Last updated June 28, 2026
Lokly is built with security-first principles. This page documents the technical and organizational safeguards we implement to protect your data and account.
Password Hashing: All passwords are hashed using Argon2, a memory-hard cryptographic algorithm resistant to GPU and ASIC attacks. Raw passwords are never stored.
Password History: You cannot reuse your last 5 passwords. This prevents reuse of compromised credentials.
Password Requirements: Minimum 12 characters, enforced at signup and password reset. Passwords containing common patterns are rejected.
Multi-Factor Authentication (MFA): We support:
MFA is recommended for all accounts and required for accounts with admin privileges.
Login Lockout Policy: After 5 failed login attempts, the account is locked for 15 minutes. Subsequent failures extend the lockout period.
Device Remembering:You can mark devices as “trusted” to skip MFA for 30 days. Forgotten devices always require MFA.
Session Timeouts: Sessions expire after 30 days of inactivity (or your configured setting). You are automatically logged out and must re-authenticate.
Session Security: All session tokens are:
When you log in from a new geographic location, we send an email alert to your registered email address. This allows you to detect unauthorized access.
You can review and manage trusted locations in Settings → Security → Login History.
In Transit (TLS 1.3): All communication between your device and our servers is encrypted using TLS 1.3, the latest TLS standard.
At Rest:Personal data stored in our database is encrypted at rest using Supabase’s encryption-at-rest feature (PostgreSQL with pgcrypto).
End-to-End Encryption (Future): We are evaluating end-to-end encryption for sensitive data to limit even our own access.
Backup Frequency: We perform automated, encrypted daily backups of all data.
Backup Storage: Backups are stored in geographically redundant, secure vaults. Backups are encrypted and tested for recoverability weekly.
Retention Policy: Backups are retained for 90 days, allowing recovery of accidentally deleted data.
Disaster Recovery: In case of a major incident, we can restore your data to the latest backup within 4 hours.
Role-Based Access Control (RBAC): Employees and contractors can only access data required for their job. Roles include:
Principle of Least Privilege: No employee has access to production customer data by default. Access is granted on-demand with logging and approval.
VPN Requirement: All remote access to production systems requires a VPN and hardware MFA.
Scanning: We run automated security scans (SAST, DAST, dependency scanning) on every code change.
Penetration Testing: We conduct quarterly penetration tests by third-party security firms.
Dependency Management: We track all software dependencies and apply security patches within 24 hours of release.
DDoS Mitigation:We use Cloudflare’s DDoS protection to filter attacks and maintain service availability.
WAF (Web Application Firewall): Our WAF blocks common attacks (SQL injection, XSS, CSRF).
Rate Limiting: We enforce rate limits on authentication endpoints and APIs to prevent brute-force attacks.
Real-Time Monitoring: We continuously monitor for suspicious activity:
Audit Logging: All administrative actions and data access are logged with timestamps, user IDs, and IP addresses. Logs are retained for 1 year.
All sub-processors are evaluated for security. We require:
Incident Response Plan: We have a documented incident response procedure:
Notification Policy: If a data breach affects you, we notify you by email within 72 hours with details of the breach, data affected, and remediation steps.
We recommend:
Lokly complies with:
Found a security vulnerability? Please do not post it publicly. Instead, email:
Include a description of the vulnerability and steps to reproduce. We will investigate and contact you within 5 business days. We take all security reports seriously and are committed to responsible disclosure.