At Locus, we take pride in our products and continuously work to make them better. The same holds true for the security of our products. We have a team of Information Security professionals working to make our products more secure. We believe that security should be a part of our culture and not an add-on. So, we have built a security framework with our employees as the foundation and with process and technology on top of it.

We operate under a shared security responsibility model where we are responsible for the security of our product and underlying infrastructure and we will offer security features to customers in a predictable and reliable manner. We expect our customers to configure and maintain security settings in our product according to their security requirements.


Security Controls



  • Right from hiring to offboarding and even after that, we make sure that our employees are aware of their Information Security and Privacy roles and responsibilities.
  • We build the security culture through periodic awareness sessions and phishing simulations, which help employees quickly recognize and thwart social engineering attacks.
  • Employee access to our production systems is restricted. Time-limited access is given only on a need-to-know basis, expires after the requested time, and is periodically reviewed.
  • Our hiring process involves a full background check for all employees and contractors. This includes criminal, education and work history verification.
  • We use a third-party identity management platform to manage access and enable single sign-on to cloud applications.

Infrastructure and Physical Security

  • All our information processing systems are hosted with market-leading cloud service providers, which are selected after a thorough evaluation of the security controls offered by the cloud service providers.
  • We implement complementary controls recommended by our Cloud Service Providers (CSPs), such as well-defined security and access policies, and make use of CSP-specific security features that can enhance security and monitoring capabilities.
  • High availability deployment with regular backups stored with redundancy.
  • Only security hardened images are used for creating instances.
  • Intrusion detection and prevention systems, anti-malware, and file integrity monitoring solutions on all systems.
  • Periodic vulnerability assessment and penetration testing of infrastructure using automated tools.
  • The application layer is configured to auto-scale to handle excess traffic caused by an attack or by a surge in legitimate traffic.
  • Employees can access the company network only via VPN.
  • Controls for protection against DDoS attacks and detecting unusual activities like probing and port scans against any resources in our system.

Secure Development Lifecycle

  • Strict security checkpoints at every step of our development cycle, from coding and testing to deployment.
  • Security and privacy requirements analysis during the design phase and ensuring that the requirements are satisfied at each stage of the lifecycle.
  • Developers are trained on secure coding and code review techniques, including the OWASP Top 10 vulnerabilities and their prevention.
  • Automated code scanning is performed for identifying security issues.
  • Change management is integrated into the SDLC processes, with various internal and external stakeholders. Customers will be informed well in advance of any major breaking changes.
  • The security of our applications is verified by both internal and independent external audits. Our internal penetration testing team continually audits our applications as per OWASP standards.

Customer Data Protection

  • Locus considers customers’ data our most important asset, and we follow industry best practices and implement best-in-class protection mechanisms to protect it.
  • Data is encrypted at rest and in transit using industry best encryption methods.
  • Full disk encryption is enabled on endpoints.
  • Encryption keys are protected using Amazon’s industry-tested key management service.
  • Passwords are hashed with industry standard hashing algorithms.

Privacy by Design and by Default

  • We are ISO 27701:2019 certified and have a well-established, implemented, monitored and audited Privacy Information Management System.
  • GDPR ready by adhering to GDPR’s principles:

    • Lawfulness, fairness and transparency
    • Purpose limitation
    • Data minimisation
    • Accuracy
    • Storage limitation
    • Integrity and confidentiality
    • Accountability
  • Tracking collection, storage, processing, access, transfer, retention and removal of Personal Information.
  • Defined and declared retention periods for personal data.
  • Dedicated process and a channel established for deletion of personal data upon request.
  • Identified, assessed and empanelled sub-processors, ensuring appropriate fitment. You can read more about our process and list of sub-processors here.
  • Certain privacy laws provide individuals with the right to request access to and/or deletion of personal information an organization has about them. To submit a data subject rights request in relation to personal information processed by Locus, please fill out the form available here.

Authentication and Authorization

  • Support for SAML-based single sign-on and web authentication. Customers also have the ability to integrate with their ADFS server.
  • Configurable access levels for users to facilitate appropriate access to data.
  • The password policy is set to OWASP-recommended complexity requirements with a minimum length of 8 characters. Password expiry time is configurable.

Security Testing

  • To ensure our product is secure, we conduct regular vulnerability assessments and penetration testing. Our products are audited by our internal security testing team as well as external auditing firms.
  • We have an efficient vulnerability and patch management process to ensure that the discovered vulnerabilities are patched on time.
  • Currently we do not have a public bug bounty program, but we highly appreciate the efforts of security researchers. Refer to our Responsible Vulnerability Disclosure Policy for more information.

Logging and Monitoring

  • We have a centralized logging infrastructure where logs from all the machines, databases, queues and application instances are aggregated.
  • Our logging infrastructure can collect various metrics such as CPU usage, memory, etc., and custom metrics from applications for analyzing API call latency.
  • All actions are logged, and the logs denote who, what and when for all operations.
  • All system activity is monitored, and any violation is immediately investigated by the system support team.

Business Continuity and Incident Management

  • Business continuity plans are established based on abnormal business condition scenarios, by defining RTO and RPO and having a recovery plan. BCP tests are conducted at regular intervals.
  • Customers will be informed of any upcoming maintenance activity and the maintenance windows are scheduled to cause minimal/no service interruption.
  • We have a standard incident management procedure to respond to Information Security incidents. Customers will be notified of data breaches within a defined time.
  • Our business continuity plan and incident management procedure are built around ISO 27001 standard requirements and are frequently subject to internal and external audits.


To ensure the effectiveness of our controls and to help our customers meet their compliance requirements, we certify against industry-standard Information Security and Privacy certifications.

ISO 27001:2013

IS 706275


Locus is ISO 27001:2013 certified and has an effective Information Security Management System in place. The certificate is available on request.

ISO 27701:2019

PM 767891


Locus is ISO 27701:2019 certified, helping us to demonstrate our capability to protect customers’ Personal Information.

How we help customers to meet their compliance requirements


Compliance with ISO 27701:2019 has provided us with a strong foundation for GDPR compliance. We make sure that the personal information of EU customers does not leave the EU region. Reach out to or in case of any queries regarding GDPR or Privacy.

For more information on Locus’s GDPR compliance, you can request for our DPA at DPA can be signed on request.


Contact Us: You can reach us at if you have any information security related queries about our products. For any Privacy or GDPR related queries contact us at or .

