Last updated June 28, 2026

Security

1. Security Overview

Lokly is built with security-first principles. This page documents the technical and organizational safeguards we implement to protect your data and account.

2. Password Security

Password Hashing: All passwords are hashed using Argon2, a memory-hard cryptographic algorithm resistant to GPU and ASIC attacks. Raw passwords are never stored.

Password History: You cannot reuse your last 5 passwords. This prevents reuse of compromised credentials.

Password Requirements: Minimum 12 characters, enforced at signup and password reset. Passwords containing common patterns are rejected.

3. Authentication & Access Control

Multi-Factor Authentication (MFA): We support:

  • WebAuthn / Passkeys: Hardware keys (FIDO2, YubiKey) and platform authenticators (Touch ID, Face ID, Windows Hello)
  • Magic Links: Passwordless authentication via email
  • TOTP (Time-based One-Time Password): Authenticator apps (Google Authenticator, Authy)

MFA is recommended for all accounts and required for accounts with admin privileges.

Login Lockout Policy: After 5 failed login attempts, the account is locked for 15 minutes. Subsequent failures extend the lockout period.

Device Remembering:You can mark devices as “trusted” to skip MFA for 30 days. Forgotten devices always require MFA.

4. Session Management

Session Timeouts: Sessions expire after 30 days of inactivity (or your configured setting). You are automatically logged out and must re-authenticate.

Session Security: All session tokens are:

  • Cryptographically random and non-predictable
  • Transmitted over HTTPS only (TLS 1.3)
  • Set with HttpOnly and Secure flags to prevent XSS and MITM attacks

5. New Location Alerts

When you log in from a new geographic location, we send an email alert to your registered email address. This allows you to detect unauthorized access.

You can review and manage trusted locations in Settings → Security → Login History.

6. Encryption

In Transit (TLS 1.3): All communication between your device and our servers is encrypted using TLS 1.3, the latest TLS standard.

At Rest:Personal data stored in our database is encrypted at rest using Supabase’s encryption-at-rest feature (PostgreSQL with pgcrypto).

End-to-End Encryption (Future): We are evaluating end-to-end encryption for sensitive data to limit even our own access.

7. Data Backups & Recovery

Backup Frequency: We perform automated, encrypted daily backups of all data.

Backup Storage: Backups are stored in geographically redundant, secure vaults. Backups are encrypted and tested for recoverability weekly.

Retention Policy: Backups are retained for 90 days, allowing recovery of accidentally deleted data.

Disaster Recovery: In case of a major incident, we can restore your data to the latest backup within 4 hours.

8. Access Control

Role-Based Access Control (RBAC): Employees and contractors can only access data required for their job. Roles include:

  • Read: View account data
  • Support: Read and respond to support tickets
  • Admin: Full access (limited to senior engineers)

Principle of Least Privilege: No employee has access to production customer data by default. Access is granted on-demand with logging and approval.

VPN Requirement: All remote access to production systems requires a VPN and hardware MFA.

9. Vulnerability Management

Scanning: We run automated security scans (SAST, DAST, dependency scanning) on every code change.

Penetration Testing: We conduct quarterly penetration tests by third-party security firms.

Dependency Management: We track all software dependencies and apply security patches within 24 hours of release.

10. DDoS & Network Security

DDoS Mitigation:We use Cloudflare’s DDoS protection to filter attacks and maintain service availability.

WAF (Web Application Firewall): Our WAF blocks common attacks (SQL injection, XSS, CSRF).

Rate Limiting: We enforce rate limits on authentication endpoints and APIs to prevent brute-force attacks.

11. Security Monitoring & Logging

Real-Time Monitoring: We continuously monitor for suspicious activity:

  • Failed login attempts and brute-force attacks
  • Unusual data access patterns
  • Configuration changes and privilege escalation
  • Database query anomalies

Audit Logging: All administrative actions and data access are logged with timestamps, user IDs, and IP addresses. Logs are retained for 1 year.

12. Third-Party Security

All sub-processors are evaluated for security. We require:

  • ISO 27001 or SOC 2 Type II certification
  • GDPR-compliant data processing agreements
  • Regular security audits (shared on request)

13. Incident Response

Incident Response Plan: We have a documented incident response procedure:

  1. Detection and containment (< 1 hour)
  2. Investigation and root-cause analysis
  3. Notification (within 72 hours if data breach)
  4. Remediation and follow-up

Notification Policy: If a data breach affects you, we notify you by email within 72 hours with details of the breach, data affected, and remediation steps.

14. User Security Best Practices

We recommend:

  • Use a unique password: Don’t reuse passwords from other sites
  • Enable MFA: Use WebAuthn or TOTP for maximum security
  • Keep your OS/browser updated: Install security patches promptly
  • Use a password manager: Tools like 1Password, Bitwarden, or Dashlane
  • Check login history: Review Settings → Security → Login History monthly
  • Logout on shared devices: Never leave sessions active on shared computers

15. Compliance & Certifications

Lokly complies with:

  • GDPR: General Data Protection Regulation (EU/UK)
  • DPDPA 2023: Digital Personal Data Protection Act (India)
  • CCPA/CPRA: California Consumer Privacy Act
  • OWASP Top 10: Web application security standards
  • ISO 27001: Information security management (planned 2026)

16. Report a Security Issue

Found a security vulnerability? Please do not post it publicly. Instead, email:

Include a description of the vulnerability and steps to reproduce. We will investigate and contact you within 5 business days. We take all security reports seriously and are committed to responsible disclosure.