Security Practices

At Leadsy, security is fundamental to everything we do. We implement enterprise-grade security measures to protect your data, maintain platform integrity, and ensure business continuity. This document outlines our comprehensive security practices and commitments.

1. Data Encryption

1.1 Encryption in Transit

All data transmitted between your devices and our servers is protected using industry-standard encryption:

• TLS 1.3: Transport Layer Security 1.3 protocol for all web traffic
• HTTPS Enforcement: Automatic redirection from HTTP to HTTPS for all connections
• HSTS: HTTP Strict Transport Security to prevent protocol downgrade attacks
• Perfect Forward Secrecy: Ephemeral key exchange mechanisms to protect past sessions
• Certificate Pinning: Protection against man-in-the-middle attacks

1.2 Encryption at Rest

Your data is encrypted when stored in our systems:

• AES-256-GCM Encryption: Authenticated encryption with Galois/Counter Mode for sensitive data including OAuth tokens
• PBKDF2 Key Derivation: Secure key derivation with random 64-byte salts using scrypt algorithm
• Random Initialisation Vectors: 16-byte random IVs generated per encryption operation
• Authentication Tags: GCM authentication tags ensure data integrity verification
• Database Encryption: Supabase PostgreSQL with encryption at rest
• Backup Encryption: All database backups encrypted before storage

1.3 Key Management

We employ secure key management practices:

• Hardware Security Modules (HSMs) for key generation and storage
• Separation of duties for key access and management
• Automated key rotation schedules
• Secure key backup and disaster recovery procedures
• Comprehensive audit logging of all key operations

2. Access Controls

2.1 Authentication

Multiple layers of authentication protect your account:

• Supabase Auth: Enterprise-grade authentication powered by Supabase with JWT-based session management
• Multi-Factor Authentication (MFA): Support for TOTP (Time-based One-Time Password) with backup codes for account recovery
• Google OAuth Integration: Secure OAuth2 flow for Gmail account connection with automatic token refresh
• Password Security: Passwords hashed using bcrypt with secure salt generation
• Email Confirmation: Required email verification for new account registration
• Session Management: HTTP-only secure cookies with SameSite protection and automatic session timeout
• CSRF Protection: Token-based CSRF validation on all state-changing API endpoints with 1-hour TTL

2.2 Authorisation

Granular permissions ensure users access only what they need:

• Role-Based Access Control (RBAC): Four predefined roles with specific permissions:
  • Admin: Full system access, user management, organisation settings
  • Campaign Manager: Campaign/sequence/list management, prospect assignment
  • Sales Manager: Team management, analytics, performance monitoring
  • Sales Rep: View assigned prospects, send/review emails, respond to replies
• Multi-Tenant Isolation: Strict data isolation between customer organisations using organisation_id scoping on all database queries
• Prospect Assignment: Sales reps can only access prospects explicitly assigned to them
• Least Privilege: Default minimal access with explicit permission grants based on role

2.3 Account Security

Proactive measures to protect your account:

• Login anomaly detection and alerts
• Automatic account lockout after failed login attempts
• IP allowlisting and geo-restrictions
• Session activity monitoring and forced logout capabilities
• Account recovery with identity verification

3. Infrastructure Security

3.1 Cloud Infrastructure

We leverage world-class cloud providers with proven security:

• Supabase: SOC 2 Type II certified PostgreSQL database hosting with automatic backups and point-in-time recovery
• Vercel: SOC 2 Type II certified application hosting with edge network deployment
• Geographic Distribution: Edge deployment for low-latency access globally
• Auto-Scaling: Serverless architecture with automatic resource scaling
• DDoS Protection: Built-in DDoS mitigation at the edge network level
• Separate Tracking Service: Email tracking hosted on dedicated infrastructure for isolation

3.2 Network Security

Comprehensive network protection:

• Firewalls: Next-generation firewalls with intrusion detection/prevention
• WAF: Web Application Firewall protecting against OWASP Top 10 vulnerabilities
• Network Segmentation: Isolated network zones for different service tiers
• Zero Trust Architecture: No implicit trust; verification required for all access
• VPN Access: Encrypted VPN for internal system access

3.3 Server Hardening

Our servers are configured with security best practices:

• Minimal installed software and services
• Regular security patching and updates
• Disabled unnecessary ports and protocols
• Host-based intrusion detection systems
• Immutable infrastructure with automated deployments

4. Application Security

4.1 Secure Development

Security is integrated into our development lifecycle:

• Security Training: Regular security awareness training for all developers
• Code Reviews: Peer review of all code changes with security focus
• Static Analysis: Automated scanning for security vulnerabilities in source code
• Dependency Scanning: Continuous monitoring of third-party libraries for vulnerabilities
• Secure Coding Standards: OWASP guidelines and internal security policies

4.2 Vulnerability Management

Proactive identification and remediation of security issues:

• Penetration Testing: Annual third-party security assessments
• Vulnerability Scanning: Automated daily scans of infrastructure and applications
• Bug Bounty Programme: Rewards for responsible disclosure of security issues
• Patch Management: Expedited patching of critical vulnerabilities
• Security Advisories: Transparent communication of security updates

4.3 Input Validation

Protection against injection attacks:

• Comprehensive input sanitisation and validation
• Parameterised queries to prevent SQL injection
• Content Security Policy (CSP) to mitigate XSS attacks
• Output encoding for all user-generated content
• File upload validation and malware scanning

5. Compliance and Certifications

5.1 SOC 2 Type II

We undergo annual SOC 2 Type II audits, demonstrating our commitment to maintaining controls over security, availability, processing integrity, confidentiality, and privacy. Audit reports are available to enterprise customers under NDA.

5.2 GDPR Compliance

Full compliance with the General Data Protection Regulation:

• Data Processing Agreements (DPAs) available for all customers
• Standard Contractual Clauses for international data transfers
• Data subject rights support (access, rectification, erasure, portability)
• Privacy by design and by default
• Data breach notification procedures

5.3 Australian Privacy Principles

Compliance with the Privacy Act 1988 and Australian Privacy Principles, including transparent data handling practices, secure storage, and individual rights to access and correct personal information.

5.4 Industry Standards

Alignment with internationally recognised security frameworks:

• ISO 27001 Information Security Management System
• OWASP Top 10 protection measures
• CIS Controls implementation
• NIST Cybersecurity Framework alignment

6. Security Monitoring

6.1 Real-Time Monitoring

24/7 security monitoring and alerting:

• SIEM: Security Information and Event Management system for centralised logging
• Intrusion Detection: Network and host-based intrusion detection systems
• Anomaly Detection: Machine learning-based identification of suspicious activities
• Log Aggregation: Comprehensive logging of all security-relevant events
• Alert Management: Automated alerting with 24/7 security operations centre monitoring

6.2 Audit Logging

Comprehensive audit trails for compliance and investigation:

• Authentication and authorisation events
• Data access and modification activities
• Administrative actions and configuration changes
• API requests and responses
• Tamper-proof log storage with retention policies

6.3 Threat Intelligence

Proactive threat detection and response:

• Integration with global threat intelligence feeds
• Automated blocking of known malicious IP addresses
• Behavioural analysis for zero-day threat detection
• Threat hunting and investigation capabilities

7. Incident Response

7.1 Incident Response Plan

We maintain a comprehensive incident response plan:

• Preparation: Defined roles, responsibilities, and communication protocols
• Detection: Automated and manual monitoring for security incidents
• Containment: Immediate isolation of affected systems
• Investigation: Forensic analysis to determine root cause and impact
• Remediation: System restoration and vulnerability patching
• Post-Incident Review: Lessons learned and process improvements

7.2 Breach Notification

Transparent communication in the event of a security incident:

• Notification to affected customers within 72 hours
• Detailed information about the incident and impact
• Recommended actions to protect your data
• Compliance with GDPR, CCPA, and other notification requirements
• Public disclosure via security advisory page

7.3 Business Continuity

Ensuring service availability during incidents:

• Disaster recovery procedures with defined RTOs and RPOs
• Regular backup and restore testing
• Geographic redundancy for critical systems
• Incident escalation protocols
• Communication plans for status updates

8. Employee Security

8.1 Security Training

All employees receive comprehensive security training:

• Security awareness training during onboarding
• Annual refresher training on security best practices
• Phishing simulation exercises
• Role-specific security training for developers and operations
• Compliance training (GDPR, privacy regulations)

8.2 Background Checks

All employees with access to customer data undergo background verification including criminal record checks, employment verification, and reference checks (where legally permissible).

8.3 Access Policies

Strict controls on employee access to systems and data:

• Principle of least privilege for all system access
• Just-in-time access provisioning for elevated permissions
• Mandatory MFA for all internal systems
• Regular access reviews and recertification
• Immediate access revocation upon termination

8.4 Confidentiality Agreements

All employees and contractors sign comprehensive confidentiality and data protection agreements, ensuring contractual obligations to protect customer information.

9. Third-Party Security

9.1 Vendor Risk Management

Rigorous assessment of third-party service providers:

• Security questionnaires and audits for all vendors
• Review of SOC 2, ISO 27001, and other security certifications
• Data Processing Agreements with privacy and security terms
• Regular vendor security reassessments
• Contractual security requirements and SLAs

9.2 Approved Vendors

We work only with trusted, security-certified providers:

• Database & Authentication: Supabase (SOC 2 Type II, ISO 27001)
• Application Hosting: Vercel (SOC 2 Type II)
• Email Services: Gmail API for prospect emails, SendGrid for system notifications (SOC 2)
• Payment Processing: Stripe (PCI DSS Level 1)
• B2B Data Enrichment: KnowFirst (Australian B2B database)
• CRM Integration: HubSpot (SOC 2, ISO 27001)

9.3 Data Sharing

We share customer data with third parties only as necessary to provide services, under strict contractual terms, and in compliance with applicable privacy laws. A complete list of subprocessors is available upon request.

10. Responsible Disclosure

10.1 Security Research Policy

We welcome and encourage responsible security research:

• Safe harbour for good-faith security research
• Clear scope and rules of engagement
• Coordinated disclosure timelines
• Recognition for security researchers
• Bug bounty rewards for qualifying vulnerabilities

10.2 Reporting Security Issues

If you discover a security vulnerability, please report it to us:

10.3 Disclosure Guidelines

When reporting security issues:

• Provide detailed information about the vulnerability
• Include steps to reproduce the issue
• Do not access, modify, or delete customer data
• Do not publicly disclose the issue until we've addressed it
• Allow reasonable time for remediation before public disclosure

11. Security Transparency

11.1 Security Documentation

We provide comprehensive security information:

• This Security Practices page (updated quarterly)
• Security white papers for enterprise customers
• SOC 2 Type II reports (under NDA)
• Data Processing Agreements
• Security questionnaire responses

11.2 Security Status

Real-time security and operational status available at status.leadsy.com, including historical incident reports and scheduled maintenance windows.

11.3 Security Updates

Subscribe to our security mailing list at security@leadsy.com to receive notifications about security updates, patches, and advisories.

12. Questions and Contact

For security-related enquiries, contact our security team: