Security Overview

Last updated: 12 February 2026

Security Commitment

LoomAPI is committed to maintaining the highest standards of security to protect our customers' data and ensure the integrity of our verification services. Security is fundamental to our service and is integrated into every aspect of our operations.

This document provides an overview of our security practices, controls, and compliance measures.

Data Protection

Zero ID Storage

LoomAPI does not store ID documents or biometrics. Verification is powered by Veriff; results are returned as signed tokens (JWT) and via webhooks. We retain only verification metadata and short-lived tokens.

  • Raw verification evidence and ID document images are not stored
  • Biometric templates and face data are not stored
  • Signed age tokens (JWT) are issued for access control; no raw PII in tokens
  • Webhooks deliver results with signature verification and automatic retries

Encryption

  • In Transit: All data is encrypted using TLS 1.2 or higher
  • At Rest: Sensitive data is encrypted using industry-standard encryption
  • Database: Database connections use SSL/TLS encryption
  • Backups: All backups are encrypted

Access Controls

We implement strict access controls to protect our systems and data:

  • Authentication: Multi-factor authentication (MFA) required for all administrative access
  • Authorization: Role-based access control (RBAC) with principle of least privilege
  • API Keys: Secure API key generation and rotation policies
  • Session Management: Secure session handling with appropriate timeouts
  • Audit Logging: All access to sensitive systems is logged and monitored

Infrastructure Security

Network Security

  • Firewall rules and network segmentation
  • DDoS protection and mitigation
  • Intrusion detection and prevention systems
  • Regular security scanning and vulnerability assessments

Hosting and Infrastructure

  • Cloud infrastructure with industry-leading security
  • Regular security updates and patches
  • Disaster recovery and backup procedures
  • High availability and redundancy

Application Security

Our application security practices include:

  • Veriff-powered age verification; no direct storage of ID or biometric data
  • Signed age tokens (JWT) and webhook signature verification (HMAC-SHA256)
  • Rate limiting and quotas per API key; HTTP 429 responses with a Retry-After header when a limit is exceeded
  • Secure coding practices, input validation, and dependency updates
  • Error handling that does not expose sensitive information
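The webhook signature verification listed above (HMAC-SHA256) is something each customer endpoint has to implement on its side. The following is an added example, not LoomAPI's own code: it assumes a header named X-Loom-Signature with the shape "t=<unix-ts>,v1=<hex-hmac>" and a MAC computed over "<timestamp>.<raw body>"; the header name, layout, secret and 300-second tolerance are all assumptions, since this page does not document the wire format.

```python
import hmac
import hashlib
import json
import time
from typing import Optional

# Assumed wire format (not documented on this page): header "X-Loom-Signature"
# carries "t=<unix-ts>,v1=<hex-hmac>", where the HMAC-SHA256 is taken over
# "<unix-ts>.<raw-body>" with the shared webhook secret. Tolerance is our choice.
TOLERANCE_SECONDS = 300


def sign_payload(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Build a signature header value; used here only to construct sample deliveries."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_webhook(secret: bytes, header: str, raw_body: bytes,
                   now: Optional[int] = None) -> bool:
    """Return True only if the MAC matches and the timestamp is within tolerance.

    Verify over the raw bytes exactly as received, before JSON parsing:
    re-serialising can reorder keys or change whitespace and break the MAC.
    """
    now = int(time.time()) if now is None else now
    fields = dict(part.split("=", 1) for part in header.split(",") if "=" in part)
    try:
        ts = int(fields["t"])
        presented = fields["v1"]
    except (KeyError, ValueError):
        return False
    # Reject stale or future-dated deliveries so a captured request cannot be replayed.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak how many leading chars matched.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample delivery; secret and body are made up for this example.
    secret = b"whsec_example_not_real"
    body = json.dumps({"verification_id": "ver_123", "status": "approved"}).encode()
    header = sign_payload(secret, 1_700_000_000, body)
    print(verify_webhook(secret, header, body, now=1_700_000_100))         # True
    print(verify_webhook(secret, header, body + b" ", now=1_700_000_100))  # False: body altered
    print(verify_webhook(secret, header, body, now=1_700_001_000))         # False: stale
```

Because deliveries are retried automatically, a verified event may still arrive more than once; deduplicate on the event identifier before acting on it.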

Monitoring and Incident Response

Monitoring

  • 24/7 system monitoring and alerting
  • Log aggregation and analysis
  • Anomaly detection
  • Performance monitoring

Incident Response

  • Documented incident response procedures
  • Rapid detection and response capabilities
  • Customer notification procedures
  • Post-incident review and improvement

Compliance

We design our systems with data protection and security in mind and aim to align with applicable regulations such as UK GDPR and other relevant data protection laws. We do not make representations about specific certifications unless we have obtained them and stated so explicitly.

We regularly review and update our security practices to address evolving threats and regulatory expectations.

Third-Party Security

We work with trusted third-party service providers:

  • Veriff: Age verification provider; verification runs on Veriff's systems, and we do not store ID or biometric data
  • Stripe: Payment processing and billing
  • Hosting Providers: Enterprise-grade cloud infrastructure; encryption in transit

All third-party integrations are reviewed for security and compliance before implementation.

Security Best Practices for Customers

To maintain security when using LoomAPI:

  • Keep API keys secure and rotate them regularly
  • Use HTTPS for all API requests
  • Implement proper error handling
  • Monitor your usage and set up alerts for anomalies
  • Follow security best practices for your application
  • Report security issues to founder@loomapi.com

Vulnerability Disclosure

We take security vulnerabilities seriously. If you discover a security issue, please:

  • Email founder@loomapi.com with details
  • Provide a detailed description of the vulnerability
  • Allow us reasonable time to address the issue before public disclosure
  • Follow responsible disclosure practices

We appreciate security researchers who help us improve our security and will acknowledge responsible disclosures.

Security Updates

We regularly update our security practices and will notify customers of significant security changes. This document is reviewed and updated periodically to reflect our current security posture.

Contact

For security-related questions or to report security issues: founder@loomapi.com.