Core Trust Principles

At Lucernes, LLC, we recognize that endpoint configuration management requires absolute operational integrity. We ground our engineering and deployment models in four unyielding principles modeled after world-class cloud infrastructure frameworks:

Absolute Customer Data Ownership: Any technical configuration telemetry or device metadata processed by our platform belongs exclusively to the managing organization. We maintain zero rights of commercialization over customer workloads.
Privacy by Explicit Design: Our system architectures isolate corporate governance loops from individual end-user content, embedding strict technical minimization rules directly into our API design handlers.
Operational Transparency: We publish exactly what properties our platform tracks, eliminating ambiguity surrounding background device query loops and enrollment authorities.
Defensive Engineering: We protect customer commands and endpoint responses through strict certificate-based isolation and cryptographic handshakes at every routing tier.

Document Control Identity: Ref LCRN-TRST-2026-V1 — Effective May 29, 2026.

Data Privacy Standard

Granular OS-Level Data Mapping

To establish absolute technical transparency, the following matrix identifies the precise native device attributes queried by the Lucernes MDM server engine based on administrative configurations:

Native Attribute / Field

Operational Purpose & Ingestion Rationale

Unique Device Identifier (UDID) / Serial Number

Primary cryptographic indexing keys. Required to identify physical hardware objects and accurately direct target configuration payloads within database schemas across all service tiers.

Operating System Version & Build Profile

Compliance auditing. Required to identify patch lifecycle states and prevent non-updated or highly vulnerable endpoints from routing into secure environments.

Application Inventory Payload (Bundle IDs)

Software validation. Required to run delta verifications against organization allowlists, ensuring core system applications (such as com.apple.Preferences) are intact and non-compliant software is restricted.

Geographic Coordinates / Location Telemetry
(Tier-Dependent Module)

Inactive by default. For accounts utilizing our advanced family-safety or high-governance tiers, location queries are explicitly enabled to provide parents or organization administrators with localized hardware asset recovery and real-time safety telemetry. This module requires explicit profile-level execution parameters and is entirely omitted in baseline service levels.

SCEP Transaction Metadata

Identity attestation. Used during initial onboarding to issue unique, device-bound mTLS client certificates from our private Root Certificate Authority.

Explicit Processing Exclusions

Because our platform operates strictly within the infrastructure configuration and safety plane, our backend handlers maintain absolute engineering restrictions preventing any access to, or collection of: personal messages, communication logs, camera feeds, photos, browser caches, or personal authentication passwords.

Inquiries and Data Subject Rights

Organization tenants, administrators, and individual end-users seeking to exercise rights of access, correction, or programmatic data erasure consistent with regional privacy frameworks may direct formal inquiries directly to our security management point of contact at [email protected].

Document Control Identity: Ref LCRN-TRST-2026-V1 — Effective May 29, 2026.

Security Architecture & Controls

Lucernes enforces physical, administrative, and technical safeguards engineered to mitigate transport interception, payload manipulation, and unauthorized administrator behavior.

1. Cryptographic Transport Layer (mTLS & SCEP)

Data moving between managed endpoints and our application routers mandates forced TLS 1.2 or TLS 1.3 protocol suites. Device enrollment routines enforce a strict Simple Certificate Enrollment Protocol (SCEP) handshake. This constructs a permanent Mutual TLS (mTLS) posture, verifying endpoint cryptographic identity on every server-side transaction check-in.

2. Configuration Payload Integrity

All configuration profiles (.mobileconfig) compiled and served by our environment are programmatically signed using designated cryptographic keys prior to delivery. This blocks downstream execution anomalies and protects devices against unauthorized local profile manipulation.

3. Infrastructure Hardening & Tenant Isolation

Collected database records are encrypted at rest using Advanced Encryption Standard (AES-256). Active service architecture and application clusters are deployed within isolated, restricted Virtual Private Clouds (VPCs) hosted in secure, enterprise-grade US-based cloud data facilities. API routers and microservice nodes are strictly shielded from public data tier ingress through tight network access control tables and stateful firewall appliances.

Document Control Identity: Ref LCRN-TRST-2026-V1 — Effective May 29, 2026.

Data Taxonomy & Retention Lifecycle

To preserve historical system integrity while strictly adhering to global privacy compliance frameworks, Lucernes applies a tiered data governance strategy that distinguishes live asset inventories from administrative audit records.

1. Data Taxonomy Classification

Customer Workload Data: Active device hardware profiles, assigned operating system versions, and software allowlist catalogs. This data is active only while an asset is enrolled.
System Audit & Security Logs: Immutable transaction ledgers detailing platform events, administrator command executions (such as remote wipes or profile changes), SCEP authentication lookups, and API access routing requests.
Account Administrative Data: Core tenant registration, IAM access tokens, credential footprints, and billing records required to manage platform access.

2. Tiered Retention Horizons

Lucernes maintains distinct, automated data retention lifecycles based on data classification parameters to satisfy both data minimization requirements and enterprise corporate auditing standards:

Data Category

Retention Horizon & Destruction Mechanics

Active Device Metadata
(De-enrollment Event)

30 Days. Upon formal device unenrollment or profile retirement, the asset's active configuration state and software inventory tables are programmatically decoupled from the production database within thirty (30) days to fulfill global data erasure mandates.

System Security & Audit Logs
(Compliance Ledger)

2 Years (730 Days). To comply with enterprise corporate governance frameworks (including SOC 2 and ISO 27001), all historical infrastructure event trails, administrative actions, and authorization changes are written to an immutable, non-deletable log pipeline and retained for a two-year operational window.

Tenant Account Closure
(Contract Termination)

180 Days. Upon formal termination of an organization's service agreement, tenant records enter a restricted 180-day decommissioning phase to allow for secure data extraction before the entire environment is purged from the host cluster.

Database Disaster Recovery
(Backup Snapshots)

7 Days. Encrypted system infrastructure cold backups run on a rolling daily execution chain. Each cryptographic snapshot is permanently overwritten and invalidated on a strict seven-day loop to limit long-term residual exposure.

Document Control Identity: Ref LCRN-TRST-2026-V1 — Effective May 29, 2026.