SOC 2 Type 2, GDPR compliant, and trusted by companies like Replicant and Wagestream.
Summary
- Encryption & Infrastructure: All data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256). Loxo runs on Google Cloud Platform with servers in the US or the EU and operates across multiple zones for resilience against outages.
- Certifications: Loxo is SOC 1, Type II, and SOC 2, Type II certified.
- Data retention: Loxo's physical and electronic records data retention policies ensure that records that are no longer needed by Loxo or are of no value are discarded at the proper time.
- GDPR compliance: Loxo has implemented a GDPR compliance program and currently uses Standard Contractual Clauses in conjunction with its Data Processing Addendum.
- User permission management: Loxo operates according to the principle of least privilege and conducts regular checks to ensure that Loxo personnel are only granted the permissions they need to conduct their job functions.
- Annual security training: Loxo provides annual compliance training to employees that covers, among other topics, Loxo's Cybersecurity Policy and updates to security policies and procedures.
- Penetration testing: Loxo conducts annual penetration testing and quarterly vulnerability testing to proactively identify and remediate any security vulnerabilities in the Loxo system.
- Operational security: Loxo's operational security policies include policies governing IT assets, access controls, internet access, antivirus, remote access, and other risk mitigation measures. These may be provided upon request.
Core Info-sec documentation
data-management-policy-bsi.pdf
incident-response-plan-bsi.pdf
code-of-conduct-bsi.pdf
asset-management-policy-bsi.pdf
business-continuity-and-disaster-recovery-plan-bsi.pdf