Security
Loqa is built for communities that can't afford to compromise on data security. Here's how we protect yours.
Our Compliance Partners
Vanta
Continuous Compliance Automation
Vanta continuously monitors our infrastructure, access controls, and security policies against SOC 2 Trust Services Criteria. Its automated evidence collection ensures we maintain compliance posture in real time — not just at audit time.
- Automated evidence collection across cloud providers
- Continuous monitoring of access controls & configurations
- Policy management and employee security training
- Real-time alerts for compliance drift
Prescient Security
Independent Audit Firm
Prescient Security is our AICPA-accredited independent auditor conducting the formal SOC 1 and SOC 2 examinations. Their auditors evaluate the design and operating effectiveness of our controls for both Type I and Type II reports.
- SOC 1 (Type I & Type II) — financial reporting controls
- SOC 2 (Type I & Type II) — security, availability, & confidentiality
- AICPA-accredited, globally recognized firm
- Multi-month observation window for Type II operational evidence
What Does SOC Compliance Mean?
SOC 1
Evaluates internal controls relevant to financial reporting. This matters for organizations whose communities handle payments, subscriptions, or financial data through Loqa-powered integrations.
SOC 2
Evaluates controls across five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. This is the gold standard for SaaS platforms handling user data.
Type I & Type II
A Type I report evaluates control design at a point in time. A Type II report evaluates design and operating effectiveness over a sustained period (3–12 months). We are pursuing both.
Compliance Timeline
Vanta Onboarded
Continuous compliance monitoring deployed. Automated evidence collection active across all production infrastructure.
Prescient Engaged
Audit scope defined with Prescient Security for SOC 1 and SOC 2 examinations (Type I and Type II).
GDPR Compliance
Data Processing Agreement, Records of Processing Activities, breach notification procedure, and data subject rights tooling implemented. View our GDPR compliance documentation →
Observation Period
Controls are being monitored and evidence is being collected for both Type I and Type II certification.
Audit & Certification
Prescient Security will conduct the formal examinations and issue SOC 1 and SOC 2 reports (Type I and Type II).
Security Practices
Beyond compliance certifications, security is embedded in how we build and operate Loqa.
Layered Data Protection
TLS protects supported client connections. The primary account database encrypts emails with AES-256-GCM and uses keyed HMAC-SHA256 indexes. Eligible conversation content uses end-to-end encryption when the app displays that status; coverage varies by conversation and content type.
Argon2id & SHA-256 Hashing
Passwords and OAuth2 client secrets are hashed with Argon2id — the winner of the Password Hashing Competition. API tokens and webhook secrets are stored as one-way hashes and verified with constant-time comparisons.
Rate Limiting
Per-endpoint rate limiting protects against abuse, brute-force attacks, and denial-of-service attempts.
Audit Logging
Administrative and moderation actions are recorded for accountability. Authorized server staff can review the audit records available to their role.
No Advertising Trackers
No third-party advertising or behavioral-analytics SDKs. Loqa does not sell personal information or use it for targeted advertising; limited first-party reliability diagnostics are described in the Privacy Policy.
Infrastructure Isolation
Production workloads run in isolated environments with strict network segmentation and least-privilege access.
Questions About Security?
We're happy to discuss our security posture, share compliance updates, or answer questions from your infosec team.
Contact Us