Security & compliance
Built for the most cautious team at your company.
SOC 2 Type II, PCI DSS Level 1, ISO 27001, encryption at rest and in transit, per-tenant isolation, audited every quarter, MENA-resident by default.
Certifications
Audited, not just self-attested.
SOC 2 Type II: Deloitte (auditor); annual report, continuous monitoring
PCI DSS Level 1: QSA-attested via Stripe Connected; annual ROC
ISO 27001: BSI Group; 3-year cycle, annual surveillance
ISO 27701 (Privacy): BSI Group; 3-year cycle, annual surveillance
UAE NESA / Dubai DESC: self-attested + customer audit; annual
KSA NCA ECC-1: self-attested + customer audit; annual
The eight pillars
Defense in depth, by design.
Encryption everywhere: AES-256 at rest (Postgres TDE, S3 SSE-KMS). TLS 1.3 in transit. Field-level encryption for PII (names, emails, phone) with per-tenant keys.
Strong authentication: Mandatory 2FA for staff. Optional SSO (SAML, OIDC) for customers on Enterprise. SCIM provisioning. Hardware-key support.
Per-tenant isolation: Postgres row-level security on every table. No customer query can cross workspace boundaries, even with a leaked token.
Audit everything: Every admin action, API call and consent change is written to an immutable log, retained 13 months on Growth and 7 years on Enterprise.
Bug bounty: Public programme on HackerOne since 2024. Top-tier triage SLA. Disclosed vulnerabilities live on /security/disclosures.
Annual pentest: External pentest by NCC Group; summary report shared under NDA with Enterprise customers. Findings tracked publicly.
Personnel security: Background checks on all engineers. Just-in-time access to production (4-hour expiry). Mandatory secure-coding training quarterly.
Region pinning: Default UAE region. Enterprise can pin to EU (Frankfurt), KSA (Riyadh), Singapore, US. No cross-region replication without your written consent.
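The per-tenant isolation pillar rests on Postgres row-level security. The block below is an added illustration, not the product's own schema or policy, of how such a policy is normally enforced and of the two details that make the "even with a leaked token" claim hold: FORCE so the table owner is covered, and a missing tenant setting yielding zero rows rather than every row. It assumes a hypothetical contacts table with a workspace_id column, an app.workspace_id session setting and an app_user role.

```sql
-- Illustrative schema (assumed): one table shared by every tenant.
CREATE TABLE contacts (
    id            bigserial PRIMARY KEY,
    workspace_id  uuid NOT NULL,
    email         text NOT NULL
);

-- Enable RLS and FORCE it, so the table owner (often the migration role)
-- is also subject to the policy. Superusers still bypass RLS, so the
-- application must never connect as one.
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;

-- The tenant is taken from a per-transaction setting (assumed name
-- app.workspace_id). USING filters reads/updates/deletes; WITH CHECK
-- refuses inserts or updates that would tag a row with another workspace.
CREATE POLICY tenant_isolation ON contacts
    USING      (workspace_id = current_setting('app.workspace_id', true)::uuid)
    WITH CHECK (workspace_id = current_setting('app.workspace_id', true)::uuid);

-- The application connects as a plain role: not superuser, not the owner,
-- so nothing it does can bypass the policy.
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON contacts TO app_user;

-- Per-request pattern, run as app_user. SET LOCAL scopes the tenant to
-- this transaction, so a pooled connection cannot carry it into the next.
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT count(*) FROM contacts;  -- only this workspace's rows are visible
COMMIT;

-- Failure mode worth checking: with no tenant bound, current_setting(..., true)
-- returns NULL, the comparison is NULL, and the policy returns zero rows.
-- A leaked API token that reaches the database layer without a bound
-- workspace therefore sees nothing, not everything.
SELECT count(*) FROM contacts;  -- 0 rows outside a tenant-bound transaction
```

A useful recurring check is to run the second SELECT from the application role in CI and fail the build if it ever returns rows.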
99.97% 90-day uptime
38ms p50 API latency, MENA
5 min RPO, all data tiers
5 pinnable regions
Incident response
What happens within five days of any incident
- T+0: Automated detection or customer report opens an incident in PagerDuty.
- T+10 min: Sev1/Sev2: on-call engineer, security lead and customer success lead paged.
- T+30 min: Containment in progress, incident commander running comms.
- T+1 hr: Customer impact assessment posted to status.{domain}.
- T+24 hr: Affected customers notified by email + in-app banner.
- T+72 hr: Detailed notification to controllers (you), as required by GDPR.
- T+5 days: Public post-mortem with root cause and fix posted at /security/incidents.
Documents available
SOC 2 Type II report: under NDA, latest period
ISO 27001 certificate: PDF
PCI DSS AOC: Stripe-connected merchant attestation
Pentest summary: latest, redacted, under NDA
Architecture diagram: network + data flow, under NDA
Security whitepaper: PDF, ungated
Found a vulnerability?
Email security@loopin.app or submit through HackerOne. We acknowledge within 24 hours and publish disclosure once the fix ships.