Security Policy

Last updated: February 23, 2026

Overview

At Lumiotech (“we,” “us,” or “our”), security is fundamental to everything we do. Our Sentry platform is built with advanced security measures to protect sensitive information and ensure the highest levels of data protection for our clients. This Security Policy outlines our holistic approach to safeguarding data, infrastructure, and operational processes in alignment with global and national cybersecurity regulations, including the mandates of the Indian Computer Emergency Response Team (CERT-In).

Infrastructure Security

We maintain a secure, resilient infrastructure designed to support the stringent security requirements of government and defense agencies:

  • End-to-End Encryption: All data transmissions between client devices and our servers are encrypted to protect against unauthorized interception.
  • Multi-Layer DDoS Protection: Our infrastructure includes robust DDoS mitigation technologies and traffic filtering to ensure uninterrupted service.
  • 24/7 Infrastructure Monitoring: We employ real-time monitoring tools and security sensors to quickly detect and respond to potential threats.
  • Regular Security Audits and Penetration Testing: Internal and external testing is conducted to identify and address any vulnerabilities promptly.
  • Secure, Redundant Data Centers: Our hosting facilities incorporate physical security measures such as biometrics, surveillance, and secured access points.
  • Time Synchronization (NTP): As mandated by CERT-In Directions 2022, all Information and Communication Technology (ICT) systems, network devices, and infrastructure strictly synchronize their system clocks to the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL).

Data Protection

Protecting our clients’ data is our top priority. We employ industry-leading data security measures, including:

  • AES-256 Encryption at Rest: Sensitive data is encrypted on our servers and in databases to prevent unauthorized access.
  • TLS 1.3 for Data in Transit: Our servers use the latest Transport Layer Security protocol to protect data traveling between user devices and our systems.
  • Secure Key Management Systems: Encryption keys are managed using Hardware Security Modules (HSMs) or equivalent secure key management solutions.
  • Regular Data Backups: We perform automated, secure backups stored in geographically separate locations for redundancy.
  • Strict Data Access Controls: Only authorized personnel can access sensitive information, and all access is logged and monitored.
  • Secure Data Disposal Protocols: When data is no longer needed, it is securely destroyed in compliance with industry and regulatory standards.

Access Control & Log Maintenance

Access control and verifiable auditable trails are central to our security strategy:

  • Multi-Factor Authentication (MFA): All administrative and privileged accounts require MFA to enhance login security.
  • Role-Based Access Control (RBAC): Permissions are granted based on job role and operational necessity, reducing the risk of excessive access privileges.
  • Mandatory Log Maintenance: In strict compliance with CERT-In directions, we enable and securely maintain comprehensive ICT system logs. These logs are retained securely within Indian jurisdiction (or backed up locally) bridging a rolling period of 180 days to assist in cybersecurity investigations.

Compliance & Certifications

We adhere to recognized global security and privacy standards to ensure ongoing compliance and uphold customer trust:

  • ISO 27001 certified for our Information Security Management System
  • SOC 2 Type II compliant, demonstrating our commitment to security, availability, and confidentiality
  • Full adherence to the Digital Personal Data Protection Act, 2023 (DPDPA)
  • Full compliance with CERT-In Directions under Section 70B of the IT Act, 2000
  • Alignment with industry-standard security frameworks such as NIST and CIS

Incident Response & Reporting Mandates

Our incident response program is designed to detect, contain, and remediate security incidents swiftly, recognizing critical regulatory obligations:

  • Mandatory 6-Hour Reporting Window: Should a designated cyber security incident occur affecting the Sentry platform or associated infrastructure, Lumiotech is legally bound and operationally prepared to report the incident to CERT-In within six (6) hours of noticing or being brought to notice about such incidents.
  • 24/7 Security Incident Response: Our dedicated team is on standby to investigate alerts, coordinate response measures, and fulfill reporting obligations at any hour.
  • Automated Threat Detection: We use advanced SIEM tools to correlate events and flag anomalies, aiding rapid triage.
  • Client Notification Protocols: If an incident affects client operational data, we promptly notify affected clients parallel to or immediately following the statutory regulatory notifications.

Contact Our Security Team & Point of Contact

In accordance with CERT-In directions, Lumiotech maintains a designated Point of Contact (PoC) to interface with regulatory bodies regarding cybersecurity matters.

If you have questions regarding our security measures or would like to report a potential security vulnerability, please contact our security operations center:
[email protected]