Security and Privacy at Loxo

Security and privacy are core to our mission at Loxo. Empowering our customers to trust us with their critical business operations begins with maintaining the highest standards of security and compliance ourselves.

Governance

At Loxo, our Security and Privacy teams are dedicated to establishing robust policies and controls, monitoring compliance, and demonstrating our security posture to third-party auditors.

Our governance principles are rooted in:

  1. Access Control: Access is granted based on legitimate business needs and the principle of least privilege.
  2. Layered Security: Defense-in-depth guides the design and implementation of all security controls.
  3. Consistent Application: Security controls are applied uniformly across all areas of our infrastructure.
  4. Continuous Improvement: Security measures evolve iteratively to enhance effectiveness, auditability, and usability.

Security and Compliance at Loxo

Loxo maintains compliance with industry-leading security standards:

  • SOC 2 Type II: Demonstrating our commitment to operational security and availability.
  • Compliance Frameworks: Loxo aligns with GDPR, CCPA, and other relevant regulations.

Data Protection

Data at Rest

All customer data, including storage in databases and object storage systems, is encrypted at rest using AES-256.

Data in Transit

Loxo uses TLS 1.2 or higher to protect data during transmission across potentially insecure networks. Additional controls such as HTTP Strict Transport Security (HSTS), which instructs browsers to connect only over HTTPS, preserve the integrity and confidentiality of data in transit.

Secret Management

Encryption keys are managed through AWS Key Management Service (KMS) and Ansible Vault, leveraging hardware security modules (HSMs) for enhanced protection. Application secrets are securely stored using AWS Secrets Manager, Ansible Vault, Kubernetes Secrets, and 1Password, ensuring access is strictly limited and logged.

Product Security

Penetration Testing

Loxo partners with leading security firms to conduct both quarterly and annual penetration tests of our applications and infrastructure. These comprehensive assessments include source code reviews and external attack surface analysis.

Vulnerability Scanning

We integrate automated security testing throughout our Secure Development Lifecycle (SDLC):

  • Static Analysis (SAST): Code scans during pull requests and on an ongoing basis.
  • Dynamic Analysis (DAST): Regular testing of running applications.
  • Dependency Scanning: Monitoring for known vulnerabilities in third-party libraries.
  • Network Scanning: Regular checks for vulnerabilities in our infrastructure.

Enterprise Security

Endpoint Protection

All corporate devices are centrally managed with Mobile Device Management (MDM) software, enforcing disk encryption, automatic updates, and malware protection. Endpoint security alerts are monitored 24/7 to ensure rapid response to potential threats.

Vendor Security

We evaluate all vendors using a risk-based approach, considering factors such as access to customer data, integration with production environments, and brand impact. Vendors are only approved after rigorous evaluation.

Secure Remote Access

Loxo secures remote access to internal systems with WireGuard, a modern VPN protocol. Malware-blocking DNS servers protect employee devices during internet use.

Security Education

We provide comprehensive security training for all employees during onboarding and annually thereafter. Engineers receive additional training focused on secure coding practices. Regular threat briefings ensure all employees stay informed about emerging risks and required actions.

Identity and Access Management

Loxo uses SSO for identity and access management, enforcing strong authentication practices. Access to applications is role-based and automatically revoked upon termination of employment. Additional access requires explicit approval in alignment with internal policies.

Data Privacy

Loxo’s commitment to privacy is unwavering. We:

  • Maintain compliance with GDPR, CCPA, and other regulations.
  • Continuously monitor and adapt to regulatory changes.
  • Publish our Privacy Policy, subprocessors list, and Data Processing Agreement (DPA) on our Trust Center.

Get in Touch

For more information about our security practices or compliance certifications, please visit our Trust Center or contact our Security team at support@loxo.co.
