Security & trust
How Looper HQ keeps your data safe, what controls we own, and our compliance roadmap. SOC 2 Type I attestation is in progress (target Q3 2026).
Owned controls
Multi-tenant isolation
Every row in every table is scoped by tenant_id. Row-level security (RLS) on all tenant-facing tables. No cross-tenant data leakage.
BYOK at-rest encryption
API keys (Anthropic, OpenAI, Gemini, Perplexity, fal, Stripe, etc.) encrypted with AES-256-GCM before storage. Decrypted only at call time, in memory.
Role-based access
Owner / admin / member / viewer per tenant. Mutation endpoints check the role. Viewers are read-only platform-wide.
Database hardening
Postgres 17 on Supabase. Daily automated backups (7-day retention). PITR available on paid Supabase tiers.
Spend caps + freeze
Per-tenant monthly spend cap. When hit, all metered actions freeze until the user lifts the cap or the period rolls over.
Audit trail
Every consequential action logged with actor, before/after state, IP, user agent. Owner/admin reviewable at /security/audit-log.
Transport encryption
HTTPS everywhere. HSTS preload eligible. Vercel handles auto-renewing SSL.
Incident response
Critical alerts route to on-call email. Public incident page at status.looperhq.com (when domain is wired).
Roadmap
What you can do today
- Review every consequential action in your workspace at /security/audit-log
- Wire BYOK so your usage never touches our infra: /settings/billing-mode
- Set a monthly spend cap to prevent runaway costs: /settings/credits
- Manage team roles + remove access: /settings/team
Report a vulnerability
Email security@looperhq.com with your finding. We acknowledge within 48h and aim to resolve confirmed issues within 10 days. We don't currently run a paid bounty, but we credit researchers in our security notes.