Security at Liwoz
Overview
At Liwoz, we take security seriously. Your data is protected by industry-standard encryption, multi-factor authentication, and secure AWS infrastructure.
1. Data Encryption
In Transit (HTTPS)
All communication between your device and Liwoz is encrypted using TLS 1.2+. We enforce HTTPS on all pages — HTTP is disabled.
At Rest (AES-256)
Sensitive data (passwords, API keys, payment information) are encrypted at rest using AES-256. Your workspace data is stored on AWS RDS (MySQL 8.0) with encryption enabled.
BYOK (Bring Your Own Key)
For Pro and Business plans: You can provide your own API keys for third-party AI services (OpenAI, Anthropic). These keys are encrypted and never visible to Liwoz staff.
2. Authentication & Authorization
Password Security
Passwords are hashed using bcrypt (industry standard). We enforce password complexity requirements (min. 8 characters).
Two-Factor Authentication (2FA)
Liwoz supports 2FA via TOTP (time-based one-time password) for all users. Super admins are required to enable 2FA.
OAuth Integration
You can log in via GitHub or GitLab. We use OAuth 2.0 standard for secure authentication. Your password is never shared with these services.
Session Management
Sessions are stored securely with httpOnly and Secure flags. Sessions expire after 30 days of inactivity.
3. Infrastructure Security
AWS Hosting
Liwoz is hosted on Amazon Web Services (AWS) in the eu-west-3 region (Paris, France). AWS provides industry-leading security with SOC 2, ISO 27001, and GDPR compliance.
Network Security
Our infrastructure uses security groups (firewalls) to restrict network access. Database access is limited to application servers only.
Backups & Disaster Recovery
Daily automated backups are taken and stored in a separate AWS region. 30-day backup retention allows recovery from data loss or ransomware.
4. Audit & Monitoring
Audit Trail
All data modifications are logged (soft deletes — data is never permanently deleted). Admin actions are tracked and logged for compliance.
Error Tracking
Errors are monitored via Sentry (with privacy mode enabled). Sensitive data is never logged.
Security Updates
We monitor Laravel, PHP, and dependency security advisories. Critical patches are applied within 24 hours.
5. Access Control
Role-Based Access Control (RBAC)
Different user roles (Super Admin, Owner, Member) have different permissions. Workspaces are isolated — one user cannot access another's workspace data.
Admin Access
Admin access is restricted to 2FA-protected accounts. All admin actions are logged.
6. Compliance
Liwoz complies with:
- GDPR: EU data protection regulation (see Privacy Policy)
- CCPA: California Consumer Privacy Act (see Privacy Policy)
- HTTPS: All traffic encrypted in transit
- AWS Security: SOC 2 Type II, ISO 27001, GDPR
- OWASP Top 10: Protection against common web vulnerabilities
7. Vulnerability Disclosure
Found a security vulnerability? Please email security@liwoz.com with details. We follow responsible disclosure and will respond within 48 hours.
Do not:
- Publicly disclose vulnerabilities before we've had time to fix them
- Attempt to gain unauthorized access to systems
- Modify or delete data (except your own test data)
- Share vulnerability details with third parties
We will acknowledge receipt, work to fix the issue, and credit you in our security advisory (if desired).
8. Security Best Practices for Users
- Enable 2FA: Set up two-factor authentication in your account settings
- Strong Passwords: Use unique, complex passwords
- Browser Security: Keep your browser and OS updated
- Phishing: Be cautious of emails claiming to be from Liwoz — we'll never ask for your password
- API Keys: Rotate API keys regularly and never share them
Questions?
For security questions: security@liwoz.com
For privacy questions: privacy@liwoz.com