Security & Trust
How LeaderHQ protects your downline data
Your downline is the most valuable asset you’ve ever built. We treat it that way — with encryption at every layer, strict access controls, and a written commitment to tell you the moment anything goes wrong.
Last updated: June 2026
Encryption
Encrypted at rest and in transit
Every byte that touches LeaderHQ — your card content, your captured leads, your Memory Moment photos, your comp-plan uploads — is encrypted both while it’s moving across the network and while it’s sitting in our database.
TLS 1.2+ in transit
All traffic to and from leaderhq.io and our API is served over HTTPS with TLS 1.2 or higher. HTTP requests are redirected to HTTPS. HSTS is enabled on the marketing and app domains.
AES-256 at rest
Our managed Postgres database encrypts data on disk using AES-256. Daily encrypted backups are retained for 30 days in a separate region from the primary.
Secrets isolated
API keys, JWT signing secrets, and database credentials are stored in a managed secrets vault — never committed to source control and never present in build artifacts.
Hashed credentials
Passwords are hashed with bcrypt (cost factor 12). OTP codes are single-use, hashed in storage, and expire in 10 minutes. We can never read your password.
Access control
Only the right people see the right data
Inside LeaderHQ, access is gated by identity. Inside our company, access is gated by role. Every action is logged.
Single sign-on
One LeaderHQ account signs you into every Leader Suite product — LeaderLeads, LeaderCal, LeaderStreams, LeaderAffiliate. Sessions are JWT-signed and bound to the .leaderhq.io cookie scope.
Role-based permissions
Inside a team workspace, owners, managers, and members see different surfaces. A downline member can never view another member’s leads or pipeline.
Audit log
Sign-ins, permission changes, data exports, and admin actions are recorded with timestamp, IP, and acting user. Workspace owners can review the log on request.
Step-up OTP
High-risk actions — adding a new sign-in device, exporting your full lead list, deleting your account — require a one-time code delivered to your verified email.
Compliance posture
GDPR, CCPA, and SOC 2 in flight
We build to the highest standard our customers ask for. Today that means GDPR and CCPA commitments are written into the product. SOC 2 Type I is in active preparation with a Q4 2026 target.
GDPR
Committed
EU residents may request a full export or deletion of their data through the in-app privacy controls or by emailing privacy@leaderhq.io. Requests are honored within 30 days. We act as a data processor for workspace owners, who remain the data controller for the contacts they collect.
CCPA
Committed
California residents have the right to know what information we hold, to request deletion, and to opt out of any sale of personal information. We do not sell personal information.
SOC 2 Type I
In progress · Q4 2026
We are working with an external auditor on a SOC 2 Type I report covering the Security and Confidentiality trust services criteria. A summary will be available under NDA to enterprise prospects once the report is issued.
HIPAA
Out of scope
LeaderHQ is not designed for protected health information. Workspace owners agree not to upload PHI as a condition of the Terms of Service.
Sub-processors
The vendors behind the product
We use a small, deliberate set of sub-processors. Each one is contractually bound to handle your data only on our instructions. This list is current as of the date above; we’ll update it before adding new vendors that touch customer data.
| Vendor | Purpose | Data region |
|---|---|---|
| Vercel | Marketing site & web app hosting | United States |
| Hostinger VPS | API + Postgres database hosting | United States |
| Postmark | Transactional email (OTP, lead alerts) | United States |
| Stripe | Subscription billing & payments | United States |
| Cloudflare | DNS & DDoS mitigation | Global edge |
To subscribe to sub-processor change notifications, email security@leaderhq.io.
Breach response
If something goes wrong, you’ll hear from us
We hope this section never applies to you. If it ever does, here’s what you can count on.
1. Detection & containment
   Our on-call engineer is paged within minutes of a confirmed security incident. The first priority is to stop the bleed — rotate keys, revoke sessions, isolate affected systems.
2. Notification within 72 hours
   If we determine that a breach has affected your data, we will notify the workspace owner by email within 72 hours of confirmation, in line with our GDPR commitments. The notice will describe what we know, what we don’t, and what we’re doing about it.
3. Post-incident report
   Within 14 days of containment, affected customers receive a written post-incident report covering root cause, remediation, and the changes we’re making to prevent recurrence.
4. Regulatory cooperation
   Where applicable law requires notice to a supervisory authority, we cooperate fully and provide the information requested.
Coordinated disclosure
Report a vulnerability
If you believe you’ve found a security vulnerability in LeaderHQ, we want to hear from you. We commit to acknowledging good-faith reports within two business days, working with you on a fix, and not pursuing legal action against researchers who follow this policy.
What to include in your report
- A clear description of the vulnerability and its impact.
- Steps to reproduce, ideally with a proof-of-concept request or screenshot.
- The affected URL, endpoint, or surface area.
- Your name and a way for us to follow up with you.
What’s in scope
- leaderhq.io and any *.leaderhq.io subdomain we operate.
- The LeaderHQ web application and Leader Suite product apps.
- Our public API endpoints.
What’s out of scope
- Social engineering of our staff, vendors, or customers.
- Denial-of-service attacks.
- Reports based solely on automated scanner output.
- Third-party services we don’t operate.