LeadGen

Security

Last updated: March 2026

Security is a core part of how LeadGen is built and operated. This page describes the technical and organizational measures we take to protect your data and keep the platform secure.

🔐 Authentication & Access Control

  • User authentication is powered by Supabase Auth, using industry-standard JSON Web Tokens (JWTs) with secure expiry.
  • Passwords are never stored in plaintext — they are hashed using bcrypt via Supabase's auth system.
  • All authenticated sessions use short-lived access tokens with automatic refresh.
  • Row-Level Security (RLS) is enforced at the database level — users can only query and modify their own data, even if they bypass the application layer.

🔒 Data Encryption

  • All data in transit is encrypted using TLS 1.2+ (HTTPS). Plain HTTP connections are automatically redirected.
  • Data at rest is encrypted using AES-256 via Supabase's managed PostgreSQL infrastructure.
  • Stripe handles all payment data. Card numbers and sensitive payment details never touch our servers — they go directly to Stripe's PCI-DSS Level 1 certified environment.

🏗️ Infrastructure

  • The application is hosted on Vercel's edge network with automatic DDoS mitigation.
  • Our database is hosted by Supabase on AWS infrastructure in a managed, SOC 2 Type II compliant environment.
  • Environment variables and secrets are stored in Vercel's encrypted secrets store and never committed to source code.
  • API routes that perform sensitive operations (billing, cancellation) require a verified Supabase JWT — unauthenticated requests are rejected with a 401.

🛡️ Application Security

  • All user inputs are validated on the server side before being processed or stored.
  • Our early access email form includes honeypot bot detection and IP-based rate limiting (3 submissions per hour per IP).
  • Admin functionality is protected by a strong server-side password check — the password is never exposed in client-side code.
  • We do not use third-party advertising or tracking scripts that could introduce supply-chain risks.

📋 Data Practices

  • We do not sell, rent, or share your personal data with third parties for marketing purposes.
  • Lead data you generate is associated with your account only and is not accessible to other users.
  • You can request deletion of your account and all associated data at any time.
  • Payment and billing data is managed exclusively by Stripe under their security and compliance framework.

🔄 Ongoing Security

  • We regularly review dependencies for known vulnerabilities and apply updates promptly.
  • Security issues in the codebase are prioritized and addressed before new feature development.
  • We follow the principle of least privilege — services and components only have access to what they strictly need.

For security concerns or to report a vulnerability, please contact us directly. You can also review our Privacy Policy and Terms of Service.