Trust · Loomo

Security

This page is maintained by the Loomo team to answer common security questions. It describes controls we currently have in place — it is not an independent certification.

Authentication
Email + password with breached-password checks. Optional TOTP two-factor for customers; mandatory for all staff. Sessions are invalidated on password change.
Sensitive-action re-auth
Wallet adjustments, role grants, impersonation, refunds, and feature-flag changes require a fresh TOTP verification within the last 10 minutes.
Data protection
All traffic uses TLS 1.2+. API keys are stored as SHA-256 hashes. Payment gateway secrets are held in a managed vault and never logged.
Payments
No cardholder data touches Loomo. Payments run through PCI-compliant hosted checkout; webhook signatures are verified before any database write.
Audit logging
Every identity, wallet, order, provider, role, and admin action is written to an append-only audit log with actor, timestamp, and detail payload.
Responsible disclosure
We run a private bug-bounty program. Report vulnerabilities via/report-vulnerability or email security@loomo.app. Please give us 90 days before public disclosure.

Shared responsibility

Loomo operates the platform: authentication, backend, database, payments integration, audit logging, and monitoring. Account holders are responsible for keeping their sign-in credentials safe, enrolling 2FA, and revoking API keys that are no longer needed.

Privacy policy →