
Overview

At LoginRadius, protecting our customers' data is not just a technical requirement — it's a core part of our mission. We maintain a robust, organization-wide security and compliance program built on global standards, industry best practices, and continuous improvement.

This document outlines our corporate commitment to security, governance, and regulatory compliance at all organizational levels.

Compliance Strategy and Objectives

LoginRadius adopts a security-first mindset across every team and process. Our compliance program is designed to:

  • Protect customer and end-user data

  • Demonstrate trust and accountability

  • Support customer compliance needs

  • Adapt to evolving regulatory environments

We implement a formal information security management system (ISMS) to align our efforts to meet regulatory obligations and industry certifications.

Core Pillars of Our Compliance Framework

Security Governance

We maintain a comprehensive set of policies and procedures enforced across the organization:

  • Information Security Policy

  • Access Control Policy

  • Data Retention & Disposal Policy

  • Encryption Standards

  • Vulnerability and Patch Management Policy

  • Incident Response Plan

  • Business Continuity and Disaster Recovery Plan

These policies are reviewed annually, version-controlled, and enforced through internal training and monitoring.

Risk Management

LoginRadius actively works to identify, assess, and mitigate potential risks to its infrastructure and customer data. The following measures are implemented to ensure a robust risk management framework:

  • We conduct regular risk assessments to identify, evaluate, and mitigate threats.

  • Vendor Risk Management is in place to ensure third-party providers meet our security standards.

  • Changes to services or infrastructure undergo security impact assessments.

Internal Audit and Continuous Monitoring

LoginRadius implements a comprehensive framework to ensure ongoing security and compliance:

  • We perform scheduled internal audits and management reviews in alignment with ISO standards.

  • Audit findings are tracked with corrective and preventive actions (CAPA).

  • Continuous monitoring tools are deployed across production environments to detect anomalies and unauthorized access.

Achieved Certifications and Compliance Standards

LoginRadius has obtained and consistently maintains the following certifications and complies with various regulatory frameworks. A complete list of certifications is available on our Trust Portal.

All certification reports are securely stored on our Trust Center and can be accessed at Trust Vault.

  • SOC 2: LoginRadius is SOC 2 certified by A-LIGN, highlighting our commitment to implementing strong security practices and assuring customers and stakeholders that their data is managed securely and responsibly.

  • HIPAA: LoginRadius is fully committed to safeguarding the privacy and security of sensitive health information. We are HIPAA compliant, ensuring that all healthcare-related data is handled, stored, and transmitted in full accordance with the Health Insurance Portability and Accountability Act (HIPAA). Our policies and practices are designed to maintain the confidentiality, integrity, and availability of protected health information (PHI), demonstrating our dedication to meeting the highest data security and privacy standards.

  • ISO/IEC 27001:2022: LoginRadius is ISO 27001 certified by the BSI, demonstrating our commitment to implementing and maintaining a robust Information Security Management System (ISMS) that ensures data confidentiality, integrity, and availability. This certification reflects our dedication to upholding the highest standards of information security.

  • ISO/IEC 27018:2019: LoginRadius is ISO 27018 certified by the BSI, demonstrating our commitment to protecting personal data in cloud environments by adhering to the highest standards and best practices for privacy. This ensures that our information security management system aligns with strict requirements for safeguarding personally identifiable information (PII) in cloud services.

Security Operations and Practices

Security controls are implemented throughout the LoginRadius ecosystem to enforce protection, monitoring, and accountability.

Data Protection and Encryption

  • Data at Rest: Encrypted using AES-256.

  • Data in Transit: Secured using TLS 1.2 or higher.

  • Secrets Management: Managed via secure key vaults with restricted access.

Identity and Access Management

  • Role-Based Access Control (RBAC)
  • Least Privilege Enforcement
  • MFA is required for internal tools and environments.
  • Centralized logging of all access events

Physical and Infrastructure Security

LoginRadius operates in ISO- and SOC-certified data centers hosted on AWS and other cloud providers. Our infrastructure spans multiple global regions and includes geo-redundant deployments, auto-scaling, load balancing, and regional failover capabilities. Access to servers is tightly restricted via firewalls and predefined IP allow lists. Upon contract termination, all customer data and backups are permanently deleted.

Disaster Recovery and Failover

The LoginRadius platform uses a fully cloud-hosted, active-active architecture across multiple cloud providers and regions to ensure high availability. Each data center includes failover instances to handle service continuity. The disaster recovery plan consists of three layers of resilience:

Step 1: Intra-Region Redundancy

Each region hosts multiple servers distributed across multiple Availability Zones (AZs). These servers act as failovers for one another, ensuring that if a single server or AZ becomes unavailable, operations within the region continue without downtime.

Step 2: Inter-Region Data Center Redundancy

Our platform is deployed across multiple regions. Each region is configured to serve as a failover for the other, so if one region experiences an outage, traffic is seamlessly rerouted to an operational region, maintaining API and service availability.

Step 3: Cross-Region Failover

In the rare event of a complete regional failure, our platform automatically fails over to another geographic region. This DNS-level switchover is typically completed within 30 seconds, ensuring service continuity. While a full regional outage has never occurred in recent years, we proactively test and monitor our failover systems to ensure readiness.

Recovery time objective (RTO) is under 4 hours, and annual DR drills are conducted for validation.

Data Destruction

Upon contract termination, LoginRadius assists with secure data transfer and ensures the complete deletion of all customer data and backups from its systems. No residual data is retained.

Threat Management

LoginRadius employs a multi-layered threat protection strategy combining secure cloud architecture, controlled network access, and real-time intrusion prevention to defend against external and internal threats.

Key Practices:

  • Multi-Layer Network Architecture:

    • Uses Internet Gateway (IGW) and Virtual Private Gateway (VGW) to enable secure external connectivity.

    • Implements Network Address Translation (NAT) for safe routing between public IPs and private instances.

  • Subnet Design:

    • Public Subnets: Allow internet access via IGW for externally facing resources.

    • Private Subnets: Use NAT for controlled outbound-only internet access.

    • Protected Subnets: Fully isolated for sensitive or regulated data workloads.

  • Firewall Rules (Security Groups):

    • AWS EC2-based firewalls control traffic at the instance level.

    • Custom rules define specific allowed inbound and outbound traffic for each group.

  • Intrusion Detection and Prevention (IDS/IPS):

    • An IDS/IPS is deployed inline to inspect application traffic in real time.

    • Malicious or suspicious traffic is filtered before reaching internal systems.

    • Traffic is then routed through load balancers to maintain availability and scalability.

This layered approach ensures both performance and robust protection across the LoginRadius infrastructure.
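As an added illustration of the three subnet tiers described above (example code, not LoginRadius's own tooling), the check below derives each route table's effective tier from its routes and flags tables whose declared tier no longer matches what the routes allow. The input shape follows `aws ec2 describe-route-tables`; the sample data, the placeholder ids and the `Tier` tag convention are assumptions.

```python
from typing import Dict, List

# Constructed sample in the shape of `aws ec2 describe-route-tables` output;
# the ids are placeholders, not real resources.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-example", "Tags": [{"Key": "Tier", "Value": "public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-private-example", "Tags": [{"Key": "Tier", "Value": "private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
    # Drift: tagged as the protected tier, but a default route via the IGW was added.
    {"RouteTableId": "rtb-protected-example", "Tags": [{"Key": "Tier", "Value": "protected"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
]

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}

def effective_tier(route_table: Dict) -> str:
    """Derive the tier from what the routes actually allow: a default route through
    an internet gateway means public (inbound and outbound), a default route through
    NAT or an egress-only gateway means private (outbound only), and no default
    route at all means protected (fully isolated)."""
    tier = "protected"
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest not in DEFAULT_ROUTES:
            continue  # only default routes decide internet reachability
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"  # the widest exposure wins
        if route.get("NatGatewayId") or route.get("EgressOnlyInternetGatewayId"):
            tier = "private"
    return tier

def declared_tier(route_table: Dict) -> str:
    """Tier the operator intended, read from the 'Tier' tag (empty if untagged)."""
    tags = route_table.get("Tags", [])
    return next((t["Value"] for t in tags if t.get("Key") == "Tier"), "")

def find_tier_drift(route_tables: List[Dict]) -> List[str]:
    """Ids of route tables whose routes permit more (or less) than their tag declares."""
    return [rt["RouteTableId"] for rt in route_tables
            if effective_tier(rt) != declared_tier(rt)]

if __name__ == "__main__":
    for rt in SAMPLE_ROUTE_TABLES:
        print(f"{rt['RouteTableId']}: declared={declared_tier(rt)} effective={effective_tier(rt)}")
    print("drift:", find_tier_drift(SAMPLE_ROUTE_TABLES))
```

Run against real `describe-route-tables` JSON, the same functions turn the subnet design above into a drift check that can be scheduled alongside the continuous monitoring described earlier.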

Incident Handling

LoginRadius's cloud-native incident response strategy is focused on rapid detection, containment, and recovery from security events. Our approach combines automation, continuous monitoring, and pre-planned response tactics to ensure service resilience.

Key Practices:

  • Cloud-Optimized Strategy: Our incident response approach is tailored for cloud environments, leveraging detailed logs and metrics from AWS and other cloud providers.

  • Proactive Preparation: We predefine the types of data available for response and use partner tools to analyze threats effectively.

  • Behavioral Baselines: Normal usage patterns are benchmarked to help detect anomalies quickly through access, API, system, and database logs.

  • Log Management: Critical logs are collected, offloaded daily, and securely stored to ensure visibility and integrity.

  • Automation and Recovery: We maintain infrastructure-as-code templates for rapid restoration and use configuration tools like Chef for consistency.

  • Rehearsed Response: Our team follows tested playbooks and runs regular drills to ensure a swift and structured response during incidents.

Application Security

LoginRadius prioritizes the security of its platform and ensures that customer data and applications are protected against unauthorized access, data breaches, and other potential security threats. The platform follows best practices for secure software development, proactive security measures, and monitoring to safeguard the system and user data.

  • Secure SDLC practices are embedded in all engineering workflows.

  • Static and Dynamic Code Analysis (SAST/DAST)

  • Regular third-party penetration testing

  • Bug bounty program for responsible disclosure

Logging, Monitoring, and Configuration

LoginRadius ensures robust logging, monitoring, and configuration practices to maintain its platform's security, stability, and performance. All infrastructure and API activities are continuously logged and monitored so that anomalies, performance issues, and security threats are detected and responded to in real time.

Expiration & Purge:

  • Audit logs are purged automatically based on the retention period, with no recovery option.

  • Logs are destroyed when a customer ends their contract with LoginRadius.

Data Compliance & Retention Policy:

  • Data Storage Location: Audit logs are stored in the same region as the primary data.

  • Filtering Options: Operations and data points can be filtered in the audit log data.

  • Encryption: Logs are encrypted at rest.

  • Retention Period: Default retention is 30 days.

Audit logs are not intended for data restoration and do not contain sensitive information.

Data Backup

LoginRadius implements a robust data backup strategy to ensure high data availability and business continuity. This backup system protects customer data from loss or corruption due to unforeseen events such as system failures, disasters, or accidental deletion. The platform automatically creates frequent backups, minimizing the risk of data loss and enabling efficient recovery in emergencies.

  • Backup Policy:

    • Complies with international standards like ISO 27001 and SOC 2.

    • No customer action required to schedule backups; LoginRadius handles this.

  • Backup Scope & Schedule:

    • All customer data is backed up with no exceptions.

    • Backup schedules:

      • Incremental Backups: Every 6 hours

      • Daily Full Backups: Every 24 hours

      • Weekly Full Backups: Every 7 days

  • Backup Methods & Data Formats:

    • Both incremental and full backups of the database.

    • Backups are protected from unauthorized access, and activity/event logs are maintained.

  • Backup Location:

    • Stored in the same location as the original data to comply with various regulations.

  • Backup Integrity:

    • Automated backup process with integrity checks.

    • Alerts are sent if inconsistencies are detected.

    • Manual verification ensures that backups are consistent and healthy.

  • Backup Data Retention:

    • The default retention period for backup data is 90 days.

    • Customers can extend this period by contacting their account manager if internal policies or regulations require it.

    • LoginRadius reserves the right to delete backup copies beyond the retention period without recovery options.

  • Backup Restore:

    • Restoration of data is only possible after the investigation of an incident.

    • Customers must contact their account manager to initiate the restore process.

    • Upon approval, the restore will be completed within 72 hours.

    • Backup copies cannot be restored without explicit customer authorization.

Security Awareness and Training

LoginRadius strongly emphasizes fostering a culture of security awareness across all levels of the organization. Comprehensive security training programs are implemented to ensure that personnel are equipped to recognize and respond to security threats. These programs are designed to raise awareness about security best practices, compliance requirements, and the latest threat landscape.

  • Semi-Annual Security and Compliance Training

  • Role-specific Privacy & Security Modules

  • Phishing Simulations and Awareness Campaigns

  • Mandatory Compliance Monitoring

Compliance with training is mandatory and monitored by our Security & Compliance Team.

Documentation and Vault Access

Our full compliance documentation — including ISO certificates, SOC 2 reports, and audit summaries — is securely maintained on our Trust Center.

To request access:

  • Contact your LoginRadius Customer Success Manager

  • Submit a request via our Trust Center.

Continuous Improvement

LoginRadius is committed to continuously enhancing its security and compliance practices to stay ahead of emerging threats and meet our customers' evolving needs. By proactively monitoring regulatory changes, engaging with the security community, and implementing audit findings, we ensure that our platform remains secure, compliant, and reliable.

  • Monitoring changes in global regulations

  • Participating in industry forums

  • Soliciting feedback from security researchers and customers

  • Implementing findings from internal and external audits