// Security & Privacy

Your clients trust you. We protect that trust.

Enterprise-grade security built for designers who handle sensitive client data. Row-level security, MFA, GDPR compliance, and encrypted storage – all enabled by default.

What you get

  • Row-level security (RLS) on every database table
  • Multi-factor authentication (TOTP) for designer accounts
  • PIN-protected client portals with timing-safe validation
  • GDPR-compliant data handling and deletion
  • All data encrypted in transit (TLS) and at rest
  • EU-based servers (AWS eu-central-1)
  • Password policy: 8+ chars, uppercase, digit required
  • Rate limiting on all public endpoints
  • Regular security audits and penetration testing

How it works

1. Data isolation

Every designer's data is isolated at the database level. Row-level security ensures no cross-account access is possible – even internally.

2. Client portal security

PINs are validated with constant-time comparison to prevent timing attacks. Portals can expire and you control exactly what clients can see.

3. Account protection

Enable MFA in Settings. Every login requires your password plus a TOTP code from your authenticator app. Brute force protection is built in.

4. Data ownership

Delete your account and everything goes with it – cascade delete across all projects, rooms, products, and client data. No retention, no backups kept.

How to use Security & Privacy

Security in Liru is active from the moment you create your account -- there is no setup wizard or security toggle to enable. Every database table is protected by row-level security (RLS), which means your data is isolated at the database engine level. Even if a bug existed in the application code, the database itself enforces that only you can access your own projects, rooms, products, and client data. No other designer on the platform can see or query your records.

To add an extra layer of protection to your account, navigate to Settings in the sidebar, then open the Security section. Click Enable Two-Factor Authentication to begin MFA enrollment. Liru uses the TOTP (Time-based One-Time Password) standard, which works with any authenticator app -- Google Authenticator, Authy, Microsoft Authenticator, or 1Password. Scan the QR code displayed on screen with your authenticator app, then enter the 6-digit verification code to confirm setup. From that point forward, every login requires both your password and a fresh TOTP code. The platform enforces AAL2 (authenticator assurance level 2) in middleware, so there is no way to bypass MFA once it is enabled.

Your password must meet the platform's security policy: minimum 8 characters, at least one uppercase letter, and at least one digit. All public-facing endpoints -- including client portal PIN entry, presentation views, and survey submissions -- are protected by rate limiting to prevent brute-force attacks. Client portal PINs are validated using constant-time comparison, which eliminates timing-based attack vectors.

Liru is fully GDPR-compliant. Your data is stored on EU-based servers (AWS eu-central-1) and encrypted both in transit via TLS and at rest. You have complete ownership of your data at all times. If you decide to leave the platform, go to Settings, then Account, and click Delete Account. This triggers a full cascade delete that permanently removes every piece of data associated with your account: all projects, rooms, products, presentations, surveys, moodboards, client portal configurations, uploaded files, and 3D models. No data is retained after deletion and no backups are kept.

The platform undergoes regular security audits and penetration testing. Issues raised in previous audits -- covering IDOR protections on portal links, cross-resource write validation on presentations and surveys, and survey payload size limits -- have all been identified and resolved. Security is not a feature you configure; it is the foundation everything else runs on.
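To illustrate the portal PIN handling described above (constant-time comparison combined with attempt limiting), here is an added example; it is not Liru's code. The names PortalPinGate and hash_pin, the PBKDF2 storage, and the 5-attempts-per-300-seconds limit are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5        # assumed limit, not Liru's actual setting
WINDOW_SECONDS = 300    # assumed sliding window for counting failures


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest, so both sides of the comparison
    always have equal length regardless of what the client submitted."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PortalPinGate:
    """Hypothetical PIN check for one client portal."""

    def __init__(self, pin: str, clock=time.monotonic):
        self._salt = os.urandom(16)
        self._digest = hash_pin(pin, self._salt)   # the PIN itself is not kept
        self._clock = clock
        self._failures = {}                        # client key -> failure times

    def _recent_failures(self, key: str) -> list:
        cutoff = self._clock() - WINDOW_SECONDS
        recent = [t for t in self._failures.get(key, []) if t > cutoff]
        self._failures[key] = recent
        return recent

    def check(self, key: str, submitted: str) -> str:
        """Return 'ok', 'denied' or 'locked' for a submission from `key`."""
        recent = self._recent_failures(key)
        if len(recent) >= MAX_ATTEMPTS:
            return "locked"                        # refuse before touching the PIN
        candidate = hash_pin(submitted, self._salt)
        # A plain `candidate == self._digest` may stop at the first differing
        # byte; compare_digest takes the same time wherever the mismatch is.
        if hmac.compare_digest(candidate, self._digest):
            self._failures.pop(key, None)
            return "ok"
        recent.append(self._clock())
        return "denied"
```

The client key would typically be a combination of portal identifier and source address; a production limiter would keep its counters in shared storage rather than in process memory.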
