21. 3rd Party Policy
Luma makes every effort to assure all 3rd party organizations are compliant and do not compromise the integrity, security, and privacy of Luma or Luma Customer data. 3rd Parties include Customers, Partners, Subcontractors, and Contracted Developers.
21.1 Applicable Standards
21.1.1 Applicable Standards from the HITRUST Common Security Framework
- 05.i - Identification of Risks Related to External Parties
- 05.k - Addressing Security in Third Party Agreements
- 09.e - Service Delivery
- 09.f - Monitoring and Review of Third Party Services
- 09.g - Managing Changes to Third Party Services
- 10.1 - Outsourced Software Development
21.1.2 Applicable Standards from the HIPAA Security Rule
- 164.314(a)(1)(i) - Business Associate Contracts or Other Arrangements
21.2 Policies to Assure 3rd Parties Support Luma Compliance
- Luma does not allow 3rd party access to production systems containing ePHI.
- All connections and data in transit between the Luma Platform and 3rd parties are encrypted end to end.
- A standard business associate agreement with Customers and Partners is defined and includes the required security controls in accordance with the organization’s security policies when deemed necessary. Additionally, responsibility is assigned in these agreements.
- Luma has Service Level Agreements (SLAs) with Subcontractors with an agreed service arrangement addressing liability, service definitions, security controls, and aspects of services management.
- Subcontractors must coordinate, manage, and communicate any changes to services provided to Luma.
- Changes to 3rd party services are classified as configuration management changes and thus are subject to the policies and procedures described in §9; substantial changes to services provided by 3rd parties will invoke a Risk Assessment as described in §4.2.
- Luma utilizes monitoring tools to regularly evaluate Subcontractors against relevant SLAs.
- No Luma Customers or Partners have access outside of their account, meaning they cannot access, modify, or delete anything related to other 3rd parties.
- Luma maintains and annually reviews a list of all current Partners and Subcontractors.
- The list of current Partners and Subcontractors is maintained by the Luma Privacy Officer, includes details on all provided services (along with contact information), and is recorded in §1.4.
- The annual review of Partners and Subcontractors is conducted as a part of the security, compliance, and SLA review referenced below.
- Luma assesses security, compliance, and SLA requirements and considerations with all Partners and Subcontractors. This includes annual assessment of SOC2 Reports for all Luma infrastructure partners.
-
Luma leverages recurring calendar invites to assure reviews of all 3rd party services are performed annually. These reviews are performed by the Luma Security Officer and Privacy Officer. The process for reviewing 3rd party services is outlined below:
- The Security Officer initiates the SLA review by activating a Vendor Annual Review Questionniare in Google Forms.
- The Security Officer, or Privacy Officer, is assigned to review the SLA, BAA, SOC2 reports and performance of 3rd parties. The list of current 3rd parties, including contact information, is also reviewed to assure it is up to date and complete.
- SLA, BAA, security, and compliance performance is documented in the Workflow.
- Once the review is completed and documented, the Security Officer approves or rejects the Workflow completion. If the Workflow completion is rejected, it goes back for further review and documentation.
-
- Regular review is conducted as required by SLAs to assure security and compliance. These reviews include reports, audit trails, security events, operational issues, failures and disruptions, and identified issues are investigated and resolved in a reasonable and timely manner.
- Any changes to Partner and Subcontractor services and systems are reviewed before implementation.
- For all partners, Luma reviews activity annually to assure partners are in line with SLAs in contracts with Luma. This is managed through Google Forms.
- SLA review is monitored on a quarterly basis reporting to assess compliance with above policy. The reviews take into account but are not limited to; the third party’s limitations of access, arrangements for compliance auditing, required security controls, and penalties.