Security overview

How customer data is protected across the platform.

Tenant isolation

Every tenant-owned record carries a workspace identifier and is only reachable through a guarded data layer that resolves the workspace from a server-verified membership — never from client input. Automated cross-tenant access tests run in continuous integration and block release on failure.

Authentication & sessions

  • Passwords hashed with bcrypt; no plaintext storage anywhere, including logs.
  • Sessions are random 256-bit tokens stored hashed, delivered in HttpOnly, SameSite cookies.
  • Email verification and token-based password reset with 24-hour expiry and single use.
  • Rate limiting on authentication and messaging endpoints.

Application security

  • All input validated on the server with schema validation (zod), independent of client checks.
  • Server-side authorisation on every protected action; hidden UI is never a security boundary.
  • Uploads are size- and type-checked and stored outside the web root.
  • Webhooks (e.g. Stripe) are signature-verified with replay protection and idempotent processing.
  • Security headers: X-Frame-Options DENY, nosniff, strict referrer policy.

Data handling

  • Workspace data export and full deletion are available to owners in settings.
  • Sensitive actions are audit-logged (imports, sends, deletions, billing and role changes).
  • Backups are operator-configurable; restoration is documented and rehearsed (see operations docs).

Responsible disclosure

Suspected vulnerabilities can be reported to support@leadmender.app. Please include reproduction steps; we commit to acknowledging reports promptly. See SECURITY.md in the source distribution for scope.