Governance and Security
At LŌD, we are committed to upholding the highest security standards, reflected in our SOC 2 Type II compliance across all five trust service criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Our Security and Privacy teams ensure that policies and controls are continuously monitored, audited, and improved to maintain the integrity and security of our systems.
Governance Principles
Defense-in-Depth
We implement layered security controls across our infrastructure, so that no single control failure exposes our systems or data.
Least Privilege Access
Access is strictly limited to those with a legitimate business need and based on the principle of least privilege.
Continuous Improvement
Our controls are regularly updated to enhance their effectiveness and auditability and to reduce operational friction.
Data Protection
Data at Rest
All personally identifiable data stored in our systems is encrypted using industry-standard methods, including AES-256 encryption for sensitive data. Customer information is protected even before it reaches our databases, securing it against unauthorized access both physically and logically.
Data in Transit
We use TLS 1.2 or higher to safeguard data transmitted over networks, with additional layers such as HSTS (HTTP Strict Transport Security) to maximize protection.
Product Security
Penetration Testing
At LŌD, we engage with industry-leading security firms to perform penetration testing at least annually. These assessments cover our entire infrastructure, from cloud environments to product interfaces, ensuring all vulnerabilities are identified and mitigated promptly. We ensure that full system access, including source code, is provided to our testers to maximize coverage. Detailed penetration test reports are available for review by our clients upon request.
Vulnerability Scanning
LŌD conducts vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC). This includes:
Static Application Security Testing (SAST) to identify coding flaws during pull requests and in ongoing development.
Software Composition Analysis (SCA) to ensure third-party components in our software are free from known vulnerabilities.
Dynamic Application Security Testing (DAST) to evaluate the behavior of running applications.
Regular Network Vulnerability Scanning to detect weaknesses in our network systems.
Enterprise Security
Endpoint Protection
All corporate devices at LŌD are centrally managed and secured through Mobile Device Management (MDM) software. We enforce disk encryption, anti-malware protection, and regular software updates on all devices. Alerts from our endpoint protection systems are monitored 24/7 to ensure any anomalies are addressed immediately.
Vendor Security
LŌD follows a risk-based approach to vendor management. Vendors are evaluated based on their access to our customer and corporate data, the potential risk they pose to our infrastructure, and their overall security posture. Each vendor undergoes continuous monitoring and periodic reviews to ensure compliance with our security standards.
Secure Remote Access
LŌD ensures secure remote access through the use of Virtual Private Networks (VPNs) and encrypted connections. All access to our systems from external networks is tightly controlled and logged, with multi-factor authentication (MFA) enforced on critical systems. Malware-blocking DNS servers are also used to protect our employees while browsing the internet.
Security Training
LŌD provides comprehensive security training to all employees upon onboarding and annually. Employees are educated on secure coding practices, identifying social engineering attacks, and the correct handling of sensitive data. We also conduct regular simulations and provide threat briefings to keep our team updated on emerging security threats.