defined email and password. LLUNA does not receive or store user passwords at any time and cannot view any user’s password. Users may revoke LLUNA’s access through their respective Google or Office 365 account.

Vendors

LLUNA uses third-party vendors to provide application services. Vendors are reviewed by the engineering and security team and are engaged under appropriate contractual provisions to maintain data securely and use data only to provide the service for which LLUNA has engaged the vendor.

Data Access

To the extent possible, LLUNA automates access to customer data and strictly limits viewing. Only authorized employees may access customer data for essential job functions, and such access is only permitted in a secure environment. All requests to access customer data must be reviewed and approved by the executive team and must have a clear justification.

Continuous Monitoring

LLUNA follows industry standard procedures to handle security incidents, including preparing, reporting, identifying, containing, eradicating, recovering, and reviewing incidents. Should an incident result in a data breach, LLUNA will notify customers without undue delay and work with and continuously update customers to control and remediate the incident. LLUNA security and engineering are available 24/7 to ensure prompt response and all members of our team are highly qualified and know their roles and responsibilities in the event of a security incident.

NETWORK SECURITY
Encryption at Rest

LLUNA uses Google Cloud Key Management to manage encryption keys. Keys are never stored on disk and are retained only in memory while in use. Encryption keys are rotated regularly.

Network Isolation

LLUNA divides its systems into separate networks using logically isolated environments in Google Cloud Platform. Systems supporting testing and development activities are hosted in a separate network from systems supporting production services. Customer data only exists and is only permitted to exist in LLUNA’s production network. Network access to the production environment is restricted. Only network protocols essential for delivery of LLUNA’s service to its users are open at LLUNA’s perimeter. All network access between production hosts is restricted using firewalls to only allow authorized services to interact in the production network.

PHYSICAL SECURITY
Office & Device Security

All LLUNA employees are required to use devices that meet our security standards. These include all computers utilizing strong passwords, operating system-level anti-virus, and automatic user logout and/or lock. LLUNA does not maintain any servers or workstations in its corporate headquarters.

Data Center

LLUNA’s infrastructure is built on the Google Cloud Platform (GCP), including using its data centers. Google has robust policies on physical site security including access restrictions and surveillance. For more details, please visit: https://cloud.google.com/security

Looking Ahead

LLUNA is committed to security and privacy and staying at the forefront of modern security technologies and processes. We plan to pursue obtaining additional certifications to continue demonstrating this commitment and being a trusted partner for all our customers.

Questions

If you have any questions about this Security Policy, please contact us at howdy@hellolluna.com.