Security

Loqa is built for communities that can't afford to compromise on data security. Here's how we protect yours.

Our Compliance Partners

⚙️

Vanta

Continuous Compliance Automation

Vanta continuously monitors our infrastructure, access controls, and security policies against SOC 2 Trust Services Criteria. Its automated evidence collection ensures we maintain compliance posture in real time — not just at audit time.

  • Automated evidence collection across cloud providers
  • Continuous monitoring of access controls & configurations
  • Policy management and employee security training
  • Real-time alerts for compliance drift
📋

Prescient Security

Independent Audit Firm

Prescient Security is our AICPA-accredited independent auditor conducting the formal SOC 1 and SOC 2 examinations. Their auditors evaluate the design and operating effectiveness of our controls for both Type I and Type II reports.

  • SOC 1 (Type I & Type II) — financial reporting controls
  • SOC 2 (Type I & Type II) — security, availability, & confidentiality
  • AICPA-accredited, globally recognized firm
  • Multi-month observation window for Type II operational evidence

What Does SOC Compliance Mean?

SOC 1

Evaluates internal controls relevant to financial reporting. This matters for organizations whose communities handle payments, subscriptions, or financial data through Loqa-powered integrations.

SOC 2

Evaluates controls across five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. This is the gold standard for SaaS platforms handling user data.

Type I & Type II

A Type I report evaluates control design at a point in time. A Type II report evaluates design and operating effectiveness over a sustained period (3–12 months). We are pursuing both.

Compliance Timeline

Vanta Onboarded

Continuous compliance monitoring deployed. Automated evidence collection active across all production infrastructure.

Prescient Engaged

Audit scope defined with Prescient Security for SOC 1 and SOC 2 examinations (Type I and Type II).

GDPR Compliance

Data Processing Agreement, Records of Processing Activities, breach notification procedure, and data subject rights tooling implemented. View our GDPR compliance documentation →

Observation Period

Controls are being monitored and evidence is being collected for both Type I and Type II certification.

Audit & Certification

Prescient Security will conduct the formal examinations and issue SOC 1 and SOC 2 reports (Type I and Type II).

Security Practices

Beyond compliance certifications, security is embedded in how we build and operate Loqa.

🔐

Layered Data Protection

TLS protects supported client connections. The primary account database encrypts emails with AES-256-GCM and uses keyed HMAC-SHA256 indexes. Eligible conversation content uses end-to-end encryption when the app displays that status; coverage varies by conversation and content type.

🔑

Argon2id & SHA-256 Hashing

Passwords and OAuth2 client secrets are hashed with Argon2id — the winner of the Password Hashing Competition. API tokens and webhook secrets are stored as one-way hashes and verified with constant-time comparisons.

🚦

Rate Limiting

Per-endpoint rate limiting protects against abuse, brute-force attacks, and denial-of-service attempts.

📊

Audit Logging

Administrative and moderation actions are recorded for accountability. Authorized server staff can review the audit records available to their role.

🛑

No Advertising Trackers

No third-party advertising or behavioral-analytics SDKs. Loqa does not sell personal information or use it for targeted advertising; limited first-party reliability diagnostics are described in the Privacy Policy.

🏗️

Infrastructure Isolation

Production workloads run in isolated environments with strict network segmentation and least-privilege access.

Questions About Security?

We're happy to discuss our security posture, share compliance updates, or answer questions from your infosec team.

Contact Us