
Lucidworks Technical & Organizational Security Measures

Last updated April 15, 2025

Technical and Organizational Control: Security Measure
Certification/assurance of processes and products:

See the technical and organizational security measures set forth in (i) the Lucidworks ISO 27001:2022 audit report, relevant to the management of information security in the development, operation, and administration of cloud-based search, software platforms, product documentation, personal data, and electronic documents in accordance with the Statement of Applicability, and (ii) the Lucidworks SOC 2 Type II audit report, based on the trust services criteria relevant to Security, Availability, and Confidentiality set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Current and prospective customers can download Lucidworks audit reports, as well as other security documentation, via the Lucidworks Trust Center at https://trust.lucidworks.com/.
Security governance and management:

Lucidworks maintains comprehensive safeguards that comply with ISO 27001:2022, relevant to the management of information security in the development, operation, and administration of cloud-based search, software platforms, product documentation, personal data, and electronic documents, and with SOC 2 Type II, based on the trust services criteria relevant to Security, Availability, and Confidentiality set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Upon request, Lucidworks will provide to the customer any information relating to Lucidworks' processing of personal information, as well as any and all documentation relevant to Lucidworks' protection of personal information, including policies and procedures, operations manuals or instructions, confidentiality agreements, and any subcontracts or subcontractor agreements. "Processing" refers to the collection, recording, organization, alteration, use, access, disclosure, copying, transfer, storage, deletion, combination, destruction, disposal, or other use of personal information.
Confidentiality, integrity, availability, and resiliency of processing systems and services:

Lucidworks products, intended to store and process information on behalf of Lucidworks' customers, are delivered over the public internet. Lucidworks has designed and operates the service to assure the security, confidentiality, and integrity of customer data and the underlying systems. "Lucidworks products" may refer to Lucidworks Search (previously Fusion); Lucidworks AI; Signals Beacon; Data Acquisition & Connectors; and Lucidworks Studios, consisting of Analytics Studio, Commerce Studio, and Knowledge Studio. Please reach out to Lucidworks for a complete list.

Software is obtained directly from the Lucidworks Helm chart and Docker image repositories and served over TLS from hosts whose certificates are validated.

Lucidworks systems are monitored continuously by external and internal automated monitoring systems. Software architecture is designed to be tolerant to faults of individual services, servers, or components. In case of failure of any component, the system is programmed to provision and deploy a replacement. Each component is redundant and can tolerate failure until it has been replaced, provided there are no further failures of the redundant components within the replacement timeframe.
Data restoration in the event of a physical or virtual incident:

Lucidworks maintains a business continuity and disaster recovery program to maintain its obligations to customers despite potential interruptions. Business continuity procedures are reviewed and tested at least annually.

The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for the service are each 24 hours. Critical systems with higher contracted SLAs may be backed up more frequently. In the event of a disaster, Lucidworks will use best efforts to restore the services within 24 hours of the disaster.
Security incident response:

If Lucidworks reasonably believes there has been a security incident, it will without undue delay notify the affected customer of the incident and provide sufficient information to allow the customer to report the incident and/or notify individuals and regulators as required under applicable Data Protection Laws, including regarding: (a) the nature of the security incident; (b) the categories and approximate numbers of individuals and customer personal information records concerned; (c) any investigations into the incident; (d) the likely consequences of the security incident; (e) any measures taken to address the incident; and (f) any other information required by applicable Data Protection Laws. Without limiting the above obligations, if Lucidworks cannot provide all of these details within that timeframe, it shall, before the end of the timeframe, provide the customer with the reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give the customer regular updates on these matters.

"Security Incident" means any unauthorized interference with the availability of, or any unauthorized, unlawful or accidental loss, misuse, destruction, alteration, acquisition of, access to, disclosure of, or damage to customer personal information or any other data received from the customer, or any other unauthorized processing of customer personal information.

Lucidworks will also (a) cooperate with the customer in providing information to governmental or regulatory authorities or notices regarding the security incident that the customer deems appropriate; (b) take all reasonable actions necessary to remediate and mitigate the effects and minimize any damage resulting from the incident; and (c) provide the customer with access to the ticketing system to resolve obligations associated with a security incident.
Code reviews and testing:

Lucidworks source code is verified by several layers of review, including manual code review by the developer and multiple team members, automated tests on every software build and release, and automated source code scanning. Each release is scanned for known vulnerabilities against the Common Vulnerabilities and Exposures (CVE) list and tested using penetration testing tools, including internal automated and manual tests as well as external tests.
User identification and authentication:

Lucidworks systems related to customer data are configured to require multi-factor authentication, thereby preventing unauthorized persons from accessing systems that process personal information.

Access to production systems is restricted and provided on a business need-to-know basis, following the principle of least privilege. Access is granted only to the extent necessary to fulfill Lucidworks' obligations to customers in accordance with Service Agreements, and is reviewed upon onboarding, upon job change, and quarterly, as per the Lucidworks Access Control Policy.
Physical security:

Lucidworks uses third-party cloud services vendors for the processing of personal data. Lucidworks vendor management procedures ensure vendors have appropriate physical security controls, including, but not limited to, locks for rooms, security card and badge readers controlling access to restricted areas, locked cabinets for storage of paper files containing customer information, and cable locks for devices. Vendors are reviewed regularly based on the risk and criticality of the services provided.
Event logging:

Lucidworks utilizes a centralized logging and alert system. Examples of security events that will trigger an alert include, but are not limited to, unauthorized attempts to access production infrastructure and application vulnerabilities. Events generate alerts and reports for investigation.

In the case of a security incident, the Lucidworks Security & Compliance team, in conjunction with the Cloud Operations team, investigates, tracks, and documents the incident as per internal incident management and corrective action procedures.

Lucidworks maintains, for as long as required under Applicable Law, and regularly reviews detailed log files and audit trails designed to detect and respond to security events. The quantity of data being indexed into the search index, how long it is kept, and how often it is updated is determined by the customer.
System configuration:

Lucidworks utilizes a change management framework to ensure proper system configurations. Configuration changes are migrated from development systems upon request after review by the Lucidworks Managed Services and/or Cloud Operations teams. Lucidworks uses an infrastructure as code (IaC) methodology: all configurations are checked in as source code to the Lucidworks source repository.
Data encryption:

Lucidworks systems relevant to personal data use strong, current cryptographic protocols to encrypt customer information.

Consistent with the System and Communications Protection control family of NIST Special Publication 800-53: (a) data in transit is encrypted using TLS 1.2 or higher, and (b) data at rest is encrypted using AES-256.
Data quality:

Data is provided by customers to Lucidworks through connectors that access external data sources. The connectors support a wide range of data sources, both private and public. The Lucidworks Platform ingests and processes data into a search index and allows customers to securely query their data.

Lucidworks provides portals wherein data subjects can review data elements and accuracy. To ensure integrity and completeness, Lucidworks syncs all system clocks against a single reference time source.
Data retention:

The organization has defined data retention standards that establish the protocols for retaining information for operational and regulatory compliance needs.
Data protection:

Controls are in place to protect customer data from improper alteration or destruction. Data is handled according to its classification requirements and is encrypted at rest and in transit using approved cryptographic protocols.

Customer data is logically separated at the database level using a unique identifier for each customer. Access to customer data is based on the principle of least privilege and strictly controlled and managed; all access is logged and reviewed on a regular basis.
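As an added illustration of the logical separation and least-privilege access described above (this is example code written for this page, not Lucidworks' implementation; the in-memory SQLite database, the table layout, the tenant names and the sample rows are constructed assumptions), every read is bound to the caller's tenant identifier in the query itself, each read is recorded for review, and an unscoped lookup is shown beside it to make the failure mode concrete:

```python
import sqlite3

# Constructed sample rows: two tenants sharing one physical database.
# These are assumptions for the example, not data from the page.
SAMPLE_ROWS = [
    ("acme", "doc-1", "ACME pricing sheet"),
    ("acme", "doc-2", "ACME roadmap"),
    ("globex", "doc-3", "Globex payroll"),
]


class TenantScopedStore:
    """Documents from all tenants live in one table, separated by tenant_id.

    Every read is bound to the caller's tenant_id in the WHERE clause, so a
    document id on its own never retrieves a row. Each access, successful or
    not, is recorded so that cross-tenant attempts show up in review.
    """

    def __init__(self, rows=SAMPLE_ROWS):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE documents ("
            "  tenant_id TEXT NOT NULL,"
            "  doc_id    TEXT NOT NULL,"
            "  body      TEXT NOT NULL,"
            "  PRIMARY KEY (tenant_id, doc_id))"
        )
        self.conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", rows)
        # One entry per read: who asked for what, and whether it was granted.
        self.audit_log = []

    def get_document(self, tenant_id, doc_id):
        """Scoped read: the tenant filter is part of the query, not optional."""
        row = self.conn.execute(
            "SELECT body FROM documents WHERE tenant_id = ? AND doc_id = ?",
            (tenant_id, doc_id),
        ).fetchone()
        self.audit_log.append(
            {"tenant": tenant_id, "doc": doc_id, "granted": row is not None}
        )
        return row[0] if row else None

    def list_documents(self, tenant_id):
        """Enumeration is scoped the same way; a tenant sees only its own ids."""
        rows = self.conn.execute(
            "SELECT doc_id FROM documents WHERE tenant_id = ? ORDER BY doc_id",
            (tenant_id,),
        ).fetchall()
        return [doc_id for (doc_id,) in rows]

    def unscoped_get_document(self, doc_id):
        """What NOT to do: a lookup keyed on doc_id alone crosses tenant
        boundaries, because nothing ties the returned row to the caller."""
        row = self.conn.execute(
            "SELECT body FROM documents WHERE doc_id = ?", (doc_id,)
        ).fetchone()
        return row[0] if row else None

    def denied_reads(self):
        """Audit-log entries worth reviewing: reads that matched no row in the
        caller's tenant, typically a guessed or enumerated foreign id."""
        return [entry for entry in self.audit_log if not entry["granted"]]


if __name__ == "__main__":
    store = TenantScopedStore()
    print(store.get_document("acme", "doc-1"))   # own document: returned
    print(store.get_document("acme", "doc-3"))   # another tenant's document: None
    print(store.unscoped_get_document("doc-3"))  # unscoped lookup leaks it
    print(store.denied_reads())                  # the cross-tenant attempt, logged
```

The point of putting the tenant filter inside the query rather than checking ownership after the fetch is that there is no code path that can forget the check: the composite primary key and the parameterized WHERE clause together make a foreign row unreachable, and the audit log turns failed attempts into something the regular access review can actually look at.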
Data portability and erasure:

Lucidworks ensures that customer personal information cannot be accessed, read, copied, modified, removed, or otherwise processed without the authorization of the customer during electronic transmission or transport. Lucidworks maintains electronic records of where and to whom personal information is transferred and by whom it has been accessed, via monitoring and appropriate access-management tools and systems. In instances where data destruction is required, a destruction certificate can be provided upon request.
Employee security awareness training:

Lucidworks maintains a dedicated portal for security education for employees. Security training includes training programs appropriate for each role, annual security awareness and data privacy training, and regular phishing campaigns. Lucidworks has documented requirements for the appropriate use of its systems and data in its Acceptable Use Policy.
Vendor management:

Lucidworks has a defined third-party risk management process, including a vendor onboarding process so that controls can be verified prior to engagement. Vendor assessments include reviewing vendors' independent audit reports and certifications upon onboarding and, thereafter, on a regular cadence based on risk and criticality.
Risk management:

Per the Lucidworks Risk Assessment Policy, Lucidworks has a procedure in place for the assessment and treatment of information security risks. Each risk is assigned to an owner and scored based on impact and likelihood. Risks are triaged and mitigated or accepted according to the acceptable level of risk defined by Lucidworks leadership. Remediation timelines are based on the assigned risk score. All risks are reviewed regularly by the Security & Compliance team.
Background checks:

Lucidworks conducts background and criminal checks on personnel at its own expense, consistent with its hiring criteria and in accordance with the Applicable Laws of the locations where such personnel work.
