Security

How we protect your data.

Honest disclosure of what's in production today and what's on the roadmap. No claims we can't back up.

In place today

Encryption in transit

TLS 1.3 enforced at the Caddy edge, with certificates issued automatically by Let's Encrypt. HSTS header set with a one-year max-age, includeSubDomains and preload.

Encryption at rest

The Hetzner CX23 server disk and the libsql database live on an encrypted volume. Stripe handles all payment-card data; we never see or store card numbers.

Geofenced data access

Contacts of CA / TX / VT / OR residents and requests from EU IPs are blocked entirely, at three independent layers: at the edge (Caddy with MaxMind geoIP), at every API endpoint, and at DB ingest. A request that slips past one layer, for example through a VPN exit outside the EU, still has to pass the other two.

Application security

Security headers: X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and a lockdown Permissions-Policy. Database access goes through Drizzle ORM with parameterized queries, so user input is never interpolated into SQL strings. APIs are rate-limited and filter known bot user agents.
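The transport and application header claims above are easy to verify from outside. The following is an added example, not leadsapp's own code: it audits a set of response headers against exactly the list on this page (HSTS with one-year max-age, includeSubDomains and preload; the four application headers; and whether CSP is enforced or, as the roadmap section states for today, report-only). The two header sets at the bottom are constructed samples, not captured from leadsapp.com, and the /csp-report path in one of them is a placeholder.

```javascript
// Added example, not leadsapp's own code: audit a response's security
// headers against the posture this page describes. The two header sets at
// the bottom are constructed samples, not captured from leadsapp.com.

const ONE_YEAR_SECONDS = 31536000;

// Split a ";"-delimited header into a {directive: value|true} map.
// HSTS uses "name=value" tokens; CSP uses "name value value..." tokens,
// so the caller chooses the splitter.
function parseDirectives(value, splitter = "=") {
  const out = {};
  for (const part of value.split(";")) {
    const token = part.trim();
    if (!token) continue;
    const [name, ...rest] = token.split(splitter);
    const joiner = typeof splitter === "string" ? splitter : " ";
    out[name.toLowerCase()] = rest.length ? rest.join(joiner).trim() : true;
  }
  return out;
}

// `headers` is a plain object of header name -> value, e.g.
// Object.fromEntries(response.headers) from fetch(). Returns a list of
// findings; an empty list means every check on this page's list passed.
function auditSecurityHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const findings = [];

  // Encryption in transit: HSTS with one-year max-age, includeSubDomains, preload.
  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("HSTS missing");
  } else {
    const d = parseDirectives(hsts);
    if (d["max-age"] === undefined) findings.push("HSTS lacks max-age");
    else if (!(Number(d["max-age"]) >= ONE_YEAR_SECONDS))
      findings.push(`HSTS max-age ${d["max-age"]} is below one year`);
    if (!d.includesubdomains) findings.push("HSTS lacks includeSubDomains");
    if (!d.preload) findings.push("HSTS lacks preload");
  }

  // Application security headers.
  if ((h["x-frame-options"] || "").toUpperCase() !== "DENY")
    findings.push("X-Frame-Options is not DENY");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff")
    findings.push("X-Content-Type-Options is not nosniff");
  if ((h["referrer-policy"] || "").toLowerCase() !== "strict-origin-when-cross-origin")
    findings.push("Referrer-Policy is not strict-origin-when-cross-origin");
  if (!h["permissions-policy"]) findings.push("Permissions-Policy missing");

  // CSP: enforced vs report-only. Report-only is recorded as a finding
  // because it blocks nothing; this page lists enforcement as a roadmap item.
  const csp = h["content-security-policy"];
  const cspReportOnly = h["content-security-policy-report-only"];
  if (csp) {
    const d = parseDirectives(csp, /\s+/);
    if (!d["default-src"]) findings.push("CSP has no default-src fallback");
  } else if (cspReportOnly) {
    findings.push("CSP is report-only, not enforced");
  } else {
    findings.push("CSP missing");
  }
  return findings;
}

// Constructed sample: the posture described under "In place today", with CSP
// still report-only as the roadmap states. The report-uri path is a placeholder.
const SAMPLE_AS_DESCRIBED = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-report",
};

// Constructed sample of a weaker deployment, for contrast.
const SAMPLE_WEAK = {
  "Strict-Transport-Security": "max-age=300",
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy": "script-src 'self'",
};

console.log(auditSecurityHeaders(SAMPLE_AS_DESCRIBED));
console.log(auditSecurityHeaders(SAMPLE_WEAK));
```

Against a live site, pass Object.fromEntries(response.headers) from a fetch() of the page to auditSecurityHeaders; header names are case-insensitive, which is why the function lower-cases them before comparing. The report-only finding is deliberate: a CSP in report-only mode produces telemetry but prevents nothing, so a checker that treated it as equivalent to enforcement would overstate the posture.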

Authentication

Passwords are hashed with bcrypt via better-auth. Session tokens are stored in httpOnly cookies with a 30-day rolling expiry. Login attempts are rate-limited per IP.
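Per-IP login rate limiting is the control that turns a credential-stuffing run into a slow trickle. The page does not say how its limiter is built; the following is an added example of one common approach, a sliding-window limiter keyed by client IP, and is not leadsapp's code. The limit of 5 attempts per minute, the timestamps and the 203.0.113.7 address (a documentation range) are constructed for illustration.

```javascript
// Added example, not leadsapp's own code: per-IP login attempt limiting with
// a sliding window. Limits, timestamps and the IP below are constructed.

class SlidingWindowLimiter {
  // limit: attempts allowed per `windowMs` for one key (here a client IP).
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.attempts = new Map(); // key -> ascending attempt timestamps (ms)
  }

  // Record one attempt for `key` at `now` (ms) and decide whether it may
  // proceed. Rejected attempts are not recorded, so a locked-out client
  // cannot extend its own lockout by hammering the endpoint.
  check(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.attempts.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.attempts.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.attempts.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }

  // Drop keys with no attempts inside the window so the map does not grow
  // without bound under a distributed credential-stuffing run. Returns the
  // number of keys still tracked.
  sweep(now = Date.now()) {
    const cutoff = now - this.windowMs;
    for (const [key, ts] of this.attempts) {
      if (!ts.some((t) => t > cutoff)) this.attempts.delete(key);
    }
    return this.attempts.size;
  }
}

// Drive the limiter with a constructed burst from one IP: `count` attempts,
// one every `spacingMs`, starting at `startMs`. Returns the per-attempt verdicts.
function simulateBurst(limiter, ip, count, startMs, spacingMs) {
  const verdicts = [];
  for (let i = 0; i < count; i++) {
    verdicts.push(limiter.check(ip, startMs + i * spacingMs));
  }
  return verdicts;
}

// Example: 5 attempts per minute; 8 attempts one second apart from one IP.
const limiter = new SlidingWindowLimiter({ limit: 5, windowMs: 60_000 });
const burst = simulateBurst(limiter, "203.0.113.7", 8, 0, 1_000);
console.log(burst.map((v) => (v.allowed ? "allow" : `deny (retry in ${v.retryAfterMs} ms)`)));
```

Two deployment points matter more than the algorithm. The key must be the real client address: behind Caddy that means trusting X-Forwarded-For only when it was set by your own proxy, or an attacker chooses their own key. And an in-memory Map only works for a single process; with more than one app instance the store has to move to something shared, or each instance grants the full limit independently. A per-IP limit alone also misses stuffing spread across many addresses, so it is normally paired with a per-account limit.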

On the roadmap

Not yet shipped
  • Content-Security-Policy enforcement (currently report-only while GTM/PostHog/Stripe iframes are vetted)
  • Two-factor authentication (TOTP) for accounts
  • Geographic-redundant backups (currently single-region encrypted backups; off-site duplication coming Q3)
  • SOC 2 Type 1 certification (planned for Q4, not yet certified)
  • Automated dependency vulnerability scanning (Dependabot integration scheduled)
  • Bug bounty program

We'll update this page when each item lands. We won't claim certifications or controls we don't have.

Breach disclosure

We maintain an incident response plan and will notify affected users within 72 hours of confirming a data breach, as required by applicable regulations.

Responsible disclosure

Found a vulnerability? Email security@leadsapp.com. We'll acknowledge within 24 hours.