Below are answers to the most often asked questions in regards to our security practices.
Customer data is only accessible by those who need to access it for their work, for example, Technical support.
Employee contractual confidentiality
All our staff contracts have clauses on confidentiality.
Access to customer data is logged
Access by our staff to any customer data is logged in detail.
Security & privacy policies
We have internal security and privacy policies in place to support our staff with dos and don’ts of handling customer data.
We enforce and implement the following practices on staff workstations and mobile devices
Mobile device remove wipe/management
Secure networks and firewalls
Security & privacy training
All our staff members receive security and privacy training at on-boarding and on an ongoing basis.
We do continuously pentesting.
Amazon Web Services
All our servers and data are hosted on Amazon Web Services, USA and Ireland.
You can read about Amazon’s security features and compliance from:
https://aws.amazon.com/security/ & https://aws.amazon.com/compliance/
Access to our websites, applications, and APIs is always secured with HTTPS.
Any data transferred to and from our integrations is encrypted.
Where applicable, intra application communication is also encrypted.
Our databases, logs, caches, and other storage where we keep customer data are encrypted at rest.
At rest, AES-256 encryption is used.
Transit in and out of Leadfeeder systems is always HTTPS encrypted (TLS 1.2 – 1.3. RSA with AES128 GCM SHA256)
Intra-application transit, inside our production network, is AES-256 encrypted.
We implement various mechanisms and are constantly improving the monitoring of our networks, servers, and applications. We monitor errors, availability, system behavior, load, and other resource usage.
We backup our customer data hourly, daily, and weekly. We routinely test our recovery mechanisms and monitor backup integrity and backup processes run as expected.
Our production infrastructure is built on fault-tolerant systems that ensure that customer data is stored redundantly across multiple data centers (AWS Availability Zones).
In addition, our production infrastructure provisioning is fully automated. In case of lost server instances due to hardware failures or others, we can start replacements quickly and safely with automated procedures.
Our technical staff is always on call and will be alerted in cases of failures or warnings in the system.
We implement various industry best practices on securing our production infrastructure.
2FA access enforced
Two-factor authentication is required for accessing production resources.
Databases, application instances, caches, and other servers have been firewalled to only allow minimal required access both in our internal network and from outside.
Network monitoring of suspicious activity
We implement automated monitoring and logging of suspicious network activity, such as brute force attacks or denial-of-service attempts.
Access, changes to, provision and decommission of any servers or resources are logged in detail.
With Leadfeeder’s privileges and access controls you can manage who can access and which data.
Users can be configured to have limited access or privileges to make changes to Leadfeeder settings.
Google and Microsoft login
We currently support Google (GSuite) and Microsoft Office 365 federated login methods.
When Microsoft Office 365 login is used, Leadfeeder requests only a couple of permissions:
openid, email, User.read.
CSA STAR level 1: