Lucidworks Technical & Organizational Security Measures

Lucidworks’ technical and organizational security measures are detailed below. Capitalized terms used but not defined herein shall have the meaning set forth in the Agreement’s General Terms and Conditions.

Technical and Organizational Security Measures

Measures of pseudonymisation and encryption of personal data

See the technical and organizational security measures set forth in the NSF ISO 27001:2013 Audit Report relevant to management of information security in development, operation, and administration of cloud-based search, software platforms, product documentation, personal data and electronic documents, dated June 3, 2022. Lucidworks uses a strong, current cryptographic protocol to encrypt Customer information at rest, consistent with National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.

Lucidworks uses TLS 1.2 or higher encryption for data in transit and AES-256 encryption for data at rest. Encryption keys are unique to Lucidworks and cannot be managed by Customers.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

See the technical and organizational security measures set forth in the NSF ISO 27001:2013 Audit Report referenced above.

Lucidworks Fusion is a data platform service delivered over the public internet. It is intended to store and process information on behalf of Lucidworks’ customers, and Lucidworks has designed and operates the service to assure the security, confidentiality, and integrity of the data and the underlying system. Software is obtained directly from Lucidworks’ Helm chart and Docker repositories, served over TLS from hosts with validated certificates. Lucidworks Fusion systems are monitored continuously by external and internal automated monitoring systems. Fusion’s software architecture is designed to tolerate faults in individual services, servers, or components: if any component fails, the system automatically provisions and deploys a replacement. Each component is redundant and can tolerate failure until it has been replaced, provided there are no further failures of the redundant components within the replacement timeframe.

Measures for ensuring the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident

See the technical and organizational security measures set forth in the NSF ISO 27001:2013 Audit Report referenced above.

Lucidworks will maintain and test a Business Continuity and Disaster Recovery plan so that it can continue to meet its obligations to customers despite disruption by a physical or technical incident. Lucidworks systems are backed up daily, at least once every 24 hours. Backups are replicated across regions and are thus protected against the failure of any one region. Lucidworks updates the Business Continuity plan annually and tests scenarios twice per year. The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for the Service shall be 24 hours. In the event of a disaster, Lucidworks shall use its best efforts to restore the Services within 24 hours of the disaster.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Lucidworks has been audited and certified to the ISO 27001 standard. Lucidworks source code is verified by several layers of review, including manual code review by the developer and multiple team members, automated tests on every software build and release, and automated source code scanning. Each release is scanned for known vulnerabilities against the Common Vulnerabilities and Exposures (CVE) database and is tested using penetration testing tools, including internal automated and manual tests and external tests.

Measures for user identification and authorization

See the technical and organizational security measures set forth in the NSF ISO 27001:2013 Audit Report referenced above.

Lucidworks systems related to Customer data are configured to require multi-factor authentication. Lucidworks will prevent unauthorized persons from accessing Customer systems that process any customer personal information. Access to production systems is restricted and granted on a need-to-know basis under the principle of least privilege, only to the extent necessary to fulfill Lucidworks’ obligations to customers in accordance with the Service Agreements. Access is reviewed quarterly.

Measures for the protection of data during transmission

Lucidworks systems relevant to personal data use TLS 1.2 or higher encryption for data in transit, consistent with the NIST guidance on Security Requirements for Cryptographic Modules referenced in NIST Special Publication 800-52.

Measures for the protection of data during storage

Lucidworks will use a strong, current cryptographic protocol to encrypt Customer information at rest, consistent with National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Lucidworks systems relevant to personal data use AES-256 encryption for data at rest.

Measures for ensuring physical security of locations at which personal data are processed

Lucidworks uses third-party cloud service vendors for processing of personal data. Lucidworks’ third-party vendor management process ensures that vendors have appropriate physical security controls, including but not limited to locks for rooms, security card and badge readers controlling access to restricted areas, locked cabinets for storage of paper files containing Customer information, and cable locks for devices. Vendors are reviewed annually.

Measures for ensuring event logging

Lucidworks maintains a centralized logging and alerting system. Examples of security events that trigger an alert include (but are not limited to) unauthorized attempts to access production infrastructure and application vulnerabilities. Events generate alerts and reports for investigation. If a security incident occurs, our security team is alerted, tracks and investigates the incident, and works with the Cloud Operations team following our internal Incident Management and Corrective Actions procedures.

Measures for ensuring system configuration, including default configuration

Lucidworks uses a change management framework to ensure proper system configuration. Configuration changes are migrated from development systems upon request after review by the Lucidworks Managed Services and/or Cloud Operations teams. Lucidworks follows an infrastructure as code (IaC) methodology, and all configurations are checked in as source code to our source code repository.

Measures for internal IT and IT security governance and management

Lucidworks will maintain comprehensive Lucidworks Safeguards that comply with the International Organization for Standardization and International Electrotechnical Commission 27001/2:2013 (ISO/IEC 27001:2013) standards, for which Lucidworks will obtain third-party certification annually from the applicable independent accreditation body. Upon request, Lucidworks will provide to Customer any information relating to Lucidworks’ Processing of Personal Information as well as any and all documentation relevant to Lucidworks’ protection of Personal Information, including policies and procedures, operations manuals or instructions, confidentiality agreements, and any subcontracts or subcontractor agreements pertaining to Processing of Customer Personal Information. “Process” or “Processing” means the collection, recording, organization, alteration, use, access, disclosure, copying, transfer, storage, deletion, combination, destruction, disposal, or other use of Personal Information.

Measures for certification/assurance of processes and products

Lucidworks has been audited and certified to the ISO 27001 standard.

Measures for ensuring data minimisation

Lucidworks will maintain (for as long as required under Applicable Law) and regularly review detailed log files and audit trails designed to detect and respond to security events. The quantity of data indexed into the search index, how long it is kept, and how often it is updated are determined by the Customer.

Measures for ensuring data quality

Data is provided by Customers to Lucidworks Fusion through Connectors that access external data sources. Lucidworks Fusion connectors support many different data sources, both private and public. Lucidworks Fusion ingests and processes data into a search index and allows customers to securely query their data. Lucidworks provides portals through which data subjects can review data and ensure its accuracy. To help ensure integrity and completeness, Lucidworks synchronizes all system clocks against a single reference time source.

Measures for ensuring limited data retention

Lucidworks has defined a Data Protection and Retention Policy that establishes the protocol for retaining information for operational or regulatory compliance needs.

Measures for ensuring accountability

Lucidworks maintains a dedicated portal for employee security education. Security training includes programs appropriate for each role, annual security awareness training, and regular phishing campaigns. Lucidworks has documented requirements for the appropriate use of its systems and data in its Acceptable Use Policy.

Measures for ensuring segmented data

Lucidworks physically and logically segments and isolates Customer information from the personal information of other Customers at all times. Each customer environment is provisioned within its own Virtual Private Cloud (VPC) within our public cloud provider’s infrastructure. No connectivity is established or configured between different VPCs, so each customer environment is isolated and its indexed data remains segregated from every other customer environment.

Measures for allowing data portability and ensuring erasure

Lucidworks will ensure that Customer personal information cannot be accessed, read, copied, modified, removed or otherwise processed without the Customer’s authorization during electronic transmission or transport. Lucidworks will maintain electronic records of where and to whom personal information is transferred and by whom it has been accessed, through the use of monitoring and appropriate access management tools and systems. Where data destruction is required, a destruction certificate can be provided upon request.

Technical and organizational measures of sub-processors

Lucidworks has a defined third-party risk management process. This process includes vendor onboarding, so that controls can be verified before engagement. Audits include reviewing the critical vendor’s independent audit reports and certifications, when available; the security team evaluates these reports and certifications to determine whether additional measures need to be taken. Vendors are reviewed annually.

Risk assessments

Lucidworks will complete required vendor risk assessments upon execution of the Services Agreement and annually or upon request thereafter.

Background Checks

Lucidworks has conducted or will initiate and conduct background and criminal checks on personnel at its own expense, consistent with its hiring criteria and in accordance with the Applicable Law of the locations where such personnel work.

Penetration Testing

Lucidworks performs third-party application penetration tests annually or after significant changes have been made to the application, and can provide the executive summary portion of a report upon request.
Security Incident Response
  1. If Lucidworks reasonably believes there has been a Security Incident, it will without undue delay notify Customer of the Security Incident and provide sufficient information to allow Customer to report the Security Incident or notify individuals and regulators as required under applicable Data Protection Laws, including regarding: (a) the nature of the Security Incident; (b) the categories and approximate numbers of individuals and Customer Personal Information records concerned; (c) any investigations into such Security Incident; (d) the likely consequences of the Security Incident; (e) any measures taken to address the Security Incident; and (f) any other information required by applicable Data Protection Laws, provided that (without limit to the above obligations) if Lucidworks cannot provide all these details within such timeframes, it shall, before the end of this timeframe, provide Customer with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give Customer regular updates on these matters.
  2. “Security Incident” means any unauthorized interference with the availability of, or any unauthorized, unlawful or accidental loss, misuse, destruction, alteration, acquisition of, access to, disclosure of, or damage to Customer Personal Information or any other data received from Customer, or any other unauthorized Processing of Customer Personal Information.
  3. Lucidworks will also:
    1. cooperate with Customer in providing information to governmental or regulatory authorities or notices regarding the Security Incident that Customer deems appropriate; and
    2. take all reasonable actions necessary to remediate and mitigate the effects and to minimize any damage resulting from the Security Incident.
  4. Lucidworks will provide Customer with access to the ticketing system in resolving obligations associated with a Security Incident.