What's your security like? [Legal and Compliance]
Summary
Lumiant will implement reasonable and appropriate measures designed to help secure Adviser Data against accidental or unlawful loss, access or disclosure. This includes:
- Network and Infrastructure Security
- Host and Endpoint Security
- Data Protection and Encryption (in transit and at rest)
- Logging, Monitoring, Threat Detection and Analytics
- Identity and Access Control
- Application Security
Our Cloud platform provider complies with a number of IT security assurance programs, including:
- SOC 1/ISAE 3402, SOC 2, SOC 3
- PCI DSS Level 1
- ISO 9001, ISO 27001, ISO 27017, ISO 27018
Data Privacy
Lumiant will ensure that Adviser Data is only stored within Australian- and US-based data stores. We will not access or use Adviser Data except as necessary to maintain or provide the Service Offerings, or as necessary to comply with the law or a binding order of a governmental body.
Adviser Data means all data, content, and information (including any Personal Information) owned, held, used or created by or on behalf of the Adviser that is inputted into, or stored using, the Services.
Want to know all the details?
We know you'll want to give your clients all the assurance you can that their data is secure, so we've gone into a little more detail on the different steps we've taken to ensure the platform is secure.
Data Sovereignty
Lumiant has been architected to ensure that all information sourced, created and accessed is at all times stored within the sovereign borders of the region in which it is operating. We currently service both the AU and US regions and architecturally those are two entirely separate installations, one is not aware of the other, and all data sourced, created and accessed in one is inaccessible from the other.
Data Security
The entire Lumiant platform makes use of:
- Encryption at rest: the data, as stored, is encrypted with a key that only Lumiant has access to, and
- Encryption in transit: the data, as it is sent across the internet, is encrypted from point to point (SSL, TLS v1.2).
Data Security – Logging / Monitoring
All data that is sent for logging, monitoring or audit purposes is masked by default to ensure that nothing sensitive is included. Part of the reason for this is that our Cloud platform provider (AWS), under its terms and conditions, can send log files outside the main region for support purposes (to ensure it meets its service level agreements). We have made the call that, should that occur, no sensitive information would be sent offshore.
Network Security
Lumiant utilises a mixture of private and public subnets, security groups and Web Application Firewalls, all underpinned by our Least Privilege Principle: every action is performed with the absolute minimal set of access rights needed for that action. If all it needs to do is read something but not modify it, then it will not be able to modify it.
Data Retention
We follow the Australian regulatory standard of keeping data that was created within the Lumiant platform for a minimum of 7 years.
In the US we will comply with local regulations, meaning that if asked, we will purge the requested Adviser Data.
Data Segregation
Practice, household and client data is logically segregated, i.e. Practice A can never access Practice B’s data, Household A can never access Household B’s data, Client A can never access Client B’s data unless Client A and Client B reside in the same household.
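The segregation rules above (practice, household and client scoping, with the same-household exception) expressed as a default-deny authorisation check. This is an added illustration, not Lumiant's own code; the record and principal model and the sample records are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical data model: each record is tagged with the practice,
# household and client it belongs to (constructed for this example).
@dataclass(frozen=True)
class Record:
    record_id: str
    practice_id: str
    household_id: str
    client_id: str

@dataclass(frozen=True)
class Principal:
    """Who is asking: an adviser at a practice, or an individual client."""
    kind: str                         # "practice" or "client"
    practice_id: str
    household_id: Optional[str] = None
    client_id: Optional[str] = None

def can_access(p: Principal, r: Record) -> bool:
    # Practice A can never reach Practice B's data.
    if p.practice_id != r.practice_id:
        return False
    # Advisers see everything inside their own practice.
    if p.kind == "practice":
        return True
    # A client sees their own records, or those of another client who
    # resides in the same household; never another household's data.
    if p.kind == "client":
        return p.household_id == r.household_id
    return False  # default deny for any unrecognised principal kind

def visible_records(p: Principal, records: list[Record]) -> list[str]:
    """Row-level filter: return only the ids the principal may see."""
    return [r.record_id for r in records if can_access(p, r)]

# Constructed sample data: two practices, two households, three clients.
SAMPLE = [
    Record("r1", "practiceA", "hh1", "clientA"),
    Record("r2", "practiceA", "hh1", "clientB"),   # same household as clientA
    Record("r3", "practiceA", "hh2", "clientC"),   # different household
    Record("r4", "practiceB", "hh9", "clientZ"),   # different practice
]

if __name__ == "__main__":
    client_a = Principal("client", "practiceA", "hh1", "clientA")
    print(visible_records(client_a, SAMPLE))  # ['r1', 'r2']
```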
Personally Identifiable Information (PII)
We do collect a number of PII data items (name, email address, address (optional), mobile number (optional), date of birth).
We also collect a number of additional data items for analytical purposes (much the same as most web applications), i.e. IP address and geolocation (opt-in).
All data collected is for the purpose of providing that information back to the Client and Adviser and as such we don’t collect information that will not be presented back or utilised within the platform for the benefit of the Client and/or Adviser.
Security Penetration Testing
Lumiant completed a 3rd party independent security penetration test in June 2024 where our platform security was thoroughly tested. We aim to have this completed annually.
The Patriot Act (USA)
The Patriot Act enables access to a narrowly defined set of data around terrorist-related activities. It has been assessed, and the risk comfortably accepted, by most financial institutions that utilise US-based cloud services (CBA, NAB, Westpac, ANZ, Macquarie, TAL Life etc.). That also includes Office Suites (e.g. MS Office 365, Google), CRMs (e.g. Salesforce, MS Dynamics 365 etc.), Accounting software (e.g. Xero), Financial Planning (e.g. Iress) etc., so it is highly likely that you already have personal client information stored within your existing software stack that is accessible under the Patriot Act. Lumiant is no different other than, as mentioned above, the fact that we ensure data is kept onshore.
If US intelligence agencies want to get access to Australian consumer data, they don't need to use the Patriot Act: they can lean on the bilateral treaties that Australia has signed with the United States (i.e. the Mutual Legal Assistance Treaty (MLAT) as well as the more recent Australia-US CLOUD Act Agreement) and they will be able to get access to it.
As always, if you have any questions regarding the security of Lumiant please don't hesitate to reach out to your Customer Success Manager or submit a support request here.