Security & Compliance

Your people data is sensitive. We protect it with enterprise-grade security, SOC 2 Type II controls, and a zero-compromise approach to privacy.

SOC 2 Type II
256-bit AES Encryption
Microsoft Azure Hosted
Tenant Isolation
INDEPENDENTLY AUDITED

SOC 2 Type II Aligned

Lookio has completed SOC 2 Type II certification, the gold standard for SaaS security. Our controls are independently audited to verify we meet rigorous standards for protecting your data — not just at a point in time, but continuously.

Security
Availability
Processing Integrity
Confidentiality
Privacy

How we protect your data

Multiple layers of security from infrastructure to application.

Encryption Everywhere

All data is encrypted both in transit and at rest.

  • TLS 1.3 for all data in transit
  • AES-256 encryption at rest via Azure SQL TDE
  • Application-layer encryption for sensitive fields (SSNs)
  • Azure Key Vault for secret management

Tenant Isolation

Your data is logically separated from every other customer.

  • Row-level security via Entity Framework global query filters
  • Tenant-scoped authorization on every API request
  • Isolated storage and connection boundaries
  • No cross-tenant data leakage by design
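The "row-level security via Entity Framework global query filters" bullet names a concrete mechanism. The following is an added example written here to illustrate that pattern; it is not Lookio's code, and the types it uses (ITenantProvider, TenantEntity, Employee, PeopleDbContext) are hypothetical. It assumes the current tenant is resolved from the authenticated principal and that writes, which a query filter does not cover, are guarded separately in SaveChanges.

```csharp
// Added example, not Lookio's code: tenant scoping with an EF Core global query filter.
// Hypothetical types: ITenantProvider, TenantEntity, Employee, PeopleDbContext.
using System;
using Microsoft.EntityFrameworkCore;

public interface ITenantProvider
{
    // Resolved from the authenticated principal (e.g. a tenant claim), never from
    // client-supplied query parameters or request bodies.
    Guid CurrentTenantId { get; }
}

public abstract class TenantEntity
{
    public int Id { get; set; }
    public Guid TenantId { get; set; }
}

public class Employee : TenantEntity
{
    public string Name { get; set; } = "";
    public string Division { get; set; } = "";
}

public class PeopleDbContext : DbContext
{
    private readonly ITenantProvider _tenant;

    public PeopleDbContext(DbContextOptions<PeopleDbContext> options, ITenantProvider tenant)
        : base(options) => _tenant = tenant;

    // EF Core requires the filter to reference a member of the DbContext so that it is
    // evaluated per context instance (per request) rather than fixed once in the model.
    private Guid CurrentTenantId => _tenant.CurrentTenantId;

    public DbSet<Employee> Employees => Set<Employee>();

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        // Every LINQ query over Employee is rewritten to include
        // WHERE TenantId = @currentTenant, so a forgotten .Where() cannot return another
        // tenant's rows. Only code that explicitly calls IgnoreQueryFilters() bypasses
        // the filter, which makes that method name a review checkpoint.
        modelBuilder.Entity<Employee>()
            .HasQueryFilter(e => e.TenantId == CurrentTenantId);

        // The filter is applied on every query, so the column must be indexed.
        modelBuilder.Entity<Employee>().HasIndex(e => e.TenantId);
    }

    public override int SaveChanges()
    {
        // Reads are covered by the filter; writes need their own guard. Stamp new rows
        // with the caller's tenant and refuse updates or deletes aimed at another tenant.
        foreach (var entry in ChangeTracker.Entries<TenantEntity>())
        {
            if (entry.State == EntityState.Added)
            {
                entry.Entity.TenantId = CurrentTenantId;
            }
            else if ((entry.State == EntityState.Modified || entry.State == EntityState.Deleted)
                     && entry.Entity.TenantId != CurrentTenantId)
            {
                throw new UnauthorizedAccessException("Cross-tenant write rejected.");
            }
        }
        return base.SaveChanges();
    }
}

// Usage: with the filter in place, this returns only the caller's tenant's rows.
// var westCoast = db.Employees.Where(e => e.Division == "US West").ToList();
```

The filter handles the common failure (a query that forgets the tenant predicate); the SaveChanges override handles the less obvious one (a write that changes TenantId or targets a row loaded with filters disabled). Both belong together, because a read-side filter alone says nothing about what the application is allowed to write.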

Authentication & Access

Enterprise-grade identity management with flexible sign-in options.

  • OpenID Connect / OAuth 2.0 with Entra ID SSO
  • Passwordless OTP email login with SHA-256 hashed codes
  • 38 granular permissions across 4 role levels
  • Admin-enforced SSO-only mode per tenant
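The "passwordless OTP email login with SHA-256 hashed codes" bullet describes a specific design. This is an added example of that design, written here for illustration; it is not Lookio's code, and the OtpChallenge and EmailOtp types, the ten-minute lifetime and the five-attempt cap are assumptions, not values the page states.

```csharp
// Added example, not Lookio's code: storing an emailed one-time code as a SHA-256 hash and
// verifying it without ever persisting the plaintext. Hypothetical types: OtpChallenge, EmailOtp.
using System;
using System.Security.Cryptography;
using System.Text;

public sealed class OtpChallenge
{
    public string Email { get; init; } = "";
    public byte[] CodeHash { get; init; } = Array.Empty<byte>();
    public DateTimeOffset ExpiresAt { get; init; }
    public int FailedAttempts { get; set; }
}

public static class EmailOtp
{
    // Assumed policy values; the page does not state the real ones.
    private const int MaxFailedAttempts = 5;
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(10);

    // Returns the plaintext code (emailed once, never stored) and the record kept server-side.
    public static (string Code, OtpChallenge Challenge) Issue(string email)
    {
        // CSPRNG rather than System.Random; "D6" keeps leading zeros so codes are always 6 digits.
        string code = RandomNumberGenerator.GetInt32(0, 1_000_000).ToString("D6");
        string normalized = Normalize(email);
        var challenge = new OtpChallenge
        {
            Email = normalized,
            CodeHash = Hash(normalized, code),
            ExpiresAt = DateTimeOffset.UtcNow + Lifetime,
        };
        return (code, challenge);
    }

    public static bool Verify(OtpChallenge challenge, string email, string submittedCode)
    {
        // A 6-digit space has only 10^6 values, so the hash by itself is not a long-term
        // secret; the short lifetime and the attempt cap carry the protection on the online path.
        if (DateTimeOffset.UtcNow > challenge.ExpiresAt) return false;
        if (challenge.FailedAttempts >= MaxFailedAttempts) return false;

        // Constant-time comparison of the hashes, not string equality on the digits.
        bool ok = CryptographicOperations.FixedTimeEquals(
            challenge.CodeHash, Hash(Normalize(email), submittedCode));
        if (!ok) challenge.FailedAttempts++;
        return ok;
    }

    // Binding the hash to the address means a code issued for one account cannot be replayed
    // against another account's challenge, even if both were issued the same digits.
    private static byte[] Hash(string email, string code) =>
        SHA256.HashData(Encoding.UTF8.GetBytes(email + "\n" + code));

    private static string Normalize(string email) => email.Trim().ToLowerInvariant();
}
```

The point of hashing the code is that a read of the challenge table does not hand out usable codes; the point of the expiry and attempt counter is that guessing through the login form is bounded. Neither replaces the other.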

Regional Access Control

Division-based employee visibility so regional teams only see their people.

  • Opt-in regional scoping by Division (US West, Canada, etc.)
  • Managers see direct reports, HR sees their division, admins see all
  • Field-level masking: SSN, salary, and personal data hidden by role
  • 4 data classification levels: Public, Internal, Confidential, Restricted

Audit Logging & Monitoring

Complete audit trail of every action in the system.

  • Immutable audit logs for all data changes
  • User activity tracking with timestamps
  • Optimistic concurrency control (ETag-based)
  • Exportable logs for your compliance team

Infrastructure Security

Built on Microsoft Azure with enterprise protections.

  • Azure App Service with managed TLS certificates
  • Azure Front Door for DDoS protection & WAF
  • Azure SQL Database with automated backups
  • GitHub Actions CI/CD with protected deployments

Business Central Integration Security

Secure OAuth 2.0 delegated access to Dynamics 365.

  • User-delegated OAuth via MSAL (no stored passwords)
  • Encrypted refresh token storage
  • Least-privilege API scopes
  • No middleware — direct native API connection

Compliance at a glance

Key details about our security and compliance posture.

SOC 2 Type II
Independently audited. Report available to customers and prospective customers under NDA. Covers Security, Availability, Processing Integrity, Confidentiality, and Privacy trust service criteria.
Data Residency
All customer data is hosted in Microsoft Azure data centers in the United States. Enterprise customers may request specific Azure regions.
Data Encryption
TLS 1.3 in transit, AES-256 at rest. Sensitive PII fields (Social Security numbers, banking details) receive an additional layer of application-level encryption.
Backup & Recovery
Automated daily backups with 30-day retention. Point-in-time restore capability. Geo-redundant storage for disaster recovery with less than 1-hour RPO.
Uptime SLA
99.9% uptime guarantee on Enterprise plans. Real-time status monitoring. Planned maintenance windows communicated 72 hours in advance.
Data Retention & Deletion
Customer data is retained for the duration of the subscription. Upon cancellation, data is available for export for 30 days, then permanently deleted. Deletion requests are processed within 72 hours.
Incident Response
Documented incident response plan with defined severity levels. Security incidents are communicated to affected customers within 24 hours. Post-incident reviews are conducted for all Severity 1 events.
Vulnerability Management
Regular dependency scanning and patching. Automated security testing in CI/CD pipeline. Third-party penetration testing conducted annually.
Access Control
Division-based regional scoping restricts employee visibility by location. Field-level data classification (Public, Internal, Confidential, Restricted) masks sensitive fields like SSN and salary from unauthorized roles. 33 default rules per tenant, configurable by admins.
Employee Security
Background checks for all employees with access to production systems. Security awareness training conducted quarterly. Principle of least privilege enforced across all internal systems.

Request Security Documentation

We're happy to share our Security Overview, SOC 2 readiness report, and additional documentation with prospective and current customers.


Trusted by HR teams with sensitive data

Start your free 14-day trial. Your data is secure from day one.
