What security and vulnerability management practices does Lumion follow?

In choosing Lumion, you are in good company!
Over a decade since its launch, Lumion has reached the point where it is used every day in many countries on all continents across the world. It has become an essential tool in many kinds of organization, ranging from educational institutions, through government facilities to private architectural firms.
We’d like to reassure you that we take risk management, data security, privacy and software reliability seriously, and we take strong measures to ensure that these principles are embedded in the way we operate and serve our customers.
Our information security practices are aligned with the ISO/IEC 27001 standard, which provides a structured framework for managing security risks across people, processes, and technology. While we do not currently hold formal certification, our policies and controls reflect the requirements of this internationally recognised standard.
We conduct annual penetration testing performed by independent external security specialists. Findings are assessed, prioritised by risk, and remediated according to defined timelines. This process ensures our services are regularly validated against real-world attack scenarios by parties outside our own organisation.
Our headquarters are in the EU and we take our lead from European legislation, which may mean that we do not comply with some specific local requirements, however, please be reassured that we take many measures to ensure that risks are managed and data is handled sensitively and correctly.
Security Practices
For additional information, the following activities are an indication of the kinds of things that we do:
Data Protection and Privacy
- We have a strong commitment to data protection and privacy as laid out in our Privacy Policy and Terms of Service.
- We comply with General Data Protection Regulations (GDPR). These are the European regulations which define strict requirements about data management, consent and privacy.
Licence Management
- Lumion licences are managed and accessed by the customer via the Account Portal.
- As outlined in our EULA, Lumion commercial licences are perpetual and not tied to a subscription service.
Usage & Reliability of Service
- Floating Licences: Lumion Licences can be installed and accessed from any PC or member of your organization, as per our EULA.
- Commercial licence owners also benefit from our friendly, fast and dedicated technical support team.
Information Storage
The License Key system stores the PC name where Lumion is used and machine fingerprint, which are only collected for system identification and License purposes.
There are only three main data types that Lumion stores and has access to:
- License Key startup and release info (this simply registers info regarding if the license has been successfully opened and on what machine). It includes the date, IP address, Country, and Lumion version too.
- Telemetry information (for how the user is interacting with the UI) (optional).
- Hardware information (for the Benchmark).
When Lumion is turned on for the first time, users are asked if they want to participate in our Customer Experience Improvement Program. If the user selects "Yes", then the local Lumion software will send anonymous hardware performance and telemetry info to Act-3D servers for the purposes of improving future versions of Lumion. No personal information is transmitted or stored. Note that users can simply select 'No' to opt-out. Please see our web for more information:
- Web Site: Customer Experience Improvement Program .