Security is what we build. Transparency is how we build trust. This page documents our security practices, data protection policies, and compliance commitments — honestly.
Three pillars that guide every decision we make.
Secure architecture from day one. HMAC-SHA256 authenticated payloads, encrypted data at rest and in transit, automated CI/CD security pipeline with SAST, dependency scanning, container scanning, and secret detection.
EU data residency (Germany). GDPR-aligned practices. We do not sell data to third parties. Data deletion on request. Minimal data collection — only what is needed for security posture assessment.
18 compliance frameworks mapped and continuously tested. We test our own platform against the same standards we help you meet. Working toward formal certification.
How we protect the platform and your data.
All servers hosted on Contabo in Dusseldorf, Germany. No code or data stored outside the EU.
All traffic proxied through Cloudflare for DDoS protection, Web Application Firewall, and bot mitigation. Server IP never exposed.
TLS 1.3 for all data in transit. AES-256 encryption for data at rest in PostgreSQL. No unencrypted connections accepted.
Sign in with Google, Microsoft, GitHub, X (Twitter), or Apple. No passwords stored. Token rotation on every refresh.
Every scan payload is HMAC-SHA256 signed with the device token. Device tokens are stored as SHA-256 hashes in the database — never in plaintext.
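The signing and storage scheme described above, shown as an added Python illustration (example code written for this page, not Lorika's agent or API code). It assumes the HMAC key is the SHA-256 digest of the device token, because the page states that only that digest is stored and the server must still be able to verify signatures; the device identifier, token format and JSON canonicalisation are likewise assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed server-side store: device_id -> hex SHA-256 of the device token.
# The plaintext token is handed to the agent once and never stored here.
TOKEN_STORE: dict[str, str] = {}


def issue_device_token(device_id: str) -> str:
    """Mint a random device token and persist only its SHA-256 digest."""
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[device_id] = hashlib.sha256(token.encode()).hexdigest()
    return token  # returned to the agent exactly once


def _mac_key(token: str) -> bytes:
    # Assumption: the HMAC key is SHA-256(token), so the server can verify
    # with the stored digest alone and never needs the plaintext token.
    return hashlib.sha256(token.encode()).digest()


def canonical(payload: dict) -> bytes:
    # Agent and server must serialise byte-for-byte identically, or a valid
    # payload fails verification. Sorted keys and no whitespace do that here.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_payload(token: str, payload: dict) -> str:
    """Agent side: MAC the canonical payload with the key derived from its token."""
    return hmac.new(_mac_key(token), canonical(payload), hashlib.sha256).hexdigest()


def verify_payload(device_id: str, payload: dict, signature: str) -> bool:
    """Server side: recompute the MAC from the stored digest; unknown devices fail."""
    stored_hash = TOKEN_STORE.get(device_id)
    if stored_hash is None:
        return False
    key = bytes.fromhex(stored_hash)
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(expected, signature)
```

With this key derivation the stored digest is itself the verification key, so hashing protects the token as a credential for anything else it authenticates, not the MAC key: a database leak would let an attacker forge scan payloads but not recover the token. If the real design keys the MAC with the plaintext token instead, the server needs a separately stored verification secret. The canonicalisation step is where most implementations of this pattern break in practice.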
JWT access + refresh tokens. 30-minute idle auto-logout. Token version tracking — logout invalidates all sessions instantly. Rate limiting and CORS protection on all endpoints.
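A minimal model of the token-version and rotation scheme, added here as Python example code; it is not the platform's implementation, and the platform's actual claim names, libraries and lifetimes are not on the page. HS256 is implemented by hand so the block runs with the standard library only; the 30-minute access lifetime mirrors the idle window above, the refresh lifetime is an assumed placeholder, and the in-memory dicts stand in for the database.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo state (a real service keeps these in its database).
SIGNING_KEY = b"constructed-demo-key-not-for-production"
USER_TOKEN_VERSION: dict[str, int] = {"alice": 1}  # bumped on logout
SPENT_REFRESH_IDS: set[str] = set()                # each refresh token is single-use

ACCESS_TTL = 30 * 60          # 30-minute window, matching the page
REFRESH_TTL = 7 * 24 * 3600   # assumption: refresh lifetime is not stated on the page


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj: dict) -> str:
    return _b64url(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode())


def mint(user: str, kind: str, now: int) -> str:
    """HS256 JWT; the `tv` claim pins the token to the user's current token version."""
    ttl = ACCESS_TTL if kind == "access" else REFRESH_TTL
    claims = {"sub": user, "typ": kind, "tv": USER_TOKEN_VERSION[user],
              "jti": secrets.token_hex(8), "iat": now, "exp": now + ttl}
    signing_input = f"{_encode({'alg': 'HS256', 'typ': 'JWT'})}.{_encode(claims)}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(token: str, kind: str, now: int) -> Optional[dict]:
    """Return the claims, or None for a malformed, forged, expired, revoked or wrong-kind token."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        if json.loads(_unb64url(head)).get("alg") != "HS256":  # never accept alg=none
            return None
        expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except (ValueError, AttributeError):
        return None
    if claims.get("typ") != kind or claims.get("exp", 0) <= now:
        return None
    user = claims.get("sub")
    if user not in USER_TOKEN_VERSION or claims.get("tv") != USER_TOKEN_VERSION[user]:
        return None  # version bumped: minted before the user's last logout
    if kind == "refresh" and claims.get("jti") in SPENT_REFRESH_IDS:
        return None  # replayed refresh token
    return claims


def login(user: str, now: int) -> tuple[str, str]:
    return mint(user, "access", now), mint(user, "refresh", now)


def refresh(refresh_token: str, now: int) -> Optional[tuple[str, str]]:
    """Rotation: spend the presented refresh token, then issue a fresh pair."""
    claims = verify(refresh_token, "refresh", now)
    if claims is None:
        return None
    SPENT_REFRESH_IDS.add(claims["jti"])
    return login(claims["sub"], now)


def logout_all(user: str) -> None:
    """Bumping the version invalidates every outstanding token for this user at once."""
    USER_TOKEN_VERSION[user] += 1
```

The version check is what makes logout immediate for stateless access tokens: nothing is searched or revoked per token, the verifier just compares one integer per request. The spent-jti set is what makes rotation mean something; without it a stolen refresh token stays valid until it expires.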
Bandit (Python SAST) runs on every pull request. Static analysis catches security anti-patterns before code reaches production.
pip-audit (Python), npm audit (JavaScript), govulncheck (Go) scan every dependency for known vulnerabilities on every build.
Trivy scans Docker images for CVEs. Gitleaks detects secrets and credentials in the codebase. OWASP ZAP runs DAST against staging.
Comprehensive test suite across all components: API integration tests, frontend E2E tests across 6 browsers (Playwright), Go agent unit tests.
Regular internal security assessments and self-penetration testing. External third-party penetration testing is on our roadmap.
Sentry error monitoring with real-time alerting. CSP headers, rate limiting, and strict input validation across all API endpoints.
Every installed package on monitored devices is matched against the OSV.dev vulnerability database for known CVEs. Severity breakdown, fix availability tracking, and per-device CVE timeline.
Exploit Prediction Scoring System (EPSS) enrichment for probability-based prioritisation. CISA Known Exploited Vulnerabilities catalog tracking for urgent remediation.
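One way to combine the signals above into a remediation order, added as Python example code; this is not Lorika's ranking logic, which the page does not detail. The findings, CVE identifiers, EPSS scores and version numbers are constructed placeholders, and the precedence (KEV first, then EPSS probability, then severity, then whether a fix exists) is an assumption about how a practitioner would weight them.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    cve: str
    device: str
    package: str
    severity: str             # qualitative rating as reported by the advisory
    epss: float               # EPSS: probability of exploitation in the next 30 days
    in_kev: bool              # listed in the CISA Known Exploited Vulnerabilities catalog
    fixed_in: Optional[str]   # first fixed version, or None when no fix is released yet


SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample data: placeholder CVE IDs and scores, not real advisories.
SAMPLE = [
    Finding("CVE-2000-0001", "host-a", "libfoo", "HIGH", 0.02, True, "1.2.3"),
    Finding("CVE-2000-0002", "host-a", "libbar", "CRITICAL", 0.85, False, None),
    Finding("CVE-2000-0003", "host-b", "libbaz", "CRITICAL", 0.004, False, "2.0"),
    Finding("CVE-2000-0004", "host-b", "libqux", "MEDIUM", 0.004, False, "3.1"),
    Finding("CVE-2000-0005", "host-c", "libquux", "LOW", 0.3, False, "0.9"),
]


def priority_key(f: Finding) -> tuple:
    """Sort key: known-exploited first, then by exploit probability, then by
    severity; at equal risk, findings with an available fix come first because
    they can be closed today."""
    return (not f.in_kev, -f.epss, -SEVERITY_RANK.get(f.severity.upper(), 0), f.fixed_in is None)


def prioritise(findings: list[Finding]) -> list[Finding]:
    return sorted(findings, key=priority_key)


def urgent(findings: list[Finding], epss_threshold: float = 0.1) -> list[Finding]:
    """The 'act now' slice: anything in KEV, or with EPSS above the threshold
    (threshold is an assumed policy value)."""
    return [f for f in prioritise(findings) if f.in_kev or f.epss >= epss_threshold]


def severity_breakdown(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity.upper()] = counts.get(f.severity.upper(), 0) + 1
    return counts


def fixable(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.fixed_in is not None]
```

The ordering produced on the sample is the point of the example: the LOW-rated finding with a high EPSS score outranks two CRITICAL ones that nothing is exploiting, and the KEV entry comes first despite a modest EPSS value, because KEV records observed exploitation rather than a prediction. Sorting by CVSS severity alone would put the list in nearly the opposite order.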
The Lorika agent source code is available on GitHub (Go, MIT-friendly license). Open architecture — inspect, audit, and verify what runs on your devices.
Where your data lives, how it is protected, and who has access.
All data is processed and stored in Germany (Dusseldorf). No data leaves the European Union. No US data transfers.
EU data residency, purpose limitation, data minimisation. We collect only what is necessary for security posture assessment. Data deletion on request.
TLS 1.3 for data in transit. AES-256 for data at rest. Device tokens hashed with SHA-256 before storage. Enrolment tokens are single-use and expire in 24 hours.
We do not sell, rent, or share your data with third parties for advertising or marketing purposes. Your security data is yours.
Scan data retained per plan tier (90 days to 2 years). Full account and data deletion available on request. Inactive accounts are cleaned up with advance email warnings.
Cloudflare (CDN, DNS, WAF), Contabo (hosting, Germany), Sentry (error monitoring), Google (OAuth), Microsoft (OAuth), GitHub (OAuth, code hosting).
Where we stand today and where we are heading.
We believe in honesty: we list what we actually do, not what we aspire to. Certifications will be listed here only after they are formally achieved.
How we keep the platform running and deploy safely.
Every change goes through automated tests, security scans, and code review before reaching production. GitHub Actions orchestrates build, test, and deploy.
Agent binaries are verified with SHA-256 checksums and Sigstore cosign (Fulcio CA, Rekor transparency logs). SLSA Level 3 supply chain security.
The agent checks for updates on startup and every 6 hours. SHA-256 verified downloads. Zero downtime, zero user interaction required.
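The checksum step of that update path, as an added Python example (not the agent's own updater, which the page says is written in Go). It assumes the checksums are published in the sha256sum(1) line format and that the downloaded asset is looked up by its file name; the asset names and contents are constructed.

```python
import hashlib
import re

# sha256sum(1) line format: "<64 hex digits>  <filename>", with an optional
# leading "*" on the name for binary mode. Assumption: the checksum file uses it.
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Map file name -> lowercase hex digest; any malformed line is an error,
    because silently skipping lines could hide a tampered file."""
    sums: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_download(blob: bytes, filename: str, sums_text: str) -> bool:
    """True only if the blob's SHA-256 equals the published digest for this name."""
    expected = parse_sha256sums(sums_text).get(filename)
    if expected is None:
        return False  # fail closed: a missing entry is not a pass
    return hashlib.sha256(blob).hexdigest() == expected


# Constructed sample: a stand-in "binary" and a checksum file that lists it
# correctly plus a second asset with a digest that will not match.
SAMPLE_BLOB = b"constructed stand-in for an agent binary\x00\x01\x02"
SAMPLE_SUMS = (
    f"{hashlib.sha256(SAMPLE_BLOB).hexdigest()}  lorika-agent-linux-amd64\n"
    f"{'f' * 64}  lorika-agent-darwin-arm64\n"
)
```

This establishes integrity against the published list only. Authenticity comes from the Sigstore step above: verifying the blob's cosign signature against the expected signing identity and OIDC issuer, which is not reproduced here because it needs the cosign CLI and the Rekor log. Two practical rules for the updater: hash the exact bytes that will be executed and only then move the file into place (download to a temporary path, verify, then rename), and treat a checksum file that does not name the asset as a failure rather than a skip.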
We take every report seriously.
If you discover a security vulnerability, please report it responsibly. We will investigate promptly and keep you informed.
[email protected]
We ask that you give us reasonable time to investigate and address reported vulnerabilities before public disclosure. We commit to acknowledging your report within 48 hours and providing a timeline for resolution.
We are happy to discuss our security posture in detail. Reach out to our team.
Contact security team