Security
Last updated: July 18, 2026
Security is not an afterthought at Lumen Innovation — it is part of the build from day one. This page describes how we protect this website, the infrastructure we manage, and the data entrusted to us by clients and visitors.
Transport Security
All traffic to and from this website is encrypted using TLS 1.2 or higher. We enforce HTTPS site-wide — HTTP requests are automatically redirected. SSL certificates are provisioned and renewed automatically.
Our servers are configured with strong cipher suites and have HTTP Strict Transport Security (HSTS) enabled, preventing protocol downgrade attacks.
Server & Infrastructure
- Dedicated servers — we do not use shared hosting. Each server environment is isolated.
- OS-level hardening — unnecessary services and ports are disabled by default. Servers run minimal Ubuntu installs with only the software required for each application.
- SSH-only access — remote administration is restricted to SSH with key-based authentication. Password authentication is disabled.
- Firewall — all servers sit behind a firewall. Only ports 80 and 443 are publicly accessible.
- Automated patching — security updates are applied daily. Critical patches are applied as soon as they are available.
Data Handling
- Passwords — all user passwords are hashed using bcrypt before storage. We never store plaintext passwords.
- Payment data — we do not store credit card numbers. All payment processing is handled by Stripe, a PCI-DSS Level 1 certified provider.
- Database access — databases are not publicly accessible. All connections require authentication and are limited to localhost or explicitly whitelisted IPs.
- Backups — automated backups run daily. Backups are encrypted and stored separately from primary servers.
Application Security
- CSRF protection — all forms include CSRF tokens to prevent cross-site request forgery.
- Input validation — all user-supplied input is validated and sanitized server-side before processing or storage.
- SQL injection prevention — we use parameterized queries and an ORM throughout. Raw SQL with user input is never used.
- Dependency management — application dependencies are kept up to date and audited regularly for known vulnerabilities.
- Version control — all code changes are tracked in git. No production deployments happen without a code review.
Monitoring & Incident Response
We actively monitor our servers for anomalous behavior and unauthorized access attempts. In the event of a security incident affecting client data, we will notify affected parties promptly — within 72 hours of discovery where required by applicable law.
Uptime is monitored continuously. We maintain runbooks for common incident scenarios and conduct periodic reviews of our security posture.
Responsible Disclosure
If you discover a security vulnerability in any of our systems or applications, please let us know before disclosing it publicly. We genuinely appreciate responsible disclosure and will work to address confirmed issues promptly.
To report a vulnerability, email us at chris@lumeninnovation.com with a clear description of the issue and steps to reproduce it. We will acknowledge receipt within 2 business days.
Please do not access or modify data that does not belong to you, disrupt services, or perform social engineering against our team or clients as part of any security research.