Security

Security is foundational to everything we build at LOQATE. Fleet data is sensitive by nature - it includes real-time vehicle positions, trip history, and operational patterns. We treat this data with the care it deserves.

This page outlines the measures we take to protect your data and the platform itself. If you have specific security questions or need to report a vulnerability, please contact security@loqate.zone.

Our platform runs on hardened infrastructure with network-level isolation between services. All inter-service communication uses encrypted channels.

Databases are encrypted at rest and access is restricted to authorised services only. Backups are encrypted and stored in geographically separate locations.

We use Cloudflare for edge security, DDoS protection, and CDN services across all public-facing endpoints.

All data in transit is encrypted using TLS 1.2 or higher. This includes telemetry data from GPS devices, API communications, and dashboard access.

Data at rest is encrypted using AES-256 across all storage systems, including PostgreSQL databases, Redis instances, and object storage.

User authentication supports passwordless OTP login and WebAuthn passkeys, eliminating the risks associated with password-based authentication.

All API access is authenticated via signed JWT tokens with short expiry windows. Session management uses secure, HTTP-only cookies.

Access to production systems is restricted to authorised personnel and requires multi-factor authentication. All access is logged and auditable.

LOQATE is a multi-tenant platform with strict data isolation between organisations. Each team's data is scoped at the database level, ensuring that one customer's data is never accessible to another.

Role-based access control (Owner, Admin, Member) allows you to manage who in your organisation can access and modify fleet data.

GPS devices communicate with our platform over authenticated TCP connections. Each device is identified by its IMEI and must be whitelisted before telemetry is accepted.

Telemetry packets are validated against the expected protocol format with CRC verification to detect tampering or corruption in transit.

We monitor our systems around the clock for anomalies, performance degradation, and security events. Alerting is configured across all critical services.

We have documented incident response procedures and aim to notify affected customers within 72 hours of confirming a data breach, in line with GDPR requirements.

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it to security@loqate.zone.

We ask that you give us reasonable time to investigate and address the issue before making any public disclosure. We will not take legal action against researchers who follow responsible disclosure practices.

We are committed to complying with applicable data protection regulations, including the UK GDPR and the Data Protection Act 2018.

We regularly review our security practices and are working towards formal certifications. If you require specific compliance documentation, please contact us.