LumpSum+

Security & Compliance

Your relocation data, budget allocations, and transaction records are protected by enterprise-grade security measures aligned with industry standards.

Effective Date: February 2026

Data Encryption

All sensitive data is encrypted in transit (TLS 1.3) and at rest (AES-256) to protect relocation profiles, budget allocations, and transaction records.

Audit Logging

Every transaction, approval, and exception is logged for compliance and dispute resolution, giving employers a complete audit trail of program activity.

Role-Based Access Control

Fine-grained permissions ensure employees see only their data, while B2B admins see what they approve. Vendor marketplace access is restricted by role.

SOC 2 Type II Certification

We are working toward SOC 2 Type II certification and undergo regular security assessments.

Our Security Framework

LumpSum+ implements comprehensive security controls across six key areas to protect your relocation profiles, budget allocations, employer program data, and AI planning information.

Infrastructure Security

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • AWS cloud infrastructure with enterprise-grade data centers
  • Multi-region redundancy and automated backups
  • DDoS protection and Web Application Firewall (WAF)

Application Security

  • Multi-factor authentication (MFA) for all user accounts
  • Session management with automatic timeout
  • Input validation and output encoding to prevent injection attacks
  • API rate limiting to prevent abuse
  • HTTPS-only communication with secure headers

Data Protection

  • Encryption key management with key rotation
  • Immutable audit logs for transaction history
  • Role-based access controls (RBAC) for relocation data and employer policies
  • Data classification and handling procedures
  • Secure data deletion protocols compliant with standards

Vulnerability Management

  • Regular penetration testing and security assessments
  • Responsible disclosure program for security researchers
  • Automated dependency scanning and patch management
  • Security incident response playbooks
  • Third-party security assessment of vendors

Employee Security

  • Background checks for all team members with access to data
  • Mandatory security training and awareness programs
  • Regular access reviews and least-privilege principles
  • Signed non-disclosure agreements (NDAs)
  • Device security policies for company-issued equipment

Third-Party Security

  • Vendor security assessments before engagement
  • Contractual data protection requirements
  • Stripe PCI DSS compliance for payment processing
  • Regular vendor compliance audits
  • Sub-processor agreements and DPA clauses

Data Protection Standards

Encryption & Storage

  1. In Transit: All communication uses TLS 1.3 encryption to protect data as it moves between your device and our servers.
  2. At Rest: Sensitive data (relocation profiles, budget allocations, transaction records) is encrypted using AES-256, the same standard used by government agencies.
  3. Key Management: Encryption keys are rotated regularly and stored separately from encrypted data.
  4. Backups: Regular automated backups are encrypted and stored in geographically separate locations for disaster recovery.

Access Controls & Authentication

  1. Multi-Factor Authentication: All accounts require MFA (authenticator app, SMS, or email) to prevent unauthorized access.
  2. Role-Based Access: Employees see only their relocation data and budget allocations. B2B admins have view/approval access based on their role. Vendor marketplace access is restricted by permissions.
  3. Session Management: Sessions automatically expire after 30 minutes of inactivity. Logout on all devices is available for enhanced security.
  4. Least Privilege: Employees have access only to data and features needed for their role. Access is reviewed quarterly and revoked immediately upon role change.

Audit & Monitoring

  1. Immutable Audit Logs: Every action (login, data view, transaction, approval) is logged with timestamp and user identity. Logs cannot be modified or deleted.
  2. Real-Time Monitoring: Our security team monitors for suspicious activity including unusual login patterns, bulk data access, and failed authentication attempts.
  3. Compliance Reporting: Audit logs are retained for 7 years and available for regulatory compliance and dispute resolution.

Payment Security

  1. PCI DSS Compliance: All payment processing is handled by Stripe, a PCI DSS Level 1 compliant processor. LumpSum+ does not store full credit card details.
  2. Tokenization: Stripe issues secure tokens for transactions so we never handle raw payment data.
  3. Fraud Detection: Stripe's machine learning models detect fraudulent transactions in real time.

Compliance Standards

SOC 2 Type II Certification

We are pursuing SOC 2 Type II certification. We undergo regular security audits covering access controls, data protection, availability, and incident response.

GDPR Compliant

For users in the European Union, we comply with the General Data Protection Regulation including data subject rights, privacy impact assessments, and data protection officer availability.

CCPA Compliant

For California residents, we respect all rights under the California Consumer Privacy Act including the right to know, delete, correct, and opt out of data sales.

PCI DSS Compliance

Payment processing is handled by Stripe, a PCI DSS Level 1 compliant service provider, ensuring the highest standards for payment card security.

AWS Infrastructure

LumpSum+ is hosted on Amazon Web Services, ensuring enterprise-grade infrastructure security and reliability.

Vulnerability Management & Testing

Regular Security Assessments

  • Quarterly penetration testing by third-party security firms
  • Annual comprehensive security audits
  • Automated vulnerability scanning with SAST and DAST tools
  • Dependency scanning to identify vulnerable libraries

Responsible Disclosure Program

We welcome responsible security research from the security community. If you discover a security vulnerability:

  • Email security@lumpsumplus.com with vulnerability details
  • Do not publicly disclose the vulnerability until we've had 90 days to patch
  • We will acknowledge receipt within 24 hours and provide updates every 2 weeks
  • Responsible researchers may be acknowledged in our security advisory (with permission)

Patch Management

  • Critical security updates deployed within 24 hours of release
  • High-priority updates deployed within 7 days
  • Medium-priority updates deployed within 30 days
  • Zero-downtime deployment practices to maintain service availability

Incident Response & Breach Notification

Our Commitment

LumpSum+ maintains a comprehensive incident response plan to minimize the impact of any security incident. In the unlikely event of a data breach:

  1. Immediate Investigation: Our security team will immediately investigate the incident, determine the scope, and contain the breach.
  2. Notification Timeline: We will notify affected users within 72 hours of confirming a breach, as required by GDPR and CCPA. Notification will include details of the breach, data affected, steps we took, and recommended user actions.
  3. Regulatory Reporting: We will notify relevant data protection authorities as required by applicable laws (GDPR, CCPA, and state breach notification laws).
  4. Post-Incident Review: After the incident is contained, we will conduct a post-incident review to identify root causes and implement corrective measures to prevent recurrence.

Employee & Vendor Security

Employee Security

  • Background checks for all employees with data access
  • Mandatory security awareness training (annual)
  • Quarterly access reviews and privilege audits
  • Signed confidentiality and non-disclosure agreements
  • Secure device policies for company equipment (encryption, MFA)
  • Immediate access revocation upon termination

Third-Party Vendor Security

  • Pre-engagement security assessments
  • Contractual data protection requirements (DPA)
  • Annual compliance audits and attestations
  • Stripe: PCI DSS Level 1 compliance for payment processing
  • AWS: Enterprise-grade cloud infrastructure
  • Sub-processor agreements for any further data sharing

Security Inquiries & Concerns

If you have questions about our security practices, discover a vulnerability, or have concerns about your data security:

Email: security@lumpsumplus.com

Our security team will respond to your inquiry within 24 hours for urgent matters and 5 business days for general inquiries.

Additional Security Resources

Best Practices for Your Account

  1. Enable Multi-Factor Authentication: Use an authenticator app (Google Authenticator, Authy) instead of SMS when possible for stronger security.
  2. Use Strong Passwords: Create unique passwords at least 12 characters long with a mix of upper/lowercase, numbers, and symbols. Consider using a password manager.
  3. Monitor Account Activity: Regularly review login history and active sessions. Log out from unrecognized devices.
  4. Verify Communications: LumpSum+ will never ask for your password or MFA codes via email or phone. Be cautious of phishing attempts.
  5. Keep Software Updated: Update your operating system, browser, and applications regularly to patch security vulnerabilities.

Need more details about our security measures or have specific compliance requirements?
