Security Policy
Effective date: March 5, 2026
At Lorika, security is core to everything we build. This policy describes the technical and organisational measures we implement to protect your data, our infrastructure, and communications between our agent and platform.
1. Infrastructure Security
Lorika’s production infrastructure is hosted on hardened virtual servers with the following protections:
- All traffic is proxied through Cloudflare — server IP addresses are never exposed.
- TLS 1.2+ enforced for all connections (HTTPS, API, WebSocket).
- Operating systems are kept up-to-date with automated security patches.
- SSH access is restricted to key-based authentication only; password login is disabled.
- Firewall rules follow a default-deny posture — only required ports are open.
2. Application Security
- Authentication: Google OAuth 2.0 with PKCE. No passwords are stored by Lorika.
- Session management: JWT access tokens (short-lived) + refresh tokens with version tracking. 30-minute idle auto-logout.
- Token rotation: Each token refresh increments a version claim. Logout invalidates all sessions instantly.
- Device tokens: Stored as irreversible SHA-256 hashes. The plaintext token is shown once during enrolment and never persisted server-side.
- Enrolment tokens: Single-use, expire in 24 hours.
- HMAC-SHA256 signed payloads: Every scan result sent by the agent is cryptographically signed. Tampered payloads are rejected.
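The three mechanisms listed above (hash-only storage of device tokens, HMAC-SHA256 signing of scan payloads, and version-tracked refresh tokens) fit together as follows. This is an added illustration written for this page, not Lorika's own code: it assumes an in-memory dict in place of the database, a per-device shared secret as the HMAC key (provisioning is outside the example), and plain dicts in place of signed JWTs so the version logic stays visible.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# --- Device tokens: only an irreversible SHA-256 digest is persisted ---
# Assumption: this in-memory dict stands in for the platform's database.
DEVICE_TOKEN_HASHES: Dict[str, str] = {}  # sha256 hex digest -> device id


def enrol_device(device_id: str) -> str:
    """Issue a fresh device token; store only its SHA-256 hash and return the plaintext once."""
    token = secrets.token_urlsafe(32)
    DEVICE_TOKEN_HASHES[hashlib.sha256(token.encode()).hexdigest()] = device_id
    return token


def lookup_device(token: str) -> Optional[str]:
    """Resolve a presented token by hashing it and looking up the digest, never the plaintext."""
    return DEVICE_TOKEN_HASHES.get(hashlib.sha256(token.encode()).hexdigest())


# --- HMAC-SHA256 signed scan payloads ---
# Assumption: agent and platform share a per-device secret key.

def canonical(payload: dict) -> bytes:
    """Deterministic serialisation so both sides MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_payload(key: bytes, payload: dict) -> str:
    """Agent side: HMAC-SHA256 over the canonical payload."""
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def verify_payload(key: bytes, payload: dict, signature: str) -> bool:
    """Platform side: recompute the MAC and compare in constant time; any change fails."""
    return hmac.compare_digest(sign_payload(key, payload), signature)


# --- Session versioning: refresh bumps the version, logout invalidates every session ---
SESSION_VERSIONS: Dict[str, int] = {}  # user id -> currently valid token version


def issue_refresh_token(user: str) -> dict:
    """Mint a refresh token carrying the user's current version claim (JWT signing omitted)."""
    return {"sub": user, "ver": SESSION_VERSIONS.setdefault(user, 1)}


def rotate_refresh_token(token: dict) -> Optional[dict]:
    """Accept only a token whose version matches the stored one, then increment it."""
    user = token["sub"]
    if token.get("ver") != SESSION_VERSIONS.get(user):
        return None  # stale or replayed token
    SESSION_VERSIONS[user] += 1
    return {"sub": user, "ver": SESSION_VERSIONS[user]}


def logout(user: str) -> None:
    """Bump the stored version so every outstanding token's claim is stale at once."""
    SESSION_VERSIONS[user] = SESSION_VERSIONS.get(user, 1) + 1


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    # Constructed sample scan result
    report = {"device": "dev-1", "checks": {"firewall": "pass", "disk_encryption": "fail"}}
    sig = sign_payload(key, report)
    print("valid signature accepted:", verify_payload(key, report, sig))
    report["checks"]["disk_encryption"] = "pass"  # altered in transit
    print("tampered payload accepted:", verify_payload(key, report, sig))
```

Two details matter in practice: the payload must be serialised canonically before signing, otherwise a harmless reordering of JSON keys fails verification, and the comparison must use `hmac.compare_digest` so that a byte-by-byte mismatch does not leak timing information.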
3. Data Protection
- All data is encrypted in transit (TLS) and at rest (encrypted storage volumes).
- Database credentials, API keys, and secrets are stored exclusively in environment variables — never in source code.
- Personal data processing complies with GDPR. See our Privacy Policy for details.
- Scan data is retained for 90 days (free plan) or as specified by your subscription tier.
- Stale devices are automatically deactivated after 30 days of inactivity.
4. Agent Security
- Binary integrity: SHA-256 checksums verify agent binaries before installation and on every auto-update cycle.
- Auto-update: The agent checks for updates on startup and every 6 hours. Updates are applied silently with zero downtime.
- Minimal permissions: The agent runs with the minimum privileges required for security scanning. It does not modify system settings (unless active remediation is explicitly enabled by the administrator).
- Machine identity: Each device is uniquely identified by an OS-level machine ID (e.g., /etc/machine-id on Linux, IOPlatformUUID on macOS, MachineGuid on Windows) to prevent device duplication.
- Delta scans: Only changed check results are transmitted, reducing data exposure and bandwidth by ~90%.
5. Network Security
- All DNS records are proxied through Cloudflare to prevent direct server exposure.
- Cloudflare DDoS protection is active on all endpoints.
- Real client IP is extracted from trusted CF-Connecting-IP headers only.
- API rate limiting is enforced to prevent abuse.
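The "trusted headers only" qualifier is the important part of the client-IP rule: a forwarded-IP header is honoured only when the connection actually arrives from the proxy, otherwise a direct connection could present any address it likes and the per-IP rate limit would count it as a fresh client. The example below is added for this page and is not Lorika's code; the trusted range is a constructed TEST-NET placeholder standing in for the proxy provider's published ingress ranges, and the fixed-window limiter is an assumed design, since the page does not state which algorithm is used.

```python
import ipaddress
import time
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed placeholder: TEST-NET-2 stands in for the proxy's published ingress
# ranges, which must be loaded from an authoritative source in production.
TRUSTED_PROXY_NETWORKS: List[Network] = [ipaddress.ip_network("198.51.100.0/24")]


def client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Return the real client address.

    CF-Connecting-IP is honoured only when the TCP peer is a trusted proxy. A direct
    connection carrying the header gets its socket address instead, so the header
    cannot be used to impersonate another client or evade per-IP limits.
    """
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXY_NETWORKS):
        # Header names are case-insensitive; normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        forwarded = lowered.get("cf-connecting-ip", "").strip()
        if forwarded:
            try:
                return str(ipaddress.ip_address(forwarded))
            except ValueError:
                pass  # malformed header value: ignore it rather than trust it
    return str(peer)


class FixedWindowLimiter:
    """Per-key fixed-window request counter (assumed design)."""

    def __init__(self, limit: int, window_seconds: int) -> None:
        self.limit = limit
        self.window = window_seconds
        self._counts: Dict[str, Tuple[float, int]] = {}  # key -> (window start, count)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        start, count = self._counts.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # window expired: reset the counter
        if count >= self.limit:
            self._counts[key] = (start, count)
            return False
        self._counts[key] = (start, count + 1)
        return True


def handle_request(limiter: FixedWindowLimiter, peer_ip: str,
                   headers: Dict[str, str], now: Optional[float] = None) -> bool:
    """Resolve the client address first, then rate-limit on it. True means the request is served."""
    return limiter.allow(client_ip(peer_ip, headers), now)


if __name__ == "__main__":
    limiter = FixedWindowLimiter(limit=2, window_seconds=60)
    # Constructed requests: one via the proxy, one direct with a forged header
    print(client_ip("198.51.100.7", {"CF-Connecting-IP": "203.0.113.9"}))  # 203.0.113.9
    print(client_ip("192.0.2.5", {"CF-Connecting-IP": "203.0.113.9"}))    # 192.0.2.5
    print(handle_request(limiter, "192.0.2.5", {}, now=0.0))                # True
```

The same trust boundary applies to any address-dependent control (audit logging, geo restrictions, lockout counters): resolve the address once with this rule and key everything off the result, never off the raw header.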
6. Access Control
- Role-based access control (RBAC): admin and member roles within each organisation.
- Multi-tenant architecture: organisations are strictly isolated. Users can only access data within their organisation.
- Administrative actions (device removal, member management) are restricted to the admin role.
7. Incident Response
In the event of a security incident, we will:
- Investigate and contain the incident within 24 hours of detection.
- Notify affected users within 72 hours, in accordance with GDPR requirements.
- Provide a post-incident report detailing root cause, impact, and remediation steps.
8. Responsible Disclosure
If you discover a security vulnerability in Lorika, please report it responsibly. We appreciate the security community’s efforts to keep our users safe.
Report to: [email protected]
We aim to acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.
9. Updates to This Policy
We may update this Security Policy as our platform evolves. Material changes will be communicated via the dashboard or email. The effective date at the top of this page indicates when the policy was last revised.
Questions? Contact us at [email protected].