Trust & Security
How we think about security
LochStudios is a single-operator business and we take that seriously: a small team means a small attack surface, but it also means we cannot rely on someone else to notice. Everything below is something we run today — not a roadmap, not aspirational.
Where your data lives
Production services run in Australian data centres. Backups are stored off-site within Australia. We do not process customer data outside Australia except where a sub-processor explicitly requires it (Stripe for card processing, Twilio for SMS, Microsoft for M365 mailboxes — each disclosed in our Privacy Policy data-processor register).
Encryption
All traffic to LochStudios is HTTPS with HSTS preloading and TLS 1.2+. Passwords are stored as Argon2id hashes. Two-factor authentication is TOTP, with optional WebAuthn for the operator account. TOTP secrets are encrypted at rest with the application key. SSL private keys you upload to the Panel are encrypted at rest and never logged in plaintext. Off-site database backups are encrypted with age using X25519 public-key encryption; the private key lives in cold storage on hardware that is not internet-connected.
Authentication and access
Two-factor authentication is offered to every customer and is mandatory for any account with an admin or staff role. Recovery codes are single-use and revoked the moment they are used. Admin sessions are short-lived; "remember this device" trust expires after 30 days. Every administrative action — by you on your own account, or by an operator on a customer account — is recorded in an immutable audit log with actor, target, before/after snapshots, IP, and user agent.
Operational security
Operator access to production hosts is via key-based SSH only — passwords are disabled. Software dependencies are tracked through Composer and reviewed for advisories on a weekly cadence; security-relevant updates are applied within 7 days of disclosure. Application errors are routed to an internal dashboard with severity-based alerting; critical errors page the operator immediately.
Incident response
If we discover a security incident affecting customer data, we notify affected customers as soon as we have a credible picture of impact — typically within 72 hours, faster where the situation allows. Notifications are sent to the email address on file and posted to the status page. Where the incident triggers Australian notifiable-data-breach requirements, we also notify the Office of the Australian Information Commissioner within the statutory window.
Responsible disclosure
If you find a security issue in a LochStudios service, please report it to security@lochstudios.com.au. We acknowledge reports within one business day, work with researchers acting in good faith without legal threat, and are happy to credit the reporter publicly once the issue is resolved (or remain quiet, your call). We do not currently operate a paid bug-bounty programme.
Compliance
We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and with the Spam Act 2003 (Cth) for any electronic messaging we send on a customer's behalf. Card processing is delegated entirely to Stripe; we are out of PCI-DSS scope as a SAQ-A merchant.
Contact
Security questions, vulnerability reports, or compliance enquiries: security@lochstudios.com.au.