Security overview
How customer data is protected across the platform.
Tenant isolation
Every tenant-owned record carries a workspace identifier and is only reachable through a guarded data layer that resolves the workspace from a server-verified membership — never from client input. Automated cross-tenant access tests run in continuous integration and block release on failure.
Authentication & sessions
- Passwords hashed with bcrypt; no plaintext storage anywhere, including logs.
- Sessions are random 256-bit tokens stored hashed, delivered in HttpOnly, SameSite cookies.
- Email verification and token-based password reset with 24-hour expiry and single use.
- Rate limiting on authentication and messaging endpoints.
Application security
- All input validated on the server with schema validation (zod), independent of client checks.
- Server-side authorisation on every protected action; hidden UI is never a security boundary.
- Uploads are size- and type-checked and stored outside the web root.
- Webhooks (e.g. Stripe) are signature-verified with replay protection and idempotent processing.
- Security headers: X-Frame-Options DENY, nosniff, strict referrer policy.
Data handling
- Workspace data export and full deletion are available to owners in settings.
- Sensitive actions are audit-logged (imports, sends, deletions, billing and role changes).
- Backups are operator-configurable; restoration is documented and rehearsed (see operations docs).
Responsible disclosure
Suspected vulnerabilities can be reported to support@leadmender.app. Please include reproduction steps; we commit to acknowledging reports promptly. See SECURITY.md in the source distribution for scope.