Trust & Security
Security & Compliance
Liceo is built to handle sensitive business data. Here's exactly how we protect it.
Cyber Essentials Certified
Liceo has achieved Cyber Essentials certification — the UK Government-backed scheme that demonstrates our commitment to protecting against the most common cyber threats. This certification confirms that our systems and controls meet the baseline required to guard against the vast majority of internet-based attacks.
Assessed and certified in 2026 · Scheme operated by the National Cyber Security Centre (NCSC)
Encryption
All data in transit is protected with TLS 1.2 or higher. All data at rest is encrypted with AES-256. OAuth tokens are individually encrypted using AES-256-GCM before database storage.
Access Control
Role-based access control (RBAC) with three tiers — Admin, Manager, and Viewer — ensures users can only access data relevant to their role. Every permission check is enforced at the API layer.
Audit Logging
Every action taken within Liceo — license assignments, approvals, settings changes, user invitations — is written to an immutable audit log with a timestamp and the acting user. Audit logs are retained for 12 months.
Infrastructure
Liceo is hosted on Vercel (application layer) and Neon (PostgreSQL database), both of which operate enterprise-grade, SOC 2-compliant infrastructure with automatic failover and point-in-time recovery.
Backups & Recovery
Database backups are performed continuously with point-in-time recovery. Backup data is encrypted and retained for 7 days. Backup copies are purged within 90 days of account closure.
Dependency Management
We conduct regular dependency audits using automated tooling to identify and patch known vulnerabilities. Security updates are applied on a rolling basis with zero planned downtime.
Authentication & Identity
Liceo uses secure, industry-standard authentication practices:
- Password hashing: All passwords are hashed using bcrypt with a cost factor of 12. Plain-text passwords are never stored or logged.
- Session management: Sessions are managed via signed, short-lived JWT tokens. Session secrets are rotated periodically.
- OAuth 2.0: Third-party directory integrations (Microsoft Entra ID, Google Workspace) use OAuth 2.0 with read-only scopes. We store only the encrypted refresh token — we never see your identity provider passwords.
- Rate limiting: Login attempts are rate-limited to prevent brute-force attacks. Repeated failures trigger a temporary lockout.
Data Isolation
Liceo is a multi-tenant platform. Customer data is strictly isolated at the application layer — every database query is scoped to the authenticated organization's ID. It is architecturally impossible for one organization to access another organization's data.
Network Security
- All HTTP traffic is redirected to HTTPS at the edge. TLS 1.2 minimum is enforced.
- Security headers (HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options) are set on all responses.
- Rate limiting is applied at the API layer using Upstash Redis for distributed enforcement.
- CSRF protection is enforced on all state-mutating requests.
Sub-Processors & Infrastructure
The following sub-processors are used to operate Liceo. All are bound by data processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Application hosting & edge network | USA / EU |
| Neon (PostgreSQL) | Database hosting with automatic backups | EU / USA |
| Upstash (Redis) | Rate limiting & session caching | EU / USA |
| Resend | Transactional email delivery | USA |
Cyber Essentials
Liceo holds active Cyber Essentials certification, assessed against the five core technical controls defined by the UK National Cyber Security Centre (NCSC):
- Firewalls: Boundary firewalls and internet gateways are configured to block unauthorised inbound connections.
- Secure configuration: Systems are hardened with unnecessary software and services removed; default credentials are never used.
- User access control: Accounts are granted least-privilege access; admin privileges are restricted and reviewed regularly.
- Malware protection: Controls are in place to prevent, detect, and contain malicious code across our systems.
- Patch management: Software and firmware are kept up to date; high-severity patches are applied within 14 days of release.
Certification is renewed annually. For a copy of our certificate or to ask questions about our Cyber Essentials controls, contact security@liceo.io.
GDPR & Data Protection
Liceo is designed with GDPR compliance in mind:
- We act as a data processor for your employee directory data and as a data controller for your account data.
- A Data Processing Agreement (DPA) is available upon request.
- Data transfers outside the EEA are covered by Standard Contractual Clauses (SCCs) with all sub-processors.
- You can exercise data subject rights (access, erasure, portability) by contacting privacy@liceo.io.
- Full details are available in our Privacy Policy.
Incident Response
In the event of a security incident affecting Customer Data:
- We will notify affected customers within 72 hours of becoming aware of the incident, in line with GDPR requirements.
- Notification will include the nature of the incident, affected data categories, and steps we are taking.
- A post-incident report will be provided where appropriate.
To report a security vulnerability, please contact security@liceo.io. We take all reports seriously and aim to respond within 24 hours.
Security Questions
If you have security-related questions, require our DPA, or are conducting vendor security due diligence: