LoomAPIBETA

Security Overview

Last updated: 22 November 2025

Security Commitment

LoomAPI is committed to maintaining the highest standards of security to protect our customers' data and ensure the integrity of our verification services. Security is fundamental to our service and is integrated into every aspect of our operations.

This document provides an overview of our security practices, controls, and compliance measures.

Data Protection

Zero-Retention Policy

LoomAPI operates with a zero-retention policy for sensitive personal data:

  • Raw verification evidence is not stored
  • ID document images are not retained
  • Biometric templates and face data are not stored
  • PII is processed only as necessary for verification

Encryption

  • In Transit: All data is encrypted using TLS 1.2 or higher
  • At Rest: Sensitive data is encrypted using industry-standard encryption
  • Database: Database connections use SSL/TLS encryption
  • Backups: All backups are encrypted

Access Controls

We implement strict access controls to protect our systems and data:

  • Authentication: Multi-factor authentication (MFA) required for all administrative access
  • Authorization: Role-based access control (RBAC) with principle of least privilege
  • API Keys: Secure API key generation and rotation policies
  • Session Management: Secure session handling with appropriate timeouts
  • Audit Logging: All access to sensitive systems is logged and monitored

Infrastructure Security

Network Security

  • Firewall rules and network segmentation
  • DDoS protection and mitigation
  • Intrusion detection and prevention systems
  • Regular security scanning and vulnerability assessments

Hosting and Infrastructure

  • Cloud infrastructure with industry-leading security
  • Regular security updates and patches
  • Disaster recovery and backup procedures
  • High availability and redundancy

Application Security

Our application security practices include:

  • Secure coding practices and code reviews
  • Regular dependency updates and vulnerability scanning
  • Input validation and sanitization
  • Rate limiting and abuse prevention
  • Security testing and penetration testing
  • Error handling that does not expose sensitive information

Monitoring and Incident Response

Monitoring

  • 24/7 system monitoring and alerting
  • Log aggregation and analysis
  • Anomaly detection
  • Performance monitoring

Incident Response

  • Documented incident response procedures
  • Rapid detection and response capabilities
  • Customer notification procedures
  • Post-incident review and improvement

Compliance and Certifications

LoomAPI is designed to comply with:

  • GDPR: General Data Protection Regulation compliance
  • CCPA: California Consumer Privacy Act compliance
  • SOC 2: Working towards SOC 2 Type II certification
  • ISO 27001: Working towards ISO 27001 certification

We regularly review and update our security practices to maintain compliance with evolving regulations and standards.

Third-Party Security

We work with trusted third-party service providers and ensure they meet our security standards:

  • Stripe: PCI DSS Level 1 compliant payment processor
  • Verification Providers: Industry-leading identity verification services
  • Hosting Providers: Enterprise-grade cloud infrastructure

All third-party integrations are reviewed for security and compliance before implementation.

Security Best Practices for Customers

To maintain security when using LoomAPI:

  • Keep API keys secure and rotate them regularly
  • Use HTTPS for all API requests
  • Implement proper error handling
  • Monitor your usage and set up alerts for anomalies
  • Follow security best practices for your application
  • Report security issues to security@loomapi.com

Vulnerability Disclosure

We take security vulnerabilities seriously. If you discover a security issue, please:

  • Email security@loomapi.com with details
  • Provide a detailed description of the vulnerability
  • Allow us reasonable time to address the issue before public disclosure
  • Follow responsible disclosure practices

We appreciate security researchers who help us improve our security and will acknowledge responsible disclosures.

Security Updates

We regularly update our security practices and will notify customers of significant security changes. This document is reviewed and updated periodically to reflect our current security posture.

Contact

For security-related questions or to report security issues: