Built to pass your security review.
Read-only connectors. AES-256 encryption. Workspace isolation. RBAC. Tamper-evident audit log. GDPR compliant. Share this page with your IT and InfoSec teams — everything they need is here.
Read-only
All connectors
AES-256-GCM
Credential encryption
Workspace isolation
Structural data boundary
GDPR compliant
EU data residency
Security architecture
How LeakIQ is designed to protect your data at every layer.
Read-only connectors. No write-back.
LeakIQ connects to your systems using read-only credentials. We surface gaps — we never write, update, or delete records in your source systems. Every connector uses OAuth or encrypted API keys scoped to the minimum permissions required.
AES-256-GCM credential encryption
All connector credentials are encrypted at rest using AES-256-GCM before being stored. The encryption key is held separately from the database and is never logged. The key can be rotated at any time by updating the server environment variable — no data migration is required.
Workspace isolation
Every customer operates in an isolated workspace with a separate data partition. No customer can access another customer's data. Workspace IDs are scoped to every database query — cross-workspace data access is structurally impossible.
Role-based access control (RBAC)
Three roles — Viewer, Operator, and Admin — with enforced capability boundaries. Role changes are audit-logged. All permission checks are enforced server-side, not in the UI layer.
Tamper-evident audit log
Every significant action (login, data access, role change, approval, recovery action) is written to an append-only audit log with actor, timestamp, and IP address. Logs are exportable for compliance review.
Data residency and subprocessors
Data is processed and stored in the EU (Neon PostgreSQL, hosted on AWS eu-west-1). Our subprocessors include Neon (database), Vercel (compute), Resend (transactional email), and Stripe (billing). A full DPA is available on request.
Authentication and session security
Sessions are signed with a rotating HMAC secret (NEXTAUTH_SECRET). Passwords are hashed using bcrypt. MFA is available for all workspace members. Sessions expire after inactivity.
Data retention and deletion
Data is retained for the duration of the workspace subscription plus a 90-day grace period. Workspaces can request deletion at any time. Deletion purges all workspace data, connector credentials, and audit records.
Common InfoSec questionnaire answers
The 10 questions we receive most often from IT and security teams during vendor review.
Do you store our financial data?
We store the minimum data needed to detect and surface revenue gaps: metric snapshots, event records, and derived issues. We do not store raw transaction records or payment card data. All data is associated with your workspace and deleted when the workspace is closed.
Can you write to our systems?
No. All connectors are read-only. LeakIQ does not send requests that create, update, or delete records in your source systems.
How are credentials protected?
Credentials are encrypted with AES-256-GCM using a secret key that is separate from the database. Credentials are never returned in API responses or written to logs.
Where is data stored?
In the EU (AWS eu-west-1 via Neon PostgreSQL). Compute runs on Vercel's EU edge network. No data is stored in the US unless explicitly requested.
Do you offer a DPA (Data Processing Agreement)?
Yes. Contact us at support@leakiq.io and we will provide a signed DPA within two business days.
Are you SOC 2 certified?
We are working towards SOC 2 Type II. Our infrastructure providers (Vercel, Neon, AWS) are SOC 2 certified. Contact us for our current security posture documentation.
How do we revoke access?
Disconnect a connector from the Connected Systems page at any time — this immediately revokes token usage. Close the workspace via Settings → Billing to purge all data.
What happens if LeakIQ is compromised?
We have an incident response plan covering detection, containment, notification (within 72 hours per GDPR requirements), and recovery. Affected customers are notified by email with a full incident report.
Can we get a penetration test report?
We conduct annual penetration tests. The executive summary is available under NDA. Contact support@leakiq.io.
How do we conduct a security review before connecting systems?
Start here. For deeper review, email support@leakiq.io — we respond within one business day and can schedule a technical call with your InfoSec team.
Ready to proceed with your review?
Email us at support@leakiq.io for a DPA, penetration test summary (under NDA), or to schedule a call with your InfoSec team. We respond within one business day.