Security
Effective March 13, 2026. This page describes security practices for hindsight, a product of Laos Holdings, LLC doing business as hindsight.
Encryption
- Data in transit: Production traffic uses HTTPS with TLS 1.2 or higher. Our host, Render, provides managed TLS certificates and redirects HTTP to HTTPS for web services (Render TLS documentation).
- Data at rest: Render states it applies encryption at rest for databases, backups, and secrets, with a minimum of AES-128 (Render encryption overview). We do not operate separate customer-managed disk encryption beyond this platform layer.
Hosting & Infrastructure
- Hosted on Render in the United States
- Oregon (US West) region
Access & Authentication
- Passwordless sign-in with email one-time codes: you confirm access using a short-lived code we send to your inbox (two-step verification). We do not offer authenticator-app or security-key MFA today.
- Role-based access controls within organizations
Incident Response
In the event of a confirmed data breach affecting customer data, Laos Holdings, LLC will notify affected customers within 72 hours.
Responsible Disclosure
To report a security vulnerability, email security@laosholdings.com. We commit to acknowledging reports within 48 hours.
Certifications & Compliance
- SOC 2 Type II: In progress and not yet certified; contact us for current status.
- GDPR: We work with customers who need GDPR-aligned arrangements, including data subject requests. Contact us for a Data Processing Agreement (DPA) or other documentation.
- CCPA: California residents can exercise rights described in our Privacy Policy; contact us to submit requests.