Security

Security at Lorrano is infrastructure-first, not checkbox-first. We do not have a security team with a branded landing page and a trust center PDF. We have engineers who build the platform securely from the ground up and treat every component as potentially hostile.

This page describes what we do, how we do it, and how to report issues.

Infrastructure

Network

  • Cloudflare sits in front of every public endpoint. All traffic flows through Cloudflare's global network before reaching our servers. This provides DDoS protection, Web Application Firewall (WAF), bot management, and TLS termination at the edge.
  • Firewall rules restrict origin server access to Cloudflare's IP ranges only. Direct access to our servers by IP address is blocked. There is no way to bypass Cloudflare and reach our infrastructure directly.
  • Internal services communicate over a private VPC (Virtual Private Cloud) network. The API server, database, cache, and video generation workers are not exposed to the public internet.
  • DNS is managed through Cloudflare with DNSSEC enabled.

Hosting

  • DigitalOcean provides our compute, storage, and managed database infrastructure. All resources are deployed in a single region with private networking.
  • No shared hosting. Every Lorrano service runs on dedicated compute instances, not shared tenants.
  • Containers are the deployment unit. All services run in Docker containers with read-only filesystems, dropped capabilities, and no-new-privileges security options.

Encryption

Layer             | Standard
Data in transit   | TLS 1.3 (HTTPS everywhere, no exceptions)
Data at rest      | AES-256 (database, object storage, backups)
Feed credentials  | Envelope encryption with dedicated key management
OAuth tokens      | Encrypted at rest, stored separately from account data
Backups           | Encrypted with separate keys from production data

We enforce HSTS (HTTP Strict Transport Security) with a max-age of 2 years, includeSubDomains, and preload. Downgrade attacks from HTTPS to HTTP are not possible.

Authentication and Access Control

Customer-facing

  • Password hashing uses bcrypt with a work factor that makes brute-force attacks computationally infeasible.
  • Session management uses secure, HTTP-only, SameSite cookies with a 7-day expiration. Sessions are invalidated on password change.
  • OAuth integrations (Meta, TikTok, Google) use the platform's standard OAuth 2.0 flow with scoped permissions. We request only the minimum permissions needed to post videos. We do not request access to private messages, personal profiles, or analytics data beyond what's needed for posting confirmation.

Internal

  • SSH key authentication only. Password-based SSH is disabled on all servers.
  • VPN required for administrative access. No production system is accessible without VPN.
  • Role-based access control. Engineers have access only to the systems they work on. Database access requires explicit approval and is logged.
  • No shared credentials. Every team member has individual credentials. Service accounts use scoped, rotatable tokens.

Application Security

Code

  • Dependency scanning runs on every pull request. Known vulnerabilities in dependencies are flagged before merge.
  • Static analysis checks for common vulnerability patterns (injection, XSS, CSRF, insecure deserialization).
  • Code review is required for every change. No code reaches production without at least one review from another engineer.
  • No secrets in code. All credentials, API keys, and tokens are stored in environment variables or encrypted secret stores. Secrets are never committed to version control.

API

  • Input validation on all API endpoints. All user input is validated, sanitized, and type-checked before processing.
  • Rate limiting prevents abuse. Excessive requests return 429 (Too Many Requests) with a Retry-After header.
  • CSRF protection on all state-changing endpoints using anti-CSRF tokens.
  • CORS is configured to allow only lorrano.com origins. Cross-origin requests from other domains are rejected.
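As an added illustration, not Lorrano's own code, the checker below evaluates three of the controls described above against constructed sample values: the HSTS header from the Encryption section (2-year max-age, includeSubDomains, preload), the customer-facing session cookie (Secure, HttpOnly, SameSite, 7-day expiration), and the lorrano.com-only CORS origin rule. It assumes the cookie lifetime is expressed as Max-Age and that only https origins on lorrano.com or its subdomains count as allowed.

```python
# Added example, not Lorrano's own code: checks for the header-level controls
# this page describes, run against constructed sample values.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

TWO_YEARS = 2 * 365 * 24 * 3600   # 63072000 s, the HSTS max-age the page states
SEVEN_DAYS = 7 * 24 * 3600        # 604800 s, the session lifetime the page states

def check_hsts(value):
    """Findings for a Strict-Transport-Security value; empty list means compliant."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        directives[name.lower()] = arg.strip()
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["max-age missing or not an integer"]
    findings = []
    if max_age < TWO_YEARS:
        findings.append(f"max-age {max_age} is below 2 years ({TWO_YEARS})")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing")
    if "preload" not in directives:
        findings.append("preload missing")
    return findings

def check_session_cookie(set_cookie_value):
    """Findings for a Set-Cookie value: Secure, HttpOnly, SameSite, 7-day cap."""
    # Assumption: the 7-day expiration is carried in Max-Age rather than Expires.
    cookie = SimpleCookie()
    cookie.load(set_cookie_value)
    findings = []
    for name, morsel in cookie.items():
        if not morsel["secure"]:      # flag attributes parse to True when present, "" otherwise
            findings.append(f"{name}: Secure flag missing")
        if not morsel["httponly"]:
            findings.append(f"{name}: HttpOnly flag missing")
        if morsel["samesite"].lower() not in ("lax", "strict"):
            findings.append(f"{name}: SameSite must be Lax or Strict")
        if morsel["max-age"] == "" or int(morsel["max-age"]) > SEVEN_DAYS:
            findings.append(f"{name}: Max-Age missing or longer than 7 days")
    return findings

def origin_allowed(origin):
    """CORS rule: only https origins whose hostname is lorrano.com or a subdomain of it."""
    parts = urlsplit(origin)
    host = parts.hostname or ""   # suffix-match the parsed host, so lorrano.com.example is rejected
    return parts.scheme == "https" and (host == "lorrano.com" or host.endswith(".lorrano.com"))
```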

Video Generation

  • Inventory photos are accessed from your existing feed URLs, the same URLs used by AutoTrader and Cars.com. We process them in memory during video generation. Original photos are not permanently stored on our servers.
  • Generated videos are stored in encrypted object storage (DigitalOcean Spaces) with access controls. Videos are accessible only through authenticated dashboard sessions or via direct download links that require a valid session.
  • AI-generated music is composed per-video and does not contain or derive from copyrighted material.

Data Protection

What we store

Data                             | Encryption                          | Retention                              | Access
Account info (name, email)       | AES-256 at rest                     | Duration of account + 30 days          | Account holder, support (with auth)
Payment info                     | Handled by Stripe (PCI DSS Level 1) | Managed by Stripe                      | Stripe only
Inventory feed credentials       | Envelope encryption                 | Duration of account                    | Service only (automated sync)
OAuth tokens (social platforms)  | AES-256 at rest, separate storage   | Duration of connection                 | Service only (automated posting)
Generated videos                 | AES-256 at rest                     | 90 days, then deleted                  | Account holder
Usage analytics                  | Aggregated after 12 months          | 12 months individual, then anonymized  | Internal analytics

What we do not store

  • Credit card numbers (Stripe handles this)
  • Personal data of car buyers or dealership customers
  • CRM or DMS financial data
  • Browsing history or cross-site tracking data
  • Biometric data

Data deletion

When you delete your account, all associated data is permanently deleted within 30 days, including:

  • Account information
  • Feed credentials
  • OAuth tokens
  • Generated videos
  • Usage data

Exceptions: payment records are retained for 7 years as required by tax law. These records contain only transaction amounts, dates, and the last four digits of the payment card.

Incident Response

Process

  1. Detection - Automated monitoring and alerting covers all critical systems 24/7. We monitor for unauthorized access attempts, unusual traffic patterns, API errors, and infrastructure anomalies.
  2. Containment - Upon detecting a security incident, the first priority is containment. Affected systems are isolated and access is restricted.
  3. Notification - If a data breach affects your information, we will notify you within 72 hours via email. The notification will include what happened, what data was affected, and what we are doing about it.
  4. Investigation - Every security incident is investigated to determine root cause, scope, and impact.
  5. Remediation - Vulnerabilities are patched. Process improvements are implemented. A post-mortem is written and shared with affected parties.
  6. Disclosure - Material security incidents are documented publicly on our status page after investigation is complete.

Track record

As of the date of this page, Lorrano has not experienced a data breach or security incident resulting in unauthorized access to customer data.

Responsible Disclosure

We welcome security researchers who find vulnerabilities in our systems. If you discover a security issue, please report it responsibly.

How to report

Email: [email protected]

Include:

  • A description of the vulnerability
  • Steps to reproduce
  • The potential impact
  • Your contact information (optional, but helpful if we need clarification)

What to expect

  • Acknowledgment within 24 hours
  • Initial assessment within 72 hours
  • Resolution timeline communicated once we understand the scope
  • Credit in our security acknowledgments (if you want it)

Rules of engagement

  • Do not access, modify, or delete data that does not belong to you
  • Do not perform denial-of-service attacks
  • Do not social engineer our employees
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to fix it (we ask for 90 days)
  • Do not use automated scanning tools against production systems without prior written approval

What is in scope

  • lorrano.com and all subdomains
  • The Lorrano dashboard and API
  • Authentication and session management
  • Data access controls

What is out of scope

  • Third-party services we integrate with (Meta, TikTok, Google, Stripe) - report those to the respective providers
  • Denial of service attacks
  • Social engineering
  • Physical security
  • Findings from automated scanners without demonstrated impact

Safe harbor

We will not pursue legal action against security researchers who:

  • Act in good faith
  • Follow the rules above
  • Report findings privately and responsibly

Compliance

Standards we follow

  • SOC 2 Type II - in progress. Expected completion Q3 2026.
  • PCI DSS - payment processing is handled by Stripe, which is PCI DSS Level 1 certified. Lorrano does not store, process, or transmit cardholder data.
  • GDPR - we process data under Standard Contractual Clauses (SCCs) for international transfers. See our Data Processing Agreement.
  • CCPA/CPRA - we do not sell personal information. See our Privacy Policy.

What we do not claim

We are not ISO 27001 certified. We are not HIPAA compliant (we do not handle health data). We are not FedRAMP authorized (we do not serve government agencies). We do not list certifications we do not have.

Vendor Security

Key vendors

Vendor        | Security posture
DigitalOcean  | SOC 2 Type II, ISO 27001, PCI DSS
Cloudflare    | SOC 2 Type II, ISO 27001, PCI DSS, FedRAMP
Stripe        | PCI DSS Level 1, SOC 2 Type II
Meta          | ISO 27001, SOC 2
Google        | SOC 2 Type II, ISO 27001, FedRAMP

We evaluate vendor security posture annually and when making changes to our infrastructure.

Questions

If you have security questions, need documentation for your vendor assessment, or want to discuss Lorrano's security posture:

Email: [email protected]

We are happy to answer questionnaires, join calls with your IT team, or provide documentation for your procurement process.

Last reviewed: April 2026

Lorrano, Inc. (c) 2026. All rights reserved.