Your Data Matters to Lucro

We know you care about your data, and so do we. Lucro users trust us with thousands of their projects. That trust is based on us keeping that data both private and secure. The information on this page is intended to provide transparency about how we protect that data. We will continue to expand and update this information as we add new security capabilities and make security improvements to our products.

Security Program

Lucro is committed to maintaining a high standard of data privacy, which includes making continuous improvements of security requirements and conducting internal security audits regularly to ensure your data is safe. Our security architecture is designed to meet the highest security standards.

Our engineering team prioritizes protecting the data you store in our service within product development. We drive a security program that includes the following focus areas: product security, infrastructure controls (physical and logical), policies, and employee awareness.

Our engineering team has procedures and tools in place to respond to security issues and continues to evaluate new technologies to improve our ability to detect attacks against our infrastructure, service, and employees.

We periodically assess our infrastructure and applications for vulnerabilities and remediate those that could impact the security of customer data. Our engineering team continually evaluates new tools to increase the coverage and depth of these assessments.

PHI and Internal Networks

Lucro is completely isolated from your internal network. Our platform never stores any PHI and never touches patient data.

Network Security

Lucro is hosted in a secure environment. Lucro uses Amazon Web Services (RDS & S3) to manage user data. All interactions with our platform use the Secure Sockets Layer (SSL) protocol. Whenever your data is in transit between you and us, everything is encrypted and sent using HTTPS.

Lucro defines its network boundaries using a combination of load balancers, firewalls, and VPNs, which are used to control which services we expose to the Internet and to segment our production network from the rest of our computing infrastructure. We limit who has access to our production infrastructure based on business need and strongly authenticate that access.

Account Security

Our production environment access is restricted to only essential personnel, and all code changes are reviewed before being deployed to production. Our deployment process is automated to ensure consistency and reliability, as well as to allow us to react quickly in case a vulnerability is identified.

Lucro never stores your password in plaintext. When we need to securely store your account password to authenticate you, we hash credentials with the bcrypt hashing algorithm. We select the number of hashing iterations in a way that strikes a balance between user experience and password cracking complexity.

Product Security

Securing our internet-facing web service is critically important to protecting your data. Our engineering team drives an application security program to improve code security hygiene and periodically assess our service for common application security issues including: CSRF, injection attacks (XSS, SQLi), session management, URL redirection, and clickjacking.

Customer Segregation

The Lucro service is multi-tenant and does not segment your data from other users’ data. Your data may live on the same servers as another user’s data. We consider your data private and do not permit another user to access it unless you explicitly share it.

Activity Logging

Lucro performs server-side logging of client interactions with our services. This includes web server access logging. We also collect event data from our client applications.

Resiliency / Availability

We operate a fault tolerant architecture to ensure that Lucro is there when you need it. AWS provides fault tolerant facility services including: power, HVAC, and fire suppression. We back up all customer content at least once daily. We do not utilize portable or removable media for backups.

Physical Security

We operate the Lucro service using cloud services, specifically the AWS. AWS has undergone multiple certifications that attest to its ability to physically secure Lucro’s data. You can read more about AWS’s security here. All Lucro data resides inside the United States.

Future Encryption Protection

Lucro uses industry-standard encryption to protect your data in transit. This is commonly referred to as transport layer security (“TLS”) or secure socket layer (“SSL”) technology. In addition, we support HTTP Strict Transport Security (“HSTS”). We support a mix of cipher suites and TLS protocols to provide a balance of strong encryption for browsers and clients that support it and backward compatibility for legacy clients that need it. We plan to continue improving our transport security posture to support our commitment to protecting your data.

We support STARTTLS for outbound email. If your mail service provider supports TLS, your email will be encrypted in transit.

Customer data that we store in AWS will be protected using AWS’s built-in encryption-at-rest features. More technically, we use AWS’s server-side encryption feature with AWS encryption keys to encrypt all data at rest using AES-256, transparently and automatically. You can find additional information on how encryption at rest protects your data here.

Security is our highest priority

If you have any questions about our data protocols or your security, please reach out to us at teamlucro@lucro.com.