To support the delivery of Lumesse services to customers, our IT Service Delivery team is responsible for all activities relating to the operational availability, performance and quality of Lumesse solutions and services. With engineers and service management specialists based in Poland, Germany and the UK, the IT Service Delivery team provide support to all Lumesse customers worldwide in cooperation with Customer Support and other Lumesse functions. In addition to technical specialists responsible for service operation, the IT Service Delivery team contains dedicated Change, Problem and Project Managers to ensure proper service management controls are in place to support processes that are derived from ITIL best practice and that are regularly tested during ISO27001 and SOC1/2 audits.
Data Centre Services
We host our production services with industry leading providers of colocation and cloud services with the intent to take advantage of the high quality and highly scalable infrastructures these services provide. Among these partners, Amazon Web Services (AWS) has been selected as the first choice hosting location for Lumesse solutions and services due to its leadership position in the Infrastructure as a Service (IaaS) sector, the scale, breadth and quality of services available as well the geographic availability provided. Whether colocation or cloud delivery model, all data centre locations adhere to high standards of physical security:
- Perimeter defences
- 24-hour manned security, including perimeter inspection
- Video surveillance (CCTV) throughout facility and perimeters
- Strong and strictly monitored access controls
- Fire detection and suppression
- Buildings engineered for weather and flood risks
- Redundant power (including batteries, UPS and diesel generators)
- Redundant connection to multi-carrier internet services
To ensure security and continued availability of data, multiple steps are taken to backup and retain copies of databases and data files should complete or partial data sets be required by ourselves or our customers for whatever reason. In addition to ongoing transactional replication between live and standby databases full backups are taken daily of all data and supplemented with transaction log backups throughout the day. This approach allows for restore of databases to a specific point in time should that be needed. Backups are encrypted to AES 256 and stored at the live and recovery sites for each service. Retention policies allow for recovery of data up to 6 months old if required.
As you would expect, Lumesse maintains disaster recovery readiness to cater for scenarios up to and including total data centre loss. Whether in cloud or colocation data centre delivery models, this readiness is based on ongoing database and file system replication of data to recovery sites and the maintenance of sufficient capacity to deliver the recovered services in a replicated production environment. Procedures are maintained, annually tested and, if needed, adjusted as a key security control and invocation is determined based on the estimated recovery time for any unscheduled service outage that might occur as a result of site, infrastructure or application failure.
As regulations change with the introduction of the General Data Protection Regulation (GDPR) and customer requirements around the security of personal data change, we have added further cryptographic controls to the delivery of services. These controls are directly relevant to the requirement for reducing the risk of personal data being made available to anyone without a valid processing need.
Data in transit
To address the risk of vulnerability of data in transit between applications and services all API and interactive traffic is secured by Transport Layer Security (TLS). This measure secures the end to end conversation between requesting user browser or API service and the Lumesse service itself, protecting against eavesdropping and tampering of service messages. Regular specialist third party executed vulnerability assessments are commissioned for all services to ensure continued protection from these measures.
Data at rest
While there are robust physical and logical access controls to prevent unauthorised access to media within data centres used for the delivery of Lumesse services, we apply the additional control of ensuring all storage used for personal data is encrypted within the cloud hosting model. This is achieved through the encryption of storage volumes and snapshots using AES-256 encryption. This encryption occurs on the servers hosting the server instances used for Lumesse services and provides encryption of data as it moves between server instances and storage within the AWS platform. Encryption of data at rest is a key non-functional requirement included in the development of new and existing Lumesse services.
To ensure proper protection of personal data, Lumesse applies additional controls to secure the private keys used for encryption purposes. Private keys used to encrypt TLS end user sessions and to encrypt storage are stored and managed in secure services that provide a central and secure management point for all Lumesse services.