Security
Last updated: February 17, 2026
Infrastructure
Lloreno is hosted on industry-standard cloud infrastructure, with data encrypted at rest and encrypted in transit using TLS 1.2+. Our databases are deployed in private networks and are not directly accessible from the public internet.
Authentication
Passwords are hashed using bcrypt with appropriate cost factors and are never stored in plaintext. We support OAuth sign-in via Google and Apple for passwordless access. Session tokens are signed JWTs with a 7-day expiration.
Payment Security
All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Credit card numbers never touch our servers.
Data Protection
- All data in transit is encrypted via HTTPS/TLS
- Database backups are encrypted at rest
- Access to production systems is restricted and logged
- We follow the principle of least privilege for internal access
Vulnerability Reporting
If you discover a security vulnerability, please report it responsibly by emailing hello@lloreno.com. We take all reports seriously and will respond promptly. Please do not publicly disclose the issue until we have had a chance to address it.
Practices
- Dependencies are regularly audited and updated
- Code changes go through review before deployment
- Admin actions are recorded in an audit log
- We use rate limiting and input validation to prevent abuse