lock Legal

Security Policy

How we protect your data, our infrastructure, and what to do if you discover a vulnerability.

update Last updated: May 15, 2025
verified_user

TLS 1.3

All traffic encrypted

encrypted

AES-256

Data at rest

shield

99.9% SLA

Uptime guarantee

1. Our Commitment

Security is a core part of how Licentra is built and operated. We are committed to protecting your data, your customers' data, and the integrity of our platform through industry-standard practices and continuous improvement.

This document describes our technical and organizational security measures. We review and update our security practices regularly to address new threats and vulnerabilities.

2. Infrastructure Security

2.1 Cloud Hosting

Licentra runs on enterprise-grade cloud infrastructure with physical security, redundancy, and 24/7 monitoring. Our servers are hosted in ISO 27001-certified data centers.

2.2 Network Security

  • All services sit behind a Web Application Firewall (WAF) that filters malicious traffic
  • DDoS protection is active at the network edge
  • Private internal network — databases are never publicly exposed
  • Firewall rules enforced at both the network and application levels
  • Intrusion Detection System (IDS) monitoring for anomalous activity

2.3 High Availability

  • Multi-region deployment with automatic failover
  • Automated daily backups with 30-day retention
  • Database replicas for read scaling and disaster recovery
  • 99.9% uptime SLA — status available at status.licentra.com

3. Encryption

We apply encryption throughout our stack to ensure your data is protected both in transit and at rest:

LayerMethodDetails
Data in TransitTLS 1.3All HTTP traffic encrypted. TLS 1.0 and 1.1 are disabled.
Data at RestAES-256Database volumes, backups, and uploaded files all encrypted.
PasswordsbcryptCost factor 12. Passwords are never stored in plain text.
License KeysRSA-2048License tokens are cryptographically signed and verified.
API TokensSHA-256API keys are hashed before storage.

4. Access Control

4.1 Internal Access

  • Principle of least privilege — employees only have access to systems they need
  • All internal access to production systems requires Multi-Factor Authentication (MFA)
  • Access reviews are conducted quarterly
  • All access to production data is logged and audited

4.2 User Access

  • Role-based access control (RBAC) for organization members
  • Sessions expire after inactivity and on logout
  • We support and recommend enabling MFA on your account
  • Suspicious login attempts trigger email alerts

5. Application Security

5.1 Secure Development

Our development process incorporates security at every stage:

  • OWASP Top 10 mitigations applied throughout the codebase
  • Parameterized queries to prevent SQL injection
  • Input validation and output encoding to prevent XSS
  • CSRF tokens on all state-changing requests
  • Rate limiting on authentication endpoints to prevent brute-force attacks
  • Dependency scanning for known vulnerabilities (automated)

5.2 API Security

  • All API endpoints require authentication via API key or OAuth token
  • Rate limiting enforced per plan tier
  • API keys can be rotated or revoked at any time from your dashboard
  • Webhook payloads are signed with HMAC-SHA256 for verification

6. License Validation Security

License keys in Licentra are designed to be tamper-proof and verifiable:

  • License tokens are signed with RSA-2048 private keys — only our servers can generate valid signatures
  • Periodic heartbeat validation prevents offline use beyond the configured grace period
  • Domain and IP locking binds licenses to specific environments
  • Activation limits are enforced at the API level — cannot be bypassed client-side
  • Revoked licenses are invalidated immediately across all active sessions
verified

Enterprise-grade license security

Even if an attacker intercepts a license validation request, they cannot forge a valid response without our RSA private key, which never leaves our secure key management system.

7. Audits & Monitoring

  • 24/7 automated monitoring and alerting on all systems
  • Security logs retained for 12 months
  • Annual third-party penetration testing
  • Automated vulnerability scanning on every code deployment
  • Regular review of dependencies for known CVEs

8. Incident Response

In the event of a security incident affecting your data, we will:

  • Notify affected users by email within 72 hours of discovery
  • Provide a clear description of what happened, what data was affected, and what steps we have taken
  • Work with affected users to mitigate any impact
  • Publish a post-incident report for significant incidents

We maintain a dedicated incident response team that is on-call 24/7.

9. Responsible Disclosure

We welcome reports from security researchers. If you discover a vulnerability in Licentra, please report it responsibly:

bug_report Email: [email protected]
chat_bubble WhatsApp: +20 102 096 6303

Please include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact you believe it could have
  • Any supporting screenshots, logs, or proof-of-concept code

We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it (typically 90 days). We will acknowledge your report within 48 hours and keep you informed of our progress. We offer recognition for valid, responsibly disclosed vulnerabilities.

10. Contact

For security-related inquiries or to report a vulnerability:

Chat on WhatsApp
call +20 102 096 6303