Security Overview
MeetLoyd is built with enterprise security at every layer. Whether you are on Starter or Enterprise, your data is isolated, encrypted, and auditable from day one.
Growth and Enterprise users can access all security features from the Security Center in the top navigation bar -- a single hub for approvals, audit logs, SSO, SCIM, incidents, and more. Learn more about Security Center.
Security Architecture
Every request to MeetLoyd passes through three layers before it reaches your agents or data:
- Authentication -- Who are you? JWT sessions, API keys, SSO/SAML, or MFA verify identity at the door.
- Authorization -- What can you do? Role-based access control (RBAC), granular permissions, and strict tenant isolation ensure you only touch what you own.
- Audit -- What happened? Every action is logged, exportable to SIEM tools, and available for compliance review. The Audit Cockpit provides a unified investigation interface with real-time event timelines, agent interaction graphs, anomaly detection, and tamper-proof PDF export.
These layers are always active. There is no way to bypass them -- even internal platform operations go through the same pipeline.
Key Security Features
Security by Plan
| Feature | Starter | Growth | Enterprise |
|---|---|---|---|
| JWT Auth | Yes | Yes | Yes |
| API Keys | 5 | 50 | Unlimited |
| MFA/2FA | Yes | Yes | Yes |
| SSO/SAML | -- | -- | Yes |
| SCIM | -- | -- | Yes |
| Audit Logs | 30 days visible (90 days stored) | 90 days visible (180 days stored) | Unlimited |
| SIEM Export | -- | -- | Yes |
| Custom Retention | -- | -- | Yes |
| IP Allowlisting | -- | -- | Yes |
| Granular Permissions | 112 | 112 | 112 + Custom Roles |
| Custom SLAs | -- | -- | Yes |
Data Protection
Encryption
| State | Method |
|---|---|
| In Transit | TLS 1.3 |
| At Rest | AES-256-GCM (envelope encryption) |
| Secrets | AES-256 with key rotation |
| Backups | Encrypted with separate keys |
| Memory content | AES-256-GCM (embeddings stay cleartext for search) |
| Reports | AES-256-GCM with workspace Drive sync |
Envelope Encryption (Growth+)
Content encryption at rest uses a three-level envelope encryption hierarchy:
- Platform Master Key protects all tenant keys
- Tenant KEK (Key Encryption Key) wraps the data keys for each tenant
- Team/Agent DEK (Data Encryption Key) encrypts actual content
Envelope encryption is auto-triggered when you enable HIPAA or GDPR governance packs. Key rotation is instant for DEK re-wrapping, and content is re-encrypted lazily on next read. Embeddings stay cleartext because they are lossy projections that cannot reconstruct the original content -- this preserves semantic search.
KMS providers (Enterprise): AWS KMS, GCP Cloud KMS, Azure Key Vault, Local (air-gapped).
Bring Your Own Storage (Enterprise)
Enterprise customers can store business data in their own infrastructure:
| Provider | Description |
|---|---|
| AWS S3 | Primary cloud storage |
| Google Cloud Storage | GCP customers |
| Azure Blob Storage | Azure customers |
| MeetLoyd R2 | Default (Cloudflare R2) |
BYOS includes connectivity testing, resumable data migration, and circuit breaker health monitoring with automatic fallback to R2.
Data Residency
Enterprise customers can choose data location:
- US: Virginia, Oregon
- EU: Frankfurt, Ireland
- APAC: Singapore, Sydney
Data Retention
Default retention periods (all configurable on Enterprise):
| Data Type | Default |
|---|---|
| Conversations | 90 days |
| Audit Logs | 30 days |
| Agent Memory | 90 days |
| Task History | 30 days |
Compliance Standards
MeetLoyd maintains compliance with:
- SOC 2 Type II -- Security, availability, confidentiality
- GDPR -- EU data protection
- CCPA -- California privacy
- HIPAA -- Healthcare (Enterprise)
- ISO 27001 -- Information security (in progress)
For a detailed look at how MeetLoyd aligns with the OWASP Agentic Top 10 and the Agent Trust Framework, see Zero Trust for Agents.
Security Best Practices
Security Contact
For security issues or vulnerability reports, please email security@meetloyd.com.
Next: Learn about Authentication in detail.