Security & Network

This document describes information that may be of importance to IT/Security teams about the Lumeo software that runs on-premise or in your cloud and connects to the Lumeo cloud platform.

Background

Lumeo is a flexible video analytics platform that lets you create and deploy a wide range of video analytics solutions in minutes, and gives you the flexibility to run analytics on-premise, in your cloud, or in Lumeo's cloud.

In order to do that, some of Lumeo's software runs on servers/edge appliances or VMs deployed in customer networks or customer cloud, and communicates with Lumeo's Cloud services for command and control.

Lumeo AI Gateway

Lumeo AI Gateway is the software that runs on on-prem equipment, in your cloud, or in Lumeo Cloud, and is installed using an installation script. If you use Lumeo-Ready Gateways, it comes pre-installed on the device. It is responsible for communicating with Lumeo's Cloud via an API, running analytics pipelines, streaming video, and discovering local cameras and video management systems (VMS).

Lumeo AI Gateway is written in Rust (https://rust-lang.org), a memory-safe systems programming language used by Microsoft, Cloudflare, Dropbox, Google, Yelp, Mozilla (Firefox) and many others. Rust performs on par with C/C++ while preventing, in safe code, buffer overflows, use-after-free and the other memory-safety errors that Microsoft's security response team found account for roughly 70% of the vulnerabilities it fixes (https://msrc-blog.microsoft.com/2019/07/22/why-rust-for-safe-systems-programming/). That guarantee applies to code outside unsafe blocks; it does not cover logic bugs, credential handling, or any native libraries the gateway links against, which is why the network controls below still matter.

Viewing Lumeo Console & Live streams from a Browser

In order to view Live streams in Lumeo console from a browser, your network will need to allow the following ports/connections from the machine you are using to view the streams.

Most networks allow this by default, but if your corporate network restricts connections from user devices you will need your network admin to allow the following.

Lumeo Console - Manage and configure Lumeo
  Ports: 443
  Direction: allow outbound traffic from your viewer device
  Protocol: TCP
  Destination Domain:
    • *.lumeo.com
    • *.sfo2.digitaloceanspaces.com
    • *.storage.googleapis.com
    • *.s3.us-east-1.wasabisys.com

WebRTC (STUN, TURN, TURNS) - View Lumeo live streams
  Ports: 443, 3478, 5349, 19302
  Direction: allow outbound traffic from your viewer device, and responses back to the client on NAT-mapped ports (automatic if the firewall is stateful)
  Protocol: TCP/UDP
  Destination Domain: traverse.lumeo.com

WebRTC (streaming) - View Lumeo live streams
  Ports: 49152-65535
  Direction: allow outbound traffic from your viewer device, and responses back to the client on NAT-mapped ports (automatic if the firewall is stateful)
  Protocol: TCP/UDP
  Destination Domain: traverse.lumeo.com and the local network (if the Lumeo Gateway is reachable over a local network)

Network Configuration for Gateways - On-prem / Edge Deployment

In the on-prem / edge deployment mode, Lumeo AI Gateway is deployed within your network, while command-and-control functions are performed via Lumeo Cloud.

This section describes the basic network setup for the Lumeo AI Gateway running locally on customer sites.

Lumeo AI Gateway running on-prem

Recommended Network Configuration

The recommended simplified network configuration for the gateway running the Lumeo agent:

  • We recommend running Lumeo on a dual-NIC device; most Lumeo-Ready Gateways are equipped with dual NICs. Connect one NIC to your camera network and the other to a network with Internet access, and do not enable IP forwarding between them: the gateway should be the only host that talks to both networks, not a route between them.
  • Allow outbound connections from the gateway to the Internet (UDP, TCP) with return traffic; if egress is restricted, allow at least the ports and domains in the table below.
  • Allow 554 (TCP, UDP) inbound connections from your local network / VMS IP address ranges, if your VMS pulls RTSP streams from the gateway.
  • Allow ONVIF (80, 443 TCP/UDP) and RTSP (554 TCP/UDP) outbound connections to your local cameras & VMS.
    • If your VMS or camera runs its ONVIF / RTSP service on a different port, you will need to open that port as well.

Connections & Ports

The main ports for Lumeo AI Gateway are listed below.

  • outbound indicates that the Lumeo agent makes an outbound connection to the specified domain on those ports. For outbound flows you must also allow return traffic (in most corporate setups this is already covered by an "allow related/established" rule on the firewall).
  • inbound indicates that the Lumeo software listens on that port for connections from the local network.
  • No ports need to be opened on your Internet-facing firewall for inbound connections; the inbound entries below are reachable from the local network only and must not be exposed to the Internet.

DNS
  Ports: 53
  Direction: outbound
  Protocol: UDP
  Domain: your DNS resolver

Installation, Updates, Operations
  Ports: 80 & 443
  Direction: outbound
  Protocol: TCP
  Domain:
    • *.lumeo.com (preferred), or individually api.lumeo.com, assets.lumeo.com, link.lumeo.com, mqtt.lumeo.com, pkgs.lumeo.com
    • *.sfo2.digitaloceanspaces.com
    • *.storage.googleapis.com
    • *.s3.us-east-1.wasabisys.com

Live stream viewing - WebRTC (STUN, TURN, TURNS)
  Ports: 443, 3478, 5349, 19302
  Direction: outbound
  Protocol: TCP/UDP
  Domain: traverse.lumeo.com

Live stream viewing - WebRTC (streaming)
  Ports: 49152-65535
  Direction: outbound
  Protocol: UDP
  Domain: traverse.lumeo.com and local network

Pull video stream from Camera
  Ports: 554 (RTSP cameras), 8000 (Rhombus cameras)
  Direction: outbound
  Protocol: TCP, UDP
  Domain: local network

Pull RTSP stream from Lumeo Gateway
  Ports: 554
  Direction: inbound
  Protocol: TCP, UDP
  Domain: local / VMS network

Web management interface, ONVIF & Discovery for Lumeo-Ready Gateways
  Ports: 80 (ONVIF); 443 (web-based gateway management interface); the following ports are opened only when Media Server & ONVIF are enabled: 8555 (ONVIF RTSP), 8322 (RTSPS), 8888 (HLS)
  Direction: inbound
  Protocol: TCP
  Domain: local network

Camera Discovery
  Ports: 3702, 80, 443 (other ports may be used depending on the camera vendor)
  Direction: outbound
  Protocol: TCP/UDP
  Domain: camera network or streams

Integrations
  Ports: varies by integration; check the node documentation (https://docs.lumeo.com/docs/node-reference) for additional outbound ports, e.g. Milestone integration (port 9090), Genetec (port 4590)
  Direction: outbound
  Protocol: TCP/UDP
  Domain: varies based on the integrations used

Support (Lumeo-Ready Gateways only)
  Ports: as required by Tailscale; if Lumeo support is required, we will ask you to enable Tailscale from your gateway's web interface
  Direction: outbound
  Protocol: TCP/UDP
  Domain: tailscale.com

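The dual-NIC layout and the port table above, as an added example that is not Lumeo's code: a POSIX shell function that renders an nftables ruleset for the gateway host. Interface names and subnets are placeholder arguments, the port numbers come from the table, and the ruleset assumes a recent nftables (for the th transport-header expression) and a gateway that accepts nothing unsolicited on its Internet-facing NIC, which is what the page states.

```shell
#!/bin/sh
# Added example (not Lumeo's code): render an nftables ruleset for a dual-NIC
# on-prem Lumeo AI Gateway host from the port table above.
# Arguments are placeholders for your site:
#   WAN_IF    NIC with Internet access                   (e.g. eth0)
#   CAM_IF    NIC on the camera/VMS network               (e.g. eth1)
#   CAM_CIDR  camera subnet the gateway pulls video from  (e.g. 10.20.0.0/24)
#   VMS_CIDR  hosts allowed to pull RTSP from the gateway
#   MGMT_CIDR hosts allowed to reach the web UI / ONVIF of a Lumeo-Ready Gateway
# Requires a recent nftables (the "th" transport-header expression).

lumeo_gateway_nft_ruleset() {
    WAN_IF=$1; CAM_IF=$2; CAM_CIDR=$3; VMS_CIDR=$4; MGMT_CIDR=$5
    if [ -z "$MGMT_CIDR" ]; then
        echo "usage: lumeo_gateway_nft_ruleset WAN_IF CAM_IF CAM_CIDR VMS_CIDR MGMT_CIDR" >&2
        return 2
    fi
    cat <<EOF
flush ruleset
table inet lumeo_gw {
    # STUN/TURN/TURNS ports used towards traverse.lumeo.com
    set turn_ports { type inet_service; elements = { 443, 3478, 5349, 19302 } }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Nothing is accepted unsolicited on the Internet-facing NIC ($WAN_IF).
        # VMS pulls RTSP from the gateway, camera-side NIC only
        iifname "$CAM_IF" ip saddr $VMS_CIDR meta l4proto { tcp, udp } th dport 554 accept
        # Web management UI (443) / ONVIF (80) of a Lumeo-Ready Gateway, management hosts only
        iifname "$CAM_IF" ip saddr $MGMT_CIDR tcp dport { 80, 443 } accept
        # WS-Discovery: cameras answer a multicast probe with a unicast ProbeMatch from
        # their port 3702, which conntrack does not pair with the probe
        iifname "$CAM_IF" ip saddr $CAM_CIDR udp sport 3702 accept
    }

    chain forward {
        # The gateway must never route between the camera network and the Internet
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct state established,related accept
        # Internet side: DNS, HTTP/HTTPS to *.lumeo.com and the object stores, WebRTC
        oifname "$WAN_IF" udp dport 53 accept
        oifname "$WAN_IF" tcp dport { 80, 443 } accept
        oifname "$WAN_IF" meta l4proto { tcp, udp } th dport @turn_ports accept
        oifname "$WAN_IF" udp dport 49152-65535 accept
        # Camera side: ONVIF (80/443), RTSP (554), WS-Discovery (3702), Rhombus (8000)
        oifname "$CAM_IF" ip daddr $CAM_CIDR meta l4proto { tcp, udp } th dport { 80, 443, 554, 3702, 8000 } accept
        oifname "$CAM_IF" ip daddr 239.255.255.250 udp dport 3702 accept
        # WebRTC media to viewers on the local network
        oifname "$CAM_IF" ip daddr $CAM_CIDR udp dport 49152-65535 accept
    }
}
EOF
}

# Invariant from the page ("no ports need to be opened for inbound connections"):
# count rules that accept unsolicited input on the Internet-facing NIC. Expected: 0.
lumeo_wan_input_rules() {
    lumeo_gateway_nft_ruleset "$@" | grep -Fc "iifname \"$1\"" || true
}
```

Render and syntax-check it without applying anything with lumeo_gateway_nft_ruleset eth0 eth1 10.20.0.0/24 10.30.0.0/24 10.40.0.0/24 | sudo nft -c -f -, then load it with nft -f - once the ranges are right. The forward chain's drop policy is the part worth keeping even if you loosen the rest: it is what stops the gateway from becoming a path from the Internet into the camera VLAN.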

Network Configuration - Your Cloud Deployment

In the "Your Cloud" deployment mode, Lumeo AI Gateway is deployed within your cloud/VPC, while command-and-control functions are performed via Lumeo Cloud. The Lumeo AI Gateway accesses cameras/streams on your on-prem network through your VPC, and communicates with Lumeo's cloud and external services via secure outbound connections.

This section describes the basic network setup for the Lumeo AI Gateway running in your cloud.

Lumeo AI Gateway running in your cloud

Recommended Network Configuration

The recommended simplified network configuration for the gateway running the Lumeo agent:

  • We recommend running Lumeo as a container workload for easy scale-up; see AWS - ECS or GCP - Kubernetes for details. You can also run a single instance on a VM (see AWS - EC2 Instance, GCP - Compute Instance).
  • Allow outbound connections to the Internet (UDP, TCP) with return flows; if your VPC restricts egress, allow at least the ports and domains in the table below.
  • Allow 554 (TCP, UDP) inbound connections from your local network / VMS IP address ranges if you wish to access RTSP streams from the Lumeo Gateway.
  • Allow ONVIF (80, 443 TCP/UDP) and RTSP (554 TCP/UDP) connections from your cloud VPC to your local cameras & VMS.
    • If your VMS or camera runs its ONVIF / RTSP service on a different port, you will need to open that port as well.

Connections & Ports

The main ports for Lumeo AI Gateway are listed below.

  • outbound indicates that the Lumeo agent makes an outbound connection to the specified domain on those ports. For outbound flows you must also allow return traffic (in most corporate setups this is already covered by an "allow related/established" rule on the firewall).
  • inbound indicates that the Lumeo software listens on that port for connections from the local network; none of these need to be reachable from the Internet.

DNS
  Ports: 53
  Direction: outbound
  Protocol: UDP
  Domain: your DNS resolver

Installation, Updates, Operations
  Ports: 80 & 443
  Direction: outbound
  Protocol: TCP
  Domain:
    • *.lumeo.com (preferred), or individually api.lumeo.com, assets.lumeo.com, link.lumeo.com, mqtt.lumeo.com, pkgs.lumeo.com
    • *.sfo2.digitaloceanspaces.com
    • *.storage.googleapis.com
    • *.s3.us-east-1.wasabisys.com

Live stream viewing - WebRTC (STUN, TURN, TURNS)
  Ports: 443, 3478, 5349, 19302
  Direction: outbound
  Protocol: TCP/UDP
  Domain: traverse.lumeo.com

Live stream viewing - WebRTC (streaming)
  Ports: 49152-65535
  Direction: outbound
  Protocol: UDP
  Domain: traverse.lumeo.com and local network

Pull video stream from Camera
  Ports: 554 (RTSP cameras), 8000 (Rhombus cameras)
  Direction: outbound
  Protocol: TCP, UDP
  Domain: local/camera network

Pull RTSP stream from Lumeo Gateway (optional)
  Ports: 554
  Direction: inbound
  Protocol: TCP, UDP
  Domain: local / VMS network

Web management interface, ONVIF & Discovery for Lumeo-Ready Gateways (optional)
  Ports: 80 (ONVIF); 443 (web-based gateway management interface); the following ports are opened only when Media Server & ONVIF are enabled: 8555 (ONVIF RTSP), 8322 (RTSPS), 8888 (HLS)
  Direction: inbound
  Protocol: TCP
  Domain: local network

Camera Discovery
  Ports: 3702, 80, 443 (other ports may be used depending on the camera vendor)
  Direction: outbound
  Protocol: TCP/UDP
  Domain: camera network or streams

Integrations
  Ports: varies by integration; check the node documentation (https://docs.lumeo.com/docs/node-reference) for additional outbound ports, e.g. Milestone integration (port 9090), Genetec (port 4590)
  Direction: outbound
  Protocol: TCP/UDP
  Domain: varies based on the integrations used

Support (Lumeo-Ready Gateways only)
  Ports: as required by Tailscale; if Lumeo support is required, we will ask you to enable Tailscale from your gateway's web interface
  Direction: outbound
  Protocol: TCP/UDP
  Domain: tailscale.com


Network Configuration - Lumeo Cloud Deployment

In the Lumeo Cloud deployment mode, Lumeo AI Gateways are deployed and managed by Lumeo in the Lumeo Cloud.

While Lumeo Cloud Gateways do not open any publicly accessible ports, they do make outbound connections from Lumeo's cloud to your cameras.

If you need Lumeo Cloud Gateways to process video from cameras behind your firewall, you will need to forward the following ports on your firewall to the camera or the VMS. Restrict each forward to the Lumeo Cloud Gateway IP addresses listed in your Lumeo account: a forward that accepts any source exposes the camera's RTSP or HTTP service to the entire Internet.

RTSP
  Public Port: any (your choice)
  Forward to: camera IP address, port 554 (RTSP)
  Direction: allow inbound traffic to your network
  Protocol: TCP/UDP
  Originating IP: Lumeo Cloud Gateway IP addresses (found in your Lumeo account)

HTTP Streaming
  Public Port: any (your choice)
  Forward to: camera IP address, port 443
  Direction: allow inbound traffic to your network
  Protocol: TCP
  Originating IP: Lumeo Cloud Gateway IP addresses (found in your Lumeo account)

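The port-forwarding table above, as an added example that is not Lumeo's code: an nftables fragment for the perimeter router that forwards the chosen public ports to one camera, only from the Lumeo Cloud Gateway addresses listed in your account, and drops everything else the Internet sends towards that camera. The interface, camera address, public ports and source list are placeholder arguments; the addresses used in the usage line are documentation ranges, not Lumeo's.

```shell
#!/bin/sh
# Added example (not Lumeo's code): nftables rules for the perimeter router that
# forward one camera to the Lumeo Cloud Gateways and to nothing else.
# Arguments are placeholders:
#   WAN_IF    Internet-facing interface of the router   (e.g. eth0)
#   CAM_IP    camera (or VMS) address on the LAN
#   PUB_RTSP  public port you choose for RTSP           -> CAM_IP:554
#   PUB_HTTP  public port you choose for HTTP streaming -> CAM_IP:443
#   SRC_LIST  comma-separated Lumeo Cloud Gateway IPs/CIDRs copied from your
#             Lumeo account (test values below are documentation ranges)

# Refuse source lists that would expose the camera to the whole Internet.
lumeo_src_list_ok() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS=,
    for s in $1; do
        s=$(printf '%s' "$s" | tr -d ' ')
        case "$s" in
            ""|any|0.0.0.0/0|::/0) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

lumeo_cloud_forward_ruleset() {
    WAN_IF=$1; CAM_IP=$2; PUB_RTSP=$3; PUB_HTTP=$4; SRC_LIST=$5
    if [ -z "$PUB_HTTP" ]; then
        echo "usage: lumeo_cloud_forward_ruleset WAN_IF CAM_IP PUB_RTSP PUB_HTTP SRC_LIST" >&2
        return 2
    fi
    if ! lumeo_src_list_ok "$SRC_LIST"; then
        echo "refusing to generate the forward: SRC_LIST must name the Lumeo Cloud Gateway addresses, not any/0.0.0.0/0" >&2
        return 2
    fi
    cat <<EOF
table ip lumeo_cloud_forward {
    # Only these sources (from your Lumeo account) may reach the forwarded camera
    set lumeo_cloud_gw { type ipv4_addr; flags interval; elements = { $SRC_LIST } }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # RTSP: public $PUB_RTSP -> camera 554 (TCP and UDP); HTTP streaming: public $PUB_HTTP -> camera 443
        iifname "$WAN_IF" ip saddr @lumeo_cloud_gw tcp dport $PUB_RTSP dnat to $CAM_IP:554
        iifname "$WAN_IF" ip saddr @lumeo_cloud_gw udp dport $PUB_RTSP dnat to $CAM_IP:554
        iifname "$WAN_IF" ip saddr @lumeo_cloud_gw tcp dport $PUB_HTTP dnat to $CAM_IP:443
    }

    chain forward {
        # policy accept leaves the router's existing forwarding rules alone; the last
        # rule still drops anything else arriving from the Internet for the camera
        type filter hook forward priority filter; policy accept;
        ct state established,related accept
        iifname "$WAN_IF" ip saddr @lumeo_cloud_gw ip daddr $CAM_IP ct status dnat tcp dport { 554, 443 } accept
        iifname "$WAN_IF" ip saddr @lumeo_cloud_gw ip daddr $CAM_IP ct status dnat udp dport 554 accept
        iifname "$WAN_IF" ip daddr $CAM_IP drop
    }
}
EOF
}
```

The generator refuses an empty or any/0.0.0.0/0 source list on purpose: a forward without the source restriction publishes the camera's RTSP and HTTP services to the whole Internet, which is the failure mode this table exists to prevent. Check the output with lumeo_cloud_forward_ruleset eth0 192.168.1.20 8554 8443 '203.0.113.0/28' | sudo nft -c -f - and revisit the source list whenever the gateway addresses in your Lumeo account change.
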
Privacy and Compliance

Lumeo is undergoing a SOC 2 audit. A SOC 2 audit is a review, conducted by an independent third-party auditor, of an organization's controls against the AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality and privacy. The audit is expected to be completed by the end of 2025.

Enterprise prospects and customers can request access to the sub-processor list, penetration test and other reports from the Lumeo Trust Center at: https://trust.lumeo.com

Data Retention and Access

The following table details the types of user data collected by Lumeo and where each is utilized and persisted.

  • Lumeo Cloud refers to Lumeo-managed cloud services and 3rd party subprocessors that may be used to store the data.
  • Lumeo AI Gateway refers to the Lumeo AI Gateway software running on the device. Any data stored on the device is encrypted on disk.
  • Utilization refers to where the data is processed but not stored.
  • Data Storage refers to where the data is stored.
  • Because camera and VMS credentials are stored in Lumeo Cloud as well as on the gateway, use dedicated, least-privilege camera/VMS accounts for Lumeo rather than administrative credentials.

Camera information: IP addresses, credentials, snapshots
  Utilization Location: Lumeo AI Gateway, Lumeo Cloud
  Data Storage & Retention: Lumeo AI Gateway, Lumeo Cloud
  Retention Duration: until the camera or source is deleted by the user

Gateway information: IP addresses, serial number, specifications and utilization
  Utilization Location: Lumeo AI Gateway, Lumeo Cloud
  Data Storage & Retention: Lumeo AI Gateway, Lumeo Cloud
  Retention Duration: until the gateway is deleted by the user

Live video streams
  Utilization Location: Lumeo AI Gateway (processing), Lumeo Cloud (view only)
  Data Storage & Retention: not stored
  Retention Duration: not stored

Video stream thumbnails for analytics configuration
  Utilization Location: Lumeo AI Gateway (processing), Lumeo Cloud (processing & viewing)
  Data Storage & Retention: Lumeo Cloud
  Retention Duration: until the video stream / camera is deleted

Analytics configuration data: regions of interest, AI models, etc. (varies based on the nature of the analytics used)
  Utilization Location: Lumeo AI Gateway, Lumeo Cloud
  Data Storage & Retention: Lumeo AI Gateway, Lumeo Cloud
  Retention Duration: until a pipeline or deployment is deleted by the user

Integration configuration data: VMS credentials, webhook URLs, endpoints, credentials, etc.
  Utilization Location: Lumeo AI Gateway, Lumeo Cloud
  Data Storage & Retention: Lumeo AI Gateway, Lumeo Cloud
  Retention Duration: until a pipeline or deployment is deleted by the user

Generated analytics media and metadata, e.g. event recordings/clips/snapshots, event counts, alerts, etc.
  Utilization Location: Lumeo Cloud
  Data Storage & Retention: Lumeo AI Gateway (temporary), Lumeo Cloud, 3rd party services (if configured); stored only if configured by the user
  Retention Duration: until deleted by the user or the configured retention period (30/60 days) for Lumeo Cloud; 3rd party service retention is customer managed

Email addresses of authorized users
  Utilization Location: Lumeo Cloud
  Data Storage & Retention: Lumeo Cloud
  Retention Duration: until deleted by the user