Security

Enterprise-grade protection from day one. Loupe Factory safeguards your data with strong authentication, granular role-based access, and a hardened, modern cloud stack.

Contact Sales View plans
Loupe Factory Security Features (Light Mode) Loupe Factory Security Features (Dark Mode)
Last updated:

Security at Loupe Factory is built in, not bolted on. We follow a defense-in-depth approach across identity, data, application, and infrastructure layers. This page explains what we do by default, the options you can enable, and how your team can operate securely day-to-day.

For any security-related questions, feel free to contact us at security@loupefactory.com.

Please note that we are still in the journey of growing our product and improving our security posture. If you're working in a highly sensitive environment, you should be careful when using Loupe Factory (or any other AI tool). We hope this page gives insight into our progress and helps you make a proper risk assessment.

SECURITY FEATURES

Built-in controls that you can trust.

Your data is always yours.

Hardened by Default

Secure configurations and sensible defaults out of the box.

No AI training

Your data is never used for AI training or shared with third parties.

Access Controls

Strong authentication and least-privilege access.

Defense in Depth

Multiple layers spanning app, data, and infra.

Identity & Access Management

SSO, MFA (via your IdP), and provisioning

  • SAML SSO / OIDC via WorkOS: Connect Okta, Microsoft Entra ID, or Google Workspace for centralized sign-in. Passwords are never stored in Loupe Factory.
  • MFA through your IdP: Loupe Factory honors MFA challenges enforced by your IdP. For a seamless sign-in experience, Loupe Factory cannot require MFA itself—configure MFA and conditional access in your IdP to protect all logins.
  • Just-in-Time (JIT) provisioning: New users can be created automatically on their first successful SSO. You can define default roles and restrict sign-ups to pre-approved domains or IdP assignments.
  • De-provisioning: Removing a user's access to the Loupe app in your IdP immediately prevents sign-in. For active sessions, admins can revoke tokens from Loupe's admin panel.
  • Directory Sync (SCIM): If SCIM isn't enabled on your plan, use IdP app assignment or bulk invites for adds/changes. We also support manual role updates via the admin UI.

RBAC & least privilege

  • Granular roles: Admin, Manager, Member, and custom roles (Enterprise plan only) mapped to least-privilege permissions.
  • Org-scoped access: Users are automatically scoped to their organization; cross-tenant access is blocked by design.
  • Scoped credentials: Create read-only or read-write API keys per integration; rotate/revoke instantly.
  • Session controls: Configurable idle timeouts, device/browser sign-out, and optional re-auth prompts for sensitive actions like exporting data or changing accounting connectors.
  • Admin safeguards: Role changes and user locks are logged in the audit trail for traceability.

Data Protection

Encryption in transit & at rest

  • TLS 1.2+ everywhere: All traffic to/from the app and APIs is encrypted.
  • At rest: Application and backups are encrypted at rest (AES-256 or provider equivalent).
  • Secrets management: Application secrets and signing keys are stored in managed secret stores; never checked into code.

Tenant isolation

  • Logical separation: Each customer runs in a logically isolated tenant with separate data boundaries.
  • Query guards: All data access paths include enforced tenant scoping and authorization checks.

Backups & recovery

  • Automated backups: Regular snapshots with point-in-time recovery (PITR) where supported by the database provider.
  • Restore drills: Periodic restore tests to validate RPO/RTO assumptions.

Application Security

Secure development lifecycle

  • Code review & CI checks: Mandatory peer review, dependency scanning, and SAST on every change.
  • Dependency hygiene: Pinned versions, automated alerts for CVEs, and regular patch cadence.
  • Secrets hygiene: No secrets in code; environment-scoped configs with least privilege.

Runtime controls

  • WAF & rate limiting: Mitigations for common web threats (e.g., injection, brute force, scraping).
  • Audit trails: Administrative and sensitive actions are recorded with actor, object, and timestamp.
  • File safety: Uploaded files are validated, type-checked, and stored with restricted execution.

Infrastructure & Operations

Isolation & hardening

  • Network segmentation: Private networking where supported; minimal public exposure; strict ingress/egress rules.
  • Principle of least privilege: Narrow IAM roles for services and humans; periodic access reviews.
  • Environment separation: Isolated dev, staging, and prod environments.

Observability & incident response

  • Logging & monitoring: Centralized logs and metrics with anomaly alerts.
  • On-call & runbooks: 24x7 alerting with documented playbooks for triage and escalation.
  • Incident process: Root-cause analysis and post-mortems for customer-impacting events.

Customer Controls & Best Practices

  • Use SSO everywhere: Enforce MFA and conditional access in your IdP.
  • Harden roles: Grant the narrowest role required; rotate API keys regularly.
  • Data hygiene: Configure retention policies and export logs to your SIEM if needed.
  • Least-privilege integrations: Scope connectors (e.g., accounting) to the minimal set of ledgers/companies required.

Compliance & Documentation

Loupe Factory's architecture and controls are designed to align with common frameworks (e.g., SOC 2, ISO 27001) and modern cloud security practices. For current audit status, penetration testing summaries, or a security questionnaire (CAIQ, VSA), contact our team.

Wrap up

Security is a shared responsibility: we deliver a hardened platform and clear controls; you enforce strong identity policies and least-privilege access. Ready to review our security package or set up SSO? Get in touch.

Supercharge your business

With Artificial Intelligence ✨

Get started with Loupe Factory

Cookies & Privacy

We use non-essential cookies (like analytics) to improve your experience. In your region, consent is required. You can change your choice anytime in Privacy Choices. Learn more.

You can update your cookie choices. Manage cookies