Security

Security review for CISOs, legal, DPOs and procurement.

Lontra protects employee data with encryption at rest and in transit, regional residency by configuration, permissions, audit logs, configurable retention and enterprise documentation available under NDA.

Architecture overview

SaaS platform with logical organization separation, access controls and logging of sensitive operations.

Hosting and data residency

Enterprise cloud hosting with regional residency configurable by contract and customer requirements.

Encryption

AES-256 at rest, TLS 1.3 in transit, with organization-level key management where applicable.

Identity and access

SAML/OIDC SSO and SCIM on Enterprise plans. Permissions aligned with the organization model.

Audit logs

Access, exports, changes and sensitive actions can be logged for compliance review.

Data retention

Retention configurable by data type, campaign and customer requirements.

AI processing

AI models structure the material but do not make HR decisions. Sensitive processing is constrained.

Sub-processors

Maintained list available under NDA, with notification before material changes.

Certifications / roadmap

Security certification and roadmap items are communicated only when validated.

Documents under NDA

Security questionnaires, diagrams, DPA, sub-processors, retention, AI note and DPIA support.

Documents available under NDA

Security questionnaire responses

Architecture diagrams

DPA template

Sub-processor list

Data retention policy

AI processing note

DPIA support pack

FAQ

Is Lontra encrypted end-to-end?

The approved public wording is: encrypted at rest and in transit. AES-256 at rest, TLS 1.3 in transit, with organization-level key management where applicable.

Where is data hosted?

Regional residency is configurable according to contract and customer requirements.

Does Lontra make HR decisions?

No. Signals are intended for qualified human review.

Which documents are available?

The security questionnaire, architecture diagrams, DPA, sub-processor list, retention policy, AI processing note and DPIA support are available under NDA.
