Trust & Security

Built to be trusted.

Leadflowly handles your leads' names, numbers and conversations. This page is the straight account of how that data is protected — what is in place today, and what is on the way.

Last updated 22 May 2026Live system status →
§ 01

Overview

Leadflowly is run by an independent developer, not a faceless vendor — so security is handled deliberately rather than left to a team that assumes someone else owns it. The controls below are real and in the codebase today. Where something is planned rather than done, this page says so.

Security questions, or a procurement review? Email security@leadflowly.in.

§ 02

Encryption

  • In transit. All traffic is served over HTTPS (TLS 1.2+). HTTP Strict Transport Security is enforced in production, and connections are upgraded to HTTPS automatically.
  • At rest. The database is encrypted at rest by our infrastructure provider. On top of that, the most sensitive columns — Instagram, Messenger and WhatsApp access tokens, and OAuth credentials — are additionally encrypted at the application layer with AES-256-GCM, so a raw database read alone never exposes them.
  • Passwords. Never stored in plain text — they are salted and hashed. One-time verification codes are hashed at rest too.
§ 03

Account security

  • Two-factor authentication. Time-based one-time-password (TOTP) 2FA is available on every account from Dashboard → Security, with single-use backup codes for recovery.
  • Breached-password blocking. Every new or changed password is checked against the Have I Been Pwned breach corpus (via k-anonymity — your password never leaves our server).
  • Verified email. Accounts must verify their email with a 6-digit code before first sign-in. Disposable email domains are rejected.
  • Strong passwords + session hygiene. A minimum 12-character policy, httpOnly + Secure + SameSite session cookies, and server-side sessions that expire.
  • Abuse protection. Authentication and other sensitive endpoints are rate-limited; signup is gated by reCAPTCHA.
§ 04

Access control

  • Role-based access. Workspaces have three roles — owner, admin and agent — and every capability is checked server-side from a single source of truth, so a permission can never drift between the UI and the API.
  • Tenant isolation.Every record is scoped to a workspace; one customer's data is never reachable from another's session.
  • Immutable audit log. Security-relevant actions — sign-ins, role changes, billing changes, exports and channel disconnections — are written to an append-only audit log that owners and admins can review from Dashboard → Security.
§ 05

Infrastructure

Leadflowly runs on managed, industry-standard infrastructure rather than self-hosted servers — patching, network security and physical security are handled by providers who specialise in it.

  • Application & API. Hosted on Vercel, a SOC 2-compliant platform, with automatic TLS.
  • Database. Managed PostgreSQL on Supabase (built on AWS), with encryption at rest and automated backups.
  • Secrets. API keys and credentials are held as environment secrets, never committed to source control.
§ 06

Data residency

Today, customer data is stored in a single managed PostgreSQL region (our primary region). Dedicated EU and Indiadata regions are on the roadmap for customers with residency requirements (GDPR, India's DPDP) — the application is already structured so that a workspace carries its own region.

If your organisation needs data pinned to a specific region before that ships, contact security@leadflowly.in — we will tell you honestly where things stand.

§ 07

Backups & availability

  • Backups. The database is backed up automatically by Supabase, enabling point-in-time recovery.
  • Status & uptime. Live component health and a 90-day uptime history are public at leadflowly.in/status, and a machine-readable feed is at /api/status.
§ 08

Your data & rights

You own the conversation flows you build and the leads you capture. We do not sell your data or use it to train AI models. The Privacy Policy is the full account of what we collect and why; account and lead deletion is covered on the Data Deletion page.

§ 09

Sub-processors

Leadflowly relies on a small set of vetted providers to deliver the service. Each processes only the data needed for its function:

  • Vercel— application & API hosting.
  • Supabase — managed PostgreSQL database.
  • Stripe — subscription billing (card data is handled entirely by Stripe; we never see it).
  • Resend — transactional email delivery.
  • Meta Platforms — the Instagram, Messenger and WhatsApp messaging APIs.
  • Google — OAuth and Google Sheets export, when you connect them.
  • Groq, Google Gemini & Anthropic — the AI providers behind reply suggestions and lead intelligence.
§ 10

Compliance posture

Leadflowly is built toward the SOC 2 control set — audit logging, access control, encryption and change management are all in place — but is not yet SOC 2 certified; a formal audit is planned as the company matures. We would rather state this plainly than imply a certification we do not hold.

Our data handling is aligned with the GDPR and India's DPDP Act. A Data Processing Agreement is available on request for customers who need one.

§ 11

Responsible disclosure

If you believe you have found a security vulnerability, please report it to security@leadflowly.in before disclosing it publicly. We will acknowledge your report, keep you updated, and will not pursue action against good-faith research that respects our users' privacy and avoids service disruption.

Machine-readable contact details are published at /.well-known/security.txt per RFC 9116.