The signed authorization artifact. The contract behind it.
Lorica is biometric step-up verification at the moment of a high-risk action. This page documents the five gate security layers, the data we hold, the data we refuse to hold, and how to report a vulnerability.
Between credential and action.
The boundary Lorica draws sits between session and authorization. Between "logged in 90 days ago" and "authorized this withdrawal, right now." Between a credential that proved who you were once and a fresh proof that the same human is at the keyboard — or in front of the camera — at the moment value moves.
Below — the 2025–2026 incidents Lorica's verification layer addresses, and the data-handling guarantees that come with each verification. We do not publish internal threat-decomposition specifics. That belongs in the security review, not the marketing page.
Five incidents. One unsolved moment.
2025 saw approximately $3.4B in crypto theft across the sector (Chainalysis). The five incidents below — totaling about $1.93B — are the subset where the architectural pattern is identical: authentication held at signup, no re-verification when money moved. MiCA and NYDFS recommend re-verification on high-value actions.
| Date | Entity | Vector | Loss |
|---|---|---|---|
| 2025-02 | Bybit | Cold-wallet exploit | $1,500,000,000 |
| 2025-05 | Coinbase | Insider data sale | $400,000,000 |
| 2026-03-31 | Kraken (user) | Social engineering | $18,200,000 |
| 2026-04-13 | Kraken (insider) | Extortion attempt | $0 (no funds moved) |
| 2026-04-16 | Grinex | Account takeover at withdrawal | ~$13,000,000 |
| Total | 5 incidents | Same architecture flaw | ~$1.93B |
SOURCES — Chainalysis 2025 Crypto Crime Report (Feb 2026). Bybit incident disclosure (Feb 2025). Coinbase insider data theft disclosure (May 2025). Kraken security blog: Mar 31 2026 ($18.2M social engineering) and Apr 13 2026 (insider extortion, no funds moved) — these are separate events. Grinex public post-mortem (Apr 16, 2026).
Five gate security layers. Composition under MNDA.
The verify path runs five gate security layers, designed against ISO/IEC 30107-3 methodology. The gates are not enumerated publicly because adversaries read marketing pages too. The full composition is shared with prospective customers under MNDA prior to integration.
FAR, FRR, and PAD targets are defined against ISO/IEC 30107-3 methodology; third-party-tested results are shared under MNDA prior to integration. Both readers — the engineer integrating the SDK and the underwriter pricing the policy — anchor to the same artifact. There is no developer page and no compliance page.
The artifact is a signed receipt.
Every verification returns a signed receipt naming the human authorized and the action they authorized, timestamped at issuance. Lorica does not retain server-side receipts; the receipt is your audit trail. Cryptographic and integration detail under MNDA.
What we collect. What we refuse to collect.
At enrollment and at every verification, the user's camera captures frames in their browser. The frames are processed into a non-reversible biometric reference and the originals are discarded. Photos are not retained.
We store the encrypted biometric reference (per-tenant key, cryptographic detail under MNDA), the user_id you provided at enrollment, the enrollment timestamp and a reference identifier, and the verification audit log with action, verdict, receipt identifier, and timestamp.
We do not store photos, video, or frame buffers. We do not infer demographics — no age, gender, or ethnicity scoring. We do not retain location data beyond IP geolocation at verify time. References are per-tenant and isolated; there is no cross-tenant correlation.
Users can request deletion at any time. The deletion zeros the stored biometric reference and revokes any active receipts. The response includes a signed deletion proof — a timestamp verifiable independently. GDPR Article 17 and CCPA compliant. Target — deletion within 24 hours of acknowledged request.
Consent is per-session. At enrollment the user is presented with the browser camera prompt plus an in-app consent screen specifying that a biometric reference will be stored encrypted. At each subsequent verification, the camera prompt fires again. Consent is not implicit.
Each tenant's biometric references are encrypted under a key unique to that tenant. Keys are rotated on a regular schedule. Old keys are retained for the duration of legal retention, then destroyed. References are re-encrypted under the new key during rotation.
Default windows. Configurable per tenant.
| Data type | Default window | Configurable range | Reason |
|---|---|---|---|
| Camera frames (raw) | Never persisted | 0 (always) | Privacy-by-design |
| Biometric reference (encrypted) | Until deletion requested | 0 – 7 years | User authentication continuity |
| Verification audit log | 7 years | 1 – 10 years | Regulatory — BSA, AML |
| Signed receipt (server-side) | Not persisted server-side | 0 (always) | Receipt is client-held |
| Server logs (request metadata) | 90 days | 30 – 365 days | Operational debugging |
| Aggregate metrics | 2 years | 6 months – 5 years | Capacity planning |
Deletion is user-initiated (target acknowledgment within 24 hours, signed deletion proof returned) or tenant-initiated bulk (target 7-day completion, per-user proofs returned).
Lorica may retain data beyond the windows above if legally required — subpoena, court order, regulatory investigation. The affected tenant is notified within 5 business days unless prohibited by law. Held data is segregated and access-logged.
On contract termination, all tenant biometric references and audit logs are deleted within 30 days. Aggregate metrics carrying no PII may be retained for capacity planning. A final deletion certificate is issued.
Report it. We patch it.
Send vulnerability reports to security@loricaapi.com. Encrypted reports welcomed; PGP key on request. Best-effort acknowledgment within 5 business days; patch target of 30 days for any vulnerability with a working proof-of-concept. We do not publicly disclose details before a patch ships.
Researchers who report in good faith are credited in the next post-patch release note (with permission). We do not pursue legal action against research conducted under standard responsible-disclosure norms.
Defining the artifact by its boundary.
- We don't replace KYC. Lorica runs at the action moment, not at signup. KYC verifies identity once; Lorica re-verifies the human at every high-risk action.
- We don't store photos. Frames are processed in memory and discarded. There is no image archive.
- We don't write to your database. The signed JWT is returned synchronously; you persist what you need from it. We hold no transaction record on your behalf.
- We don't ship background agents. No webhooks, no eventual consistency. Every verification is a synchronous POST returning a JWT.
- We don't decide which actions need verification. Your risk policy decides which actions are high-risk. Lorica runs the verification when you call it.
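The receipt model described above (a signed JWT returned synchronously, held and persisted by the tenant, naming the human and the action) implies a check on the integrator's side before value moves: authenticate the receipt, confirm it names this user and this exact action, and confirm it is fresh. The following is an added example, not Lorica's SDK or code; the page keeps the real signing scheme and claim layout under MNDA, so HS256 with a shared tenant secret and the claim names `sub`, `action`, `iat` and `jti` are assumptions for illustration.

```python
# Added example (not Lorica's SDK): tenant-side check of a step-up receipt JWT
# before executing the high-risk action it is supposed to authorize.
# ASSUMPTIONS: HS256 with a per-tenant secret; claims sub/action/iat/jti.
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_receipt(claims: dict, key: bytes) -> str:
    """Stand-in for the issuer side, used only to construct test input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_receipt(token: str, key: bytes, expected_user: str,
                   expected_action: str, now: int, max_age_s: int = 120) -> dict:
    """Return the claims if the receipt is authentic AND bound to exactly this
    user and action within max_age_s seconds of issuance; else raise ValueError.
    Binding to the action stops a receipt issued for one action (e.g. a profile
    change) from being replayed to authorize a different one (a withdrawal)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed receipt")
    header, body, sig = parts
    # Pin the algorithm; never let the token choose how it is verified.
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("sub") != expected_user:
        raise ValueError("receipt names a different user")
    if claims.get("action") != expected_action:
        raise ValueError("receipt authorizes a different action")
    iat = int(claims.get("iat", 0))
    if not (now - max_age_s <= iat <= now):
        raise ValueError("receipt stale or issued in the future")
    return claims  # caller persists claims["jti"] etc. as its audit record
```

Since Lorica keeps no server-side copy, the returned claims (at minimum the receipt identifier, user, action and timestamp) are what the tenant writes to its own audit log alongside the transaction.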