
Security

Security at Locale

We treat security as a first-class feature. Here's how we protect your data.

Last updated: 12 March 2026

Continuous monitoring
Audit-ready evidence
Encryption at rest
Data residency

Encryption

In transit

All data between clients and our servers is encrypted using TLS 1.3. We enforce HSTS and reject older protocol versions.

At rest

Databases, file storage, and backups are encrypted with AES-256. Encryption keys are rotated quarterly and stored in a separate key management service.

Secrets management

API keys, credentials, and service tokens are stored in a dedicated secrets vault — never in environment variables or code repositories.

Infrastructure

Compliance posture

Our architecture is built around continuous control monitoring and audit-ready evidence collection. Our own controls are audited annually by an independent assessor.

Network segmentation

Production systems are isolated in private VPCs. Databases and internal services have no direct public internet access.

DDoS protection

All endpoints sit behind enterprise-grade DDoS mitigation with automatic traffic scrubbing and rate limiting.

Application security

Dependency scanning

All dependencies are automatically scanned for CVEs on every commit. Critical vulnerabilities trigger immediate patching with an SLA of less than 24 hours.

Code review

Every change requires peer review. Security-sensitive paths (auth, billing, data export) require a second review from the security team.

Penetration testing

We conduct annual penetration tests with a third-party security firm and remediate all critical and high findings before each test closes.

Responsible disclosure

If you discover a security vulnerability, please report it to us privately at security@localeapp.io. We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it.

We will acknowledge your report within 24 hours, keep you informed of our progress, and credit you in our security advisories if you wish. We do not pursue legal action against researchers acting in good faith.

DemoUI kit preview — content is fictional.