Information Security & Privacy

Your data’s security and privacy are Luminovo’s top priorities. If you have any comments, concerns or questions about our data security & privacy at Luminovo, please send your request to security@luminovo.com.

Enterprise-ready security & privacy

Germany based. Our Microsoft Azure hosting servers are located in Frankfurt, Germany.

ISO 27001 certified. All data hosting solutions (provided by Microsoft Azure) are fully compliant with ISO 27001 and SOC 2. Luminovo has also been ISO 27001 certified since June 2023.

Encryption in-transit and at-rest. All data is encrypted at rest using FIPS 140-2 validated cryptographic modules and the AES 256-bit cipher. For transport layer security, we use TLS 1.2+ everywhere.

Multi-tenant security. In our multi-tenant architecture, the software enforces separation of different customers' data at the database level.

Information security officer. Data security is a top-level management priority. Our founder and managing director Timon Ruban is our information security officer.

GDPR-compliant. As an EU-based company, we comply with the GDPR.

Backups and disaster recovery. We do automatic backups ranging from instantly to every four hours and keep the backups in zone-redundant storage for up to 7 days.

Vulnerability protection. We use an automated security scanner on every code change to uncover any known vulnerabilities and misconfigurations in our software.

DDoS protection. Access to our servers is protected from denial-of-service attacks using Cloudflare’s always-on DDoS protection.

Suspicious IP throttling. We automatically protect against suspicious logins targeting too many accounts from a single IP address.

Strong password policies. A strong password policy (disallowing the 10,000 most common passwords, disallowing personal data such as the name, and enforcing minimum length, special characters, lower- and uppercase characters and numbers in any password) makes it difficult, if not improbable, for someone to guess a password through either manual or automated means.

Multi-factor authentication. We offer the option to secure your logins with multi-factor authentication.

Single Sign-On (SSO) and SAML. Available on Enterprise plans for secure, streamlined authentication.

Role-based access control. Define user and admin roles for customised access permissions.

Data Security & Privacy Documents

ISO 27001:2022 Certificate

Data Processing Agreement / Auftragsverarbeitungsvertrag

View as .doc file:

Data Privacy Statement of our products

Data Privacy Statement of our website luminovo.com

FAQ

How long does Luminovo store my data?

Luminovo deletes personal data after 30 days unless otherwise defined by law. Exceptions are data such as names and e-mail addresses which will be deleted at the end of the contract period. Deletion happens automatically in the relevant tools of our subprocessors. If no automatic deletion functionality is available, Luminovo’s Product Intelligence unit deletes personal data manually. For more in-depth information, please contact us at security@luminovo.com.


All customer data gets deleted by Luminovo 30 days after the agreement ends, or earlier upon written request by the customer (GTC 11.5).

Do you share personal data with subprocessors?

Yes, personal data is shared with subprocessor tools. Among other things, we use these tools to ensure a great user experience and to help continuously improve our products.


Please find a list of the tools and the reasons why we use them here.

Which cookies does your website luminovo.com collect?

Which cookies does your software Luminovo collect?

Which are your technical and organisational measures (TOMs)?

You can find a list of our technical and organisational measures (TOMs) in annex 3 of our Data Processing Agreement (DPA). We linked the list for you here.

How does Luminovo ensure effective security monitoring and respond to incidents?

For example, we use software such as Honeycomb to monitor our systems. We also have defined change management procedures to control and document changes to the software in order to minimize security risks.


We collect, store and analyze log data in accordance with the requirements of our ISO 27001 certification. Our Incident Response Plan, which is also part of this certification, includes clearly defined steps for detecting, reporting and responding to security incidents.

In addition, we conduct regular vulnerability scans and offer a bug bounty program to identify and remediate potential threats at an early stage.

What happens in case of a personal data breach?

In the event of a data breach, we immediately conduct an investigation and notify the relevant stakeholders. This ensures swift, effective, and comprehensive measures are taken to mitigate any potential impact.
