Version 1.0
Security Statement
Effective date: 1 June 2026
This Security Statement summarises the technical and organisational practices Luuma implements or aims to implement to protect the Luuma platform and customer data.
This page is informational and does not create security guarantees or certify compliance with any standard. Luuma does not currently claim any external security certifications on this page.
Security reports should be sent to data@luuma.cloud.
1. Encryption in transit
Luuma is designed to use HTTPS/TLS for application traffic and API communication where supported by the deployed environment. Integrations and agents should be configured to use encrypted transport wherever possible.
2. Password security
Luuma stores password hashes rather than plaintext passwords. Users should use unique passwords and keep credentials confidential. Password reset flows are designed to use time-limited reset tokens.
3. Access controls
Luuma implements account roles, permissions, organisation scoping, reseller scoping, and access checks designed to limit users to the data and features they are authorised to use.
Operational access to production systems is intended to be limited to authorised personnel with a business need.
4. Infrastructure security
Luuma uses managed infrastructure and service providers to host application, database, storage, media, and supporting services. Infrastructure is configured with environment separation and access controls appropriate to the service.
5. Backups and resilience
Luuma aims to maintain backup and recovery practices designed to support service resilience and data restoration where technically and commercially appropriate. Backup retention and restore capabilities may vary by service component.
6. Monitoring and logging
Luuma implements operational logging, telemetry, and monitoring designed to detect service failures, integration issues, player problems, and suspicious activity. Logs are used for diagnostics, support, security investigation, and platform improvement.
7. Incident response
Luuma aims to investigate security incidents promptly, contain affected systems, assess impact, remediate root causes where practical, and notify affected customers where required by contract or law.
8. Responsible disclosure
If you believe you have found a security issue in Luuma, please email data@luuma.cloud with enough detail for us to understand and reproduce the issue. Please do not access, modify, delete, disrupt, or disclose data that does not belong to you.
Luuma aims to review good-faith security reports promptly and may contact you for further details. We ask researchers to give Luuma reasonable time to investigate and remediate before any public disclosure.
9. Vendor management
Luuma uses third-party providers for hosting, storage, email, media processing, payments, monitoring, AI features where enabled, and other operational needs. Luuma aims to select vendors with appropriate security practices and contractual data protection commitments.
10. Customer responsibilities
- Use strong, unique passwords and keep credentials secure.
- Assign roles and permissions carefully.
- Remove users promptly when they no longer require access.
- Configure EPOS and ICRTouch integrations to send only data needed for the Services.
- Notify Luuma promptly of suspected unauthorised access or security issues.