Security Policy
At LeadsEngage, the security and privacy of your data are our top priorities. We are dedicated to implementing, maintaining, and continuously improving robust security controls to ensure the confidentiality, integrity, and availability of your information.
This Security Policy outlines the framework of our security practices and the measures we employ to safeguard your data across our platform and infrastructure.
1. Shared Responsibility Model
LeadsEngage operates under a shared responsibility model to maintain a secure environment for all users.
We partner with Amazon Web Services (AWS) - one of the world’s most trusted cloud providers - to ensure a secure, reliable, and compliant foundation.
AWS (Infrastructure Security)
AWS is responsible for the security of the cloud, including:
- Physical data center protection
- Network infrastructure
- Server hardware and virtualization layer
- Global redundancy and disaster recovery
AWS maintains SOC 2 Type II, ISO 27001, PCI DSS, and CSA STAR certifications, among others.
LeadsEngage (Platform Security)
LeadsEngage is responsible for security within the cloud, which includes:
- Application and API security
- Data encryption, access control, and identity management
- Secure deployment and configuration of our cloud infrastructure
- Continuous monitoring, logging, and incident management
You (Customer Security)
You are responsible for:
- Maintaining strong, unique passwords
- Managing user access and permissions within your organization
- Securing your devices and local networks used to access the LeadsEngage platform
Security is a shared commitment - and together, we ensure data safety at every level.
2. Data Protection & Privacy
Protecting your data is central to our operations. LeadsEngage employs a multi-layered security approach to prevent unauthorized access, alteration, or disclosure.
- Data Encryption in Transit: All data transmitted between your device and LeadsEngage servers is encrypted using TLS 1.2 or higher.
- Data Encryption at Rest: Customer data stored in our databases and backups is encrypted using AES-256, the industry standard for secure storage.
- Data Segregation: Our multi-tenant architecture ensures each customer’s data is logically isolated, preventing unauthorized cross-tenant access.
- Data Minimization: We collect and store only the data required to provide and improve our Services - nothing more.
3. Application Security
We design and develop our platform with security built in from the ground up.
- Secure Development Lifecycle (SDLC): All development undergoes peer review, automated vulnerability scanning, and dependency patching.
- Penetration Testing: LeadsEngage conducts regular third-party penetration tests to identify and remediate potential vulnerabilities.
- Access Control: Access to production systems is strictly limited to authorized LeadsEngage personnel, following the principle of least privilege (PoLP).
- Multi-Factor Authentication (MFA): Administrative accounts and sensitive systems are protected by mandatory MFA.
4. Infrastructure & Network Security
Our infrastructure is hosted in secure, virtualized environments managed by AWS.
- Virtual Private Cloud (VPC): Isolated environments are used to host customer data and application components securely.
- Firewalls & Network Controls: All inbound and outbound network traffic is filtered using security groups, access control lists (ACLs), and zero-trust configurations.
- Backup & Disaster Recovery: Automated daily backups and redundant data centers ensure business continuity and resilience against outages or data loss.
5. System Monitoring & Incident Response
We maintain continuous visibility into our systems to detect, respond to, and mitigate potential threats.
- Logging & Monitoring: Comprehensive logs are collected and analyzed through automated alerting systems to detect suspicious activity.
- Intrusion Detection & Prevention: Our infrastructure employs continuous vulnerability scanning and real-time threat intelligence tools.
- Incident Response Plan (IRP): LeadsEngage has a documented and tested IRP that outlines escalation paths, communication procedures, and mitigation timelines in case of any security event.
If a data breach or security incident occurs, we will:
1. Contain and assess the issue promptly.
2. Notify affected customers within a reasonable timeframe as required by applicable laws.
3. Provide transparency throughout the remediation process.
6. Compliance & Governance
LeadsEngage aligns its practices with global security and data protection frameworks, including:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- SOC 2 readiness and ISO 27001 alignment
- HIPAA principles (for customers processing health-related data under a signed BAA)
Our internal policies are reviewed annually to ensure continued compliance with evolving standards.
7. Employee Security & Training
Security awareness is part of LeadsEngage’s culture.
- All employees undergo mandatory security and privacy training during onboarding and annually thereafter.
- Access to sensitive data is role-based, audited, and revoked immediately upon termination or role change.
- Employees must adhere to confidentiality agreements and device security policies.
8. Vulnerability Reporting & Responsible Disclosure
We appreciate responsible disclosure and collaboration from the security community. If you discover a potential vulnerability in our platform, please report it responsibly to:
Email: hello@leadsengage.com
Please include:
- A detailed description of the issue
- Steps to reproduce it
- Any supporting information (e.g., screenshots, proof-of-concept)

