
How we keep your customer data safe.

Last updated: 2026-05-24


Your business runs on the trust your customers place in you. We treat their data, and yours, with the seriousness that trust deserves. This page is a plain-English breakdown of how LeadsLockAI is built and what we do (and explicitly do not do) with your data.

Built on certified infrastructure

We did not build a data center. We built a focused product on top of the most boring and well-audited platforms in the industry. Every layer that handles your data carries an independent audit you can verify directly with the vendor.

  • Supabase (database, auth, file storage) is SOC 2 Type II certified. Your business profile, leads, and conversation history are stored in Supabase Postgres.
  • Vercel (hosting, edge network) is SOC 2 Type II certified. All web and API traffic runs through Vercel.
  • Stripe (subscription billing) is PCI-DSS Level 1 certified. Stripe handles every card transaction. Card numbers never touch our servers.
  • Twilio (SMS delivery) is SOC 2 Type II certified. SMS messages pass through Twilio to reach the lead's phone.

Data in Canada

Our primary Supabase project lives in the ca-central-1 region (Montreal). That means your business records, lead contact details, and conversation history are stored on Canadian soil and are subject to Canadian privacy law. We chose this region specifically for Canadian-owned shops who care where their data lives.

Some downstream services (Stripe, Twilio, Groq for AI inference) are based in the United States. The specifics of what is shared with each are documented in our Privacy Policy.

Encryption

  • In transit: All requests use TLS 1.3 (HTTPS). HSTS is enforced site-wide so browsers will not even attempt an unencrypted connection.
  • At rest: Supabase encrypts the database with AES-256 by default. File uploads (logos, etc.) are encrypted in object storage.
  • Passwords: We never store plaintext passwords. All account passwords are hashed with bcrypt and a per-user salt before they touch the database.
  • API keys and webhook secrets: Stored as environment variables in Vercel's encrypted vault, never in source code.

Webhook integrity

Anyone can send a POST to a webhook URL. We verify that the request actually came from the service that claims to have sent it.

  • Stripe webhooks are verified against the Stripe-Signature header before any subscription or billing state is updated. Replays are caught by an idempotent event log.
  • Twilio webhooks (inbound SMS, status callbacks) are verified with the Twilio request signature on every call. Unsigned or mis-signed requests are dropped.

Security headers

Every page we serve includes:

  • Strict-Transport-Security (HSTS) so the browser forces HTTPS on every future request.
  • Content-Security-Policy (CSP) limiting which scripts and assets can load.
  • Cross-Origin-Opener-Policy (COOP) to isolate the browsing context from cross-origin windows, a prerequisite for mitigating Spectre-style side-channel attacks.
  • X-Frame-Options + X-Content-Type-Options to block clickjacking and MIME confusion.
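Reading the header list is one thing; checking that a deployment actually sends a strong version of each header is the review step that catches regressions. The following is an added example, not LeadsLockAI's code: a small audit function that takes a response's headers and returns finding codes for missing or weakened policies. The thresholds (a one-year HSTS max-age with includeSubDomains, COOP strictly same-origin, no 'unsafe-inline' or wildcard in the effective script source) are assumptions chosen for this illustration, and both header sets are constructed samples.

```javascript
// Added example (not LeadsLockAI's code): an audit of the response-header
// policy described above. Thresholds are assumptions for this illustration;
// STRONG_HEADERS and WEAK_HEADERS are constructed samples.
const ONE_YEAR_SECONDS = 31536000;

// Parse a Content-Security-Policy value into { directive: [sources...] }.
function parseCsp(csp) {
  const directives = Object.create(null);
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Returns a list of finding codes; an empty list means the policy passed.
function auditSecurityHeaders(headers) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = Object.create(null);
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];

  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("hsts-missing");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR_SECONDS) findings.push("hsts-short-max-age");
    if (!/includesubdomains/i.test(hsts)) findings.push("hsts-no-subdomains");
  }

  const csp = h["content-security-policy"];
  if (!csp) {
    findings.push("csp-missing");
  } else {
    const directives = parseCsp(csp);
    // script-src falls back to default-src when absent, as browsers do.
    const scriptSrc = directives["script-src"] || directives["default-src"];
    if (!scriptSrc) {
      findings.push("csp-no-script-src");
    } else {
      if (scriptSrc.includes("'unsafe-inline'")) findings.push("csp-unsafe-inline");
      if (scriptSrc.includes("*")) findings.push("csp-wildcard");
    }
  }

  // Strict assumption: only "same-origin" counts as isolating the opener.
  if ((h["cross-origin-opener-policy"] || "").trim().toLowerCase() !== "same-origin") findings.push("coop-weak");

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo !== "DENY" && xfo !== "SAMEORIGIN") findings.push("xfo-weak");

  if ((h["x-content-type-options"] || "").trim().toLowerCase() !== "nosniff") findings.push("xcto-missing");

  return findings;
}

// Constructed sample: a header set that satisfies every check.
const STRONG_HEADERS = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  "Cross-Origin-Opener-Policy": "same-origin",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
};

// Constructed sample: headers present but weakened, the kind of drift a
// framework upgrade or a copy-pasted config can introduce.
const WEAK_HEADERS = {
  "strict-transport-security": "max-age=300",
  "content-security-policy": "default-src *; script-src 'self' 'unsafe-inline'",
  "cross-origin-opener-policy": "unsafe-none",
  "x-content-type-options": "nosniff",
};

console.log(auditSecurityHeaders(STRONG_HEADERS)); // []
console.log(auditSecurityHeaders(WEAK_HEADERS));   // five finding codes
```

The function takes a plain headers object so it can be pointed at whatever a framework hands back (a `fetch` Response's headers spread into an object, or a captured HTTP exchange), which makes it easy to run as a post-deploy smoke test against a staging URL.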

Your data, your control

You own everything you put in. You can:

  • Export your business profile, leads, and conversation history at any time. Email support@leadslockai.com and we deliver a JSON or CSV bundle within 5 business days.
  • Delete your account. We retain backups for 90 days for disaster recovery, then everything is permanently deleted from active and backup storage.
  • Withdraw SMS consent at any moment. Customers texting STOP are opted out automatically and the next message is blocked.

These rights are written into law in Canada (PIPEDA) and we honor them regardless of where you are based.

What we DON'T do

  • We never sell your data. Not to advertisers, not to data brokers, not to anyone. There is no business model behind that.
  • We never share lead data with third parties beyond the infrastructure listed above (Supabase, Stripe, Twilio, Groq for inference, Vercel for hosting). Each of those is named and limited to a specific role.
  • We never use your lead conversations to train public AI models. Groq's API terms forbid retention for training, and we do not retain message history for our own model training either.
  • We never run ad-tracking pixels. No Meta Pixel, no Google Ads tag, no third-party analytics beyond aggregate Vercel pageviews.

Security FAQ

Is LeadsLockAI SOC 2 certified?

We are built on SOC 2 Type II certified infrastructure (Supabase, Vercel, Stripe, Twilio). We are not currently SOC 2 certified ourselves. That is the next compliance milestone on our roadmap. We will not claim a certification we do not hold. If a SOC 2 attestation is a hard requirement for your buyer, talk to us early so we can plan around it.

Are you HIPAA compliant?

No. LeadsLockAI is not built for protected health information (PHI). Do not enter PHI into the platform. If you are a healthcare practice and a customer might describe a medical condition in a chat, you are responsible for ensuring your use case complies with HIPAA. We will sign a Business Associate Agreement (BAA) once we have completed the engineering work to make the platform HIPAA-ready, on the same timeline as SOC 2.

Are you GDPR compliant?

Our primary market is Canada (PIPEDA + CASL), and we align with GDPR principles for users in the EU and UK. Specifically: you have the right to access, correct, export, and delete your data; we do not use legitimate-interest tracking; we honor opt-out signals; and we will sign a Data Processing Addendum (DPA) on request. EU users should email support@leadslockai.com for the DPA template.

What happens if there is a security breach?

We notify affected customers within 72 hours of confirming a breach, in line with PIPEDA breach-notification requirements and GDPR best practice. The notification will describe what data was affected, what we have done, and what we recommend you do. We will publish a public post-mortem for any incident that affects customer data, even if no individual records were exposed.

How do I report a vulnerability?

Email security@leadslockai.com. We respond within 24 hours and will work with you in good faith. We do not yet run a paid bug-bounty program but we publicly credit responsible disclosures on this page.

Audit history

Last audited: 2026-05-23. We run security reviews on a rolling basis and ship hardening updates as a normal part of the release cycle. See our public changelog for the most recent security-tagged entries.

Contact

Security questions: security@leadslockai.com. General privacy questions: support@leadslockai.com.