Security

We take security and privacy very seriously.  We've designed our systems with security and privacy as bedrock concerns that inform every decision we make, through every level of our enterprise, both human and technical.

Network and Infrastructure

  • Virtual Private Clouds

    • Our application hosting environments (for production, staging, development, etc) are hosted in separate AWS Virtual Private Clouds, and utilize independent resources.

  • Public vs Private

    • Our application and database servers are only hosted in private subnets in our VPCs.

Data Security

  • Encryption

    • In Transit

      • We support TLS 1.3 and require TLS 1.2 or greater and force HTTPS on all browser to server connections.

      • We require encryption between our application servers and database servers.

    • At Rest

      • Database Level

        • Our databases use AWS managed encryption-at-rest

        • Our database backups use AWS managed encryption-at-rest

      • Field Level

        • We utilize AWS managed keys for additional field-level encryption of advisor feedback.

Product Security

  • Role Based Security

    • We utilize a role-based permissions system in our application, for all users (customers, administrators, Loupe Staff, etc)

    • Least Privilege

      • We only grant permissions to perform actions that are required to perform job duties.

  • Passwordless Authentication

    • We use passwordless authentication via email-based magic links that expire in 15 minutes from request.

  • Audit Logging

    • We maintain an audit log of all actions taken in our application, including data-reads, by all users, including looking at the audit log.

Company Operations

  • We require and enforce multi-factor authentication for our data systems (email hosting, third party vendors, etc).

  • We train all of our staff on

    • Anti-phishing 

    • Anti-social-engineering

    • Anti-spoofing

    • Device configuration review

    • Physical security

    • Mandatory reporting

  • Incident Management

    • We have policies and procedures for incident management.

Device Security

  • We audit and patch staff devices quarterly to ensure best practices around device encryption, authentication, password policies, lock-screens, OS and library updates.

Software Development Lifecycle

  • We conduct code-reviews, unit-testing, automated integration testing, and restricted privilege promotion for pushing versions into our production environment.

Physical Security