Security

How we protect your data.

Honest disclosure of what's in production today and what's on the roadmap. No claims we can't back up.

In place today

Encryption in transit

TLS 1.3 enforced everywhere; HSTS header set with a 1-year max-age, includeSubDomains and preload.

Encryption at rest

Customer data stored on encrypted volumes in the United States. Stripe handles all payment-card data — we never see or store card numbers.

Geofenced data access

CA / TX / VT / OR resident contacts and EU IPs are blocked at multiple layers — at the network edge, at every API endpoint, and at data ingest.

Application security

Content-Security-Policy enforced: script, style, connect and frame sources are allowlisted; frame-ancestors 'none'; object-src 'none'; base-uri 'self'. Plus X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and a Permissions-Policy lockdown. Parameterized queries throughout (no SQL injection vectors). Rate-limited APIs with User-Agent based bot filtering.
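A way to verify that a deployed response actually carries the header set described above, as an added example (not the site's own code): it parses the CSP and HSTS values and reports any directive that falls short of the stated policy. The sample headers are constructed to match this page; the CDN origin is a placeholder, since the real allowlisted origins are not listed here.

```python
from typing import Dict, List

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the headers match the stated controls."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    # Allowlisted fetch directives must be present and must not fall back to a wildcard or inline scripts.
    for d in ("script-src", "style-src", "connect-src", "frame-src"):
        srcs = csp.get(d)
        if srcs is None:
            findings.append(f"CSP: {d} missing")
        elif "*" in srcs or "'unsafe-inline'" in srcs:
            findings.append(f"CSP: {d} not a strict allowlist")
    for d, want in (("frame-ancestors", "'none'"), ("object-src", "'none'"), ("base-uri", "'self'")):
        if csp.get(d) != [want]:
            findings.append(f"CSP: {d} should be {want}")
    # HSTS as stated on the page: 1-year max-age, includeSubDomains, preload.
    hsts = [t.strip().lower() for t in h.get("strict-transport-security", "").split(";")]
    max_age = next((int(t.split("=")[1]) for t in hsts if t.startswith("max-age=")), 0)
    if max_age < 31536000 or "includesubdomains" not in hsts or "preload" not in hsts:
        findings.append("HSTS: need max-age>=31536000, includeSubDomains, preload")
    for name, want in (("x-frame-options", "DENY"), ("x-content-type-options", "nosniff"),
                       ("referrer-policy", "strict-origin-when-cross-origin")):
        if h.get(name, "").lower() != want.lower():
            findings.append(f"{name} should be {want}")
    return findings

# Constructed sample matching the page's description; https://cdn.example.com is a placeholder origin.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self'; connect-src 'self'; frame-src 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    print(check_headers(GOOD_HEADERS))  # []
```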

Authentication

Bcrypt password hashing. Session tokens stored as httpOnly cookies, 30-day rolling expiry. Per-IP login attempt rate-limiting.

On the roadmap

Not yet shipped
  • Content-Security-Policy nonce-based hardening
  • Two-factor authentication (TOTP) for accounts
  • Geographic-redundant, off-site backups
  • SOC 2 Type 1 certification (in progress)
  • Automated dependency vulnerability scanning
  • Bug bounty program

We'll update this page when each item lands. We won't claim certifications or controls we don't have.

Breach disclosure

We maintain an incident response plan and will notify affected users within 72 hours of a confirmed data breach, as required by applicable regulations.

Responsible disclosure

Found a vulnerability? Email security@leadsapp.com. We'll acknowledge within 24 hours.