Security

Loqa is built for communities that can't afford to compromise on data security. Here's how we protect yours.

Our Compliance Partners

Vanta

Continuous Compliance Automation

Vanta continuously monitors our infrastructure, access controls, and security policies against SOC 2 Trust Services Criteria. Its automated evidence collection ensures we maintain compliance posture in real time — not just at audit time.

  • Automated evidence collection across cloud providers
  • Continuous monitoring of access controls & configurations
  • Policy management and employee security training
  • Real-time alerts for compliance drift

Prescient Security

Independent Audit Firm

Prescient Security is our AICPA-accredited independent auditor conducting the formal SOC 1 and SOC 2 examinations. Their auditors evaluate the design and operating effectiveness of our controls for both Type I and Type II reports.

  • SOC 1 (Type I & Type II) — financial reporting controls
  • SOC 2 (Type I & Type II) — security, availability, & confidentiality
  • AICPA-accredited, globally recognized firm
  • Multi-month observation window for Type II operational evidence

What Does SOC Compliance Mean?

SOC 1

Evaluates internal controls relevant to financial reporting. This matters for organizations whose communities handle payments, subscriptions, or financial data through Loqa-powered integrations.

SOC 2

Evaluates controls across five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. This is the gold standard for SaaS platforms handling user data.

Type I & Type II

A Type I report evaluates control design at a point in time. A Type II report evaluates design and operating effectiveness over a sustained period (3–12 months). We are pursuing both.

Compliance Timeline

Vanta Onboarded

Continuous compliance monitoring deployed. Automated evidence collection active across all production infrastructure.

Prescient Engaged

Audit scope defined with Prescient Security for SOC 1 and SOC 2 examinations (Type I and Type II).

GDPR Compliance

Data Processing Agreement, Records of Processing Activities, breach notification procedure, and data subject rights tooling implemented. View our GDPR compliance documentation →

Observation Period

Controls are being monitored and evidence is being collected for both Type I and Type II certification.

Audit & Certification

Prescient Security will conduct the formal examinations and issue SOC 1 and SOC 2 reports (Type I and Type II).

Security Practices

Beyond compliance certifications, security is embedded in how we build and operate Loqa.

PII Encrypted at Rest

TLS 1.3 protects data in transit. Emails are encrypted with AES-256-GCM and looked up via HMAC-SHA256 blind indexes — we can authenticate you without ever storing your email in plaintext. DMs and group DMs are end-to-end encrypted using a Signal-style Double Ratchet protocol (X3DH key agreement + per-message key derivation), providing forward secrecy and post-compromise security. Keys never leave your device.

Argon2id & SHA-256 Hashing

Passwords and OAuth2 client secrets are hashed with Argon2id — the winner of the Password Hashing Competition. API tokens and webhook secrets use SHA-256 with constant-time verification. Nothing is ever stored in plaintext.

Rate Limiting

Per-endpoint rate limiting protects against abuse, brute-force attacks, and denial-of-service attempts.

Audit Logging

Every administrative action is logged with full traceability. Server owners can review audit logs at any time.

Zero Third-Party Trackers

No analytics SDKs, no ad trackers, no telemetry. We don't sell or share your data with anyone.

Infrastructure Isolation

Production workloads run in isolated environments with strict network segmentation and least-privilege access.

Questions About Security?

We're happy to discuss our security posture, share compliance updates, or answer questions from your infosec team.

Contact Us