Security Overview
Last updated: May 20, 2026
Badges: GLBA Compliant; SOC 2 Readiness 2026
1. Data Storage
Your data is stored in managed PostgreSQL hosted by Render (US-based infrastructure) with encryption at rest enabled at the storage layer. All organizations share a single logical database with row-level security (RLS) enforcing strict tenant isolation — your data is never mixed with other customers.
2. Encryption
- All data in transit encrypted via TLS 1.2+ (Cloudflare edge proxy enforces HTTPS)
- Identity, password storage, and session management are provided by WorkOS, a SOC 2 Type II certified identity platform. Passwords are hashed by WorkOS using industry-standard algorithms (bcrypt) and are never stored in our systems
- Sessions use sealed JWE cookies (encrypted-and-signed) with rotation per WorkOS recommendations; cookies are httpOnly, Secure, and SameSite-restricted
3. Access Control
- Role-based access control (5 roles: Viewer, Analyst, Producer, Admin, Super Admin) with principle of least privilege
- Multi-factor authentication via WorkOS-managed TOTP (RFC 6238) is supported and can be required for privileged roles
- Account lockout and brute-force protection are managed by WorkOS based on geolocation, device, and risk signals
- Session revocation on password change and on administrative action
4. Backups
- Daily encrypted backups managed by Render
- Point-in-time recovery (PITR) over a 7-day window
5. Tenant Isolation
- PostgreSQL row-level security (RLS) enforces per-tenant org_id isolation on every query
- Tenant context is set on each transaction; cross-tenant reads or writes are prevented at the database layer
- API requests are scoped to the authenticated user's organization, with permissions verified server-side
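The isolation model above (RLS keyed on org_id, with the tenant context set per transaction) in working PostgreSQL DDL, as an added example rather than Lead Validator Pro's own schema: the table, role, setting name `app.org_id`, and UUID values are all constructed for illustration. It also shows two caveats a reviewer would check for: the application role must not own the table or hold BYPASSRLS, and a request that forgets to set its tenant context should see no rows rather than all rows.

```sql
-- Added example (not the product's own schema); table, role and setting
-- names are assumptions. Tested against PostgreSQL 13+ syntax.

-- 1. Application role: must not own the table and must not hold BYPASSRLS,
--    otherwise policies are silently skipped. (Superusers always bypass RLS.)
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;

CREATE TABLE leads (
    id     bigserial PRIMARY KEY,
    org_id uuid NOT NULL,
    email  text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON leads TO app_user;
GRANT USAGE ON SEQUENCE leads_id_seq TO app_user;

-- 2. Enable RLS. FORCE applies the policies to the table owner as well,
--    so an admin connection running as the owner is still constrained.
ALTER TABLE leads ENABLE ROW LEVEL SECURITY;
ALTER TABLE leads FORCE ROW LEVEL SECURITY;

-- 3. Tenant context comes from a transaction-scoped setting.
--    current_setting(..., true) returns NULL (or '') when nothing was set;
--    NULL never compares equal to org_id, so a request that skipped the
--    SET LOCAL step sees zero rows instead of every tenant's rows.
CREATE FUNCTION current_org_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.org_id', true), '')::uuid
$$;

-- 4. One policy for reads (USING) and writes (WITH CHECK): rows of other
--    tenants are invisible, and an INSERT/UPDATE cannot produce a row that
--    belongs to another tenant.
CREATE POLICY tenant_isolation ON leads
    FOR ALL TO app_user
    USING (org_id = current_org_id())
    WITH CHECK (org_id = current_org_id());

-- 5. Per-request pattern. SET LOCAL lives only for this transaction, so a
--    pooled connection cannot carry one tenant's context into the next request.
BEGIN;
SET ROLE app_user;
SET LOCAL app.org_id = '0b9c5b3e-1234-4f0a-9c1d-000000000001';  -- constructed tenant id
INSERT INTO leads (org_id, email)
VALUES ('0b9c5b3e-1234-4f0a-9c1d-000000000001', 'lead@example.com');  -- allowed: same org
SELECT id, email FROM leads;  -- returns only this org's rows
COMMIT;

-- 6. Negative case, in its own transaction because the failure aborts it:
--    writing a row for a different org_id is rejected by WITH CHECK with
--    "new row violates row-level security policy".
BEGIN;
SET ROLE app_user;
SET LOCAL app.org_id = '0b9c5b3e-1234-4f0a-9c1d-000000000001';
INSERT INTO leads (org_id, email)
VALUES ('ffffffff-ffff-4fff-8fff-ffffffffffff', 'other@example.com');  -- ERROR
ROLLBACK;

-- 7. Missing-context case: no SET LOCAL in this transaction, so
--    current_org_id() is NULL and the SELECT returns no rows (fail closed).
BEGIN;
SET ROLE app_user;
SELECT count(*) FROM leads;  -- 0
ROLLBACK;
```

A quick check worth running in any RLS-based multi-tenant setup is `SELECT rolname FROM pg_roles WHERE rolbypassrls OR rolsuper;` to confirm the application's database role is not in that list, and `SELECT relname, relrowsecurity, relforcerowsecurity FROM pg_class WHERE relname = 'leads';` to confirm both flags are true; a policy that exists but does not apply to the connecting role provides no isolation at all.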
6. Network Security
- Cloudflare DNS + SSL + WAF in front of application
- Strict Content Security Policy, HSTS, X-Frame-Options: DENY
- CORS restricted to production domains only
7. Compliance Status
| Standard | Status | Details |
| --- | --- | --- |
| GLBA Safeguards Rule | Implemented | MFA enforced, access controls implemented, WISP maintained internally |
| CCPA / CPRA | Implemented | Self-serve erasure and portability endpoints + GPC honored; DNS opt-out per Privacy § 7.1 |
| TDPSA (Texas) | Implemented | Right to access, correct, delete, port, opt-out per Privacy § 8 |
| GDPR / UK GDPR | Available for enterprise | SCC Module 2 + UK IDTA incorporated in DPA § 12 |
| SOC 2 Type II | Readiness in progress (target 2026) | Internal readiness pack maintained; SIG-Lite / CAIQ-Lite responses available on request to security@leadvalidatorpro.com |
| WISP | Maintained internally | Written Information Security Program reviewed annually |
| TCPA Allocation | Documented | Customer/Processor allocation per Terms § 5 |
Infrastructure sub-processors (Render, Cloudflare, WorkOS, Stripe, Resend, Sentry, Anthropic, Google) hold current SOC 2 Type II or equivalent (ISO 27001, FedRAMP, PCI DSS) attestations. Certification status per sub-processor is disclosed at /subprocessors.
For security questions or to report a vulnerability: support@leadvalidatorpro.com