Protecting your data
As a cloud service, the security of your data is our top priority. Below we outline the most important measures we take to keep your data private. We also employ a range of additional safeguards that would be either (i) too involved to explain here or (ii) unwise to share publicly. Please do get in touch if you have any questions.
Our application is hosted on servers provided by Amazon Web Services (AWS) in its European data centers. AWS is a leading cloud infrastructure provider that allows customers (including Siemens, Novartis, Nasdaq, Vodafone and others) to develop, run and manage applications without building and maintaining the underlying infrastructure themselves. It provides best-in-class physical and network security, as well as the services we rely on for backups, logging, auditing and other infrastructure-level tasks.
Amazon Web Services has its services audited continuously and holds certifications or audit reports for the following standards, among others:
- ISO 27001
- ISO 27017
- ISO 27018
- SOC 2
- SOC 3
Other subcontractors used by Leapsome to provision its service may include similarly renowned and certified companies such as
- Google, Inc.
- ObjectLabs, Inc.
- MongoDB, Inc.
- Zendesk, Inc.
- SendGrid, Inc.
- NewRelic, Inc.
- Rocket Science Group, LLC (Mailchimp)
- Stripe, Inc.
Any transfer of data to a state which is not a member state of either the European Union or the European Economic Area will only occur in compliance with the GDPR and if the specific requirements of Article 44 et seq. of the General Data Protection Regulation (GDPR) have been fulfilled. Specifically, a transfer requires a clear contractual agreement between Leapsome and any subcontractor that guarantees at least the same level of data protection, either under a valid Privacy Shield certification or under standard contractual clauses as stipulated by the European Commission.
Your passwords are never stored in plain text and are never encrypted in a recoverable form: each one is hashed with a unique, randomly generated salt. When a user logs in, the submitted password is hashed in the same way and the platform compares the two hashes. Because hashing is one-way, we cannot recover a password for you (we only hold the hash), so a lost password must be reset. For additional security, we enforce a minimum password length when a user signs up.
If your company uses G Suite, you can also Sign in with Google over a secure connection. In that case, no passwords are stored on our servers at all: your users are redirected to Google, where they authorise Leapsome as a trusted application, and Google issues a token that we use to identify your users. You can revoke that token at any time via your Google account settings.
Cookies and Tokens
All communication between your users and our servers is encrypted in transit with TLS (Transport Layer Security, the successor to SSL), the standard technology for establishing an encrypted link between a web server and a browser. This link ensures that data passed between the web server and the browser stays confidential and cannot be altered undetected. TLS is an industry standard used by millions of websites to protect their customers' online transactions.
Additionally, we employ encryption at rest: all data in our database is encrypted on disk with the industry-standard AES-256 algorithm. Data is decrypted only when the application reads it, so it never lies on the storage medium in plain text. Encryption at rest protects against stolen disks and backup media; the access controls described below are what protect data from being read through the application itself.
In addition to a secure hosting environment, we build on established software libraries to help ensure that your data is secure and your users are not exposed to common vulnerabilities.
Our frontend framework Angular (maintained mainly by Google) escapes values rendered into pages by default and, combined with per-user tokens, protects your users against common threats such as cross-site scripting (XSS) and cross-site request forgery (CSRF / XSRF).
We use MongoDB as our data store, so our application is not exposed to SQL injection. Note that "no SQL" does not mean "no injection": MongoDB queries can be manipulated if untrusted input reaches a query as an object carrying query operators, which is why all input is validated and sanitised through an established middleware layer before it reaches the database.
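The following added example (not Leapsome's code) shows why a MongoDB-backed lookup is immune to SQL injection but not to query-operator injection, and the input check that closes the gap. The tiny in-memory matcher stands in for the database so the example runs offline; it implements only the $gt and $ne operators the demonstration needs. The field names and sample records are constructed.

```javascript
// Added example, not Leapsome's code: operator injection against a MongoDB-style
// filter, and the input validation that prevents it. The matcher below is a
// stand-in for the database; sample data and field names are constructed.

const USERS = [
  { email: 'alice@example.org', passwordResetToken: 'tok-alice' },
  { email: 'bob@example.org', passwordResetToken: null },
];

// Minimal stand-in for MongoDB's filter evaluation (equality, $gt, $ne only).
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === '$gt') return value > arg;
        if (op === '$ne') return value !== arg;
        throw new Error(`operator not implemented in this example: ${op}`);
      });
    }
    return value === cond;
  });
}

function findOne(filter) {
  return USERS.find((doc) => matches(doc, filter)) || null;
}

// Unsafe: the parsed JSON body goes straight into the filter. A body of
// {"token": {"$gt": ""}} turns the equality check into "any token greater than
// the empty string", which matches the first user who currently holds a token.
function unsafeTokenLookup(body) {
  return findOne({ passwordResetToken: body.token });
}

// The check: values compared for equality must be plain non-empty strings, and
// no object that reaches the query layer may carry operator ('$...') or
// path ('a.b') keys anywhere in its structure.
function requireString(name, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  return value;
}

function rejectOperatorKeys(value, path = 'body') {
  if (value === null || typeof value !== 'object') return value;
  for (const [key, child] of Object.entries(value)) {
    if (key.startsWith('$') || key.includes('.')) {
      throw new TypeError(`forbidden key "${key}" at ${path}`);
    }
    rejectOperatorKeys(child, `${path}.${key}`);
  }
  return value;
}

function safeTokenLookup(body) {
  rejectOperatorKeys(body);
  return findOne({ passwordResetToken: requireString('token', body.token) });
}
```

The same rule applies to documents written to the database (profile updates and the like): reject or strip keys beginning with `$` or containing `.` before the object is handed to the driver, rather than trusting the client's JSON shape.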
Our application runs on Microsoft Azure servers. Microsoft keeps the server software up to date at all times and patches newly discovered security vulnerabilities promptly.
Preventing access from within
Even an authenticated (logged-in) user may try to exploit vulnerabilities: someone could, for example, register for a demo account and try to access other clients' information.
While the software frameworks listed above already protect the system against that threat, the application code additionally checks each request and verifies that the company ID of the requested database object matches the company ID of the requesting user. Every database object is tagged with a company ID, and any attempt to cross that boundary triggers an immediate notification to our administrators.
We also apply a strict role-based model to all requests and views of the platform. This prevents employees from accessing functionality (such as modifying user data or editing billing information) that is reserved for administrators.
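The two per-request checks described in the last two paragraphs, tenant isolation by company ID and role-based access, as one added example (not Leapsome's code). The route table, role names, in-memory store and alert sink are this example's assumptions; only the mechanism follows the text.

```javascript
// Added example, not Leapsome's code: per-request tenant isolation and
// role-based access enforced in one dispatcher. Routes, roles, the in-memory
// store and the alert sink are assumptions for the sake of a runnable example.

// Constructed sample data: every stored object carries its owner's companyId.
const REVIEWS = [
  { _id: 'rev-1', companyId: 'acme', text: 'Great quarter.' },
  { _id: 'rev-2', companyId: 'globex', text: 'Needs follow-up.' },
];
const BILLING = { acme: { plan: 'team' }, globex: { plan: 'enterprise' } };

// Stand-in for notifications to administrators; collected here for inspection.
const ALERTS = [];

class AccessDenied extends Error {}

// Rank roles so a check can ask for "at least admin".
const ROLE_RANK = { employee: 1, admin: 2 };

function requireRole(user, minimum) {
  if ((ROLE_RANK[user.role] || 0) < ROLE_RANK[minimum]) {
    throw new AccessDenied(`role ${minimum} required`);
  }
}

// Tenant check, done two ways at once: the lookup itself is scoped to the
// caller's company, so a bug elsewhere cannot hand back a foreign row, and a
// second existence check on the raw id distinguishes "does not exist" from
// "belongs to someone else" so the probe is reported rather than silently 404'd.
function loadOwned(collection, user, id) {
  const owned = collection.find((d) => d._id === id && d.companyId === user.companyId);
  if (owned) return owned;
  const elsewhere = collection.find((d) => d._id === id);
  if (elsewhere) {
    ALERTS.push({ kind: 'cross-tenant-access', userId: user.id, objectId: id, owner: elsewhere.companyId });
    throw new AccessDenied('object belongs to another company');
  }
  return null;
}

// Route table: the minimum role each action needs. Handlers reach data only
// through loadOwned or through the caller's own companyId, never a client value.
const ROUTES = {
  'GET /reviews/:id': { role: 'employee', handle: (u, p) => loadOwned(REVIEWS, u, p.id) },
  'PUT /billing':     { role: 'admin',    handle: (u, p) => Object.assign(BILLING[u.companyId], p.changes) },
};

function dispatch(user, route, params) {
  const entry = ROUTES[route];
  if (!entry) return null;
  requireRole(user, entry.role);   // role check first, before any data is touched
  return entry.handle(user, params);
}
```

Scoping every query by the caller's company ID is the primary control; the explicit comparison and alert on top of it is what turns a blocked probe into a signal the team can investigate.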
Access restrictions to code and database
Our application and database are hosted in a securely guarded data center where professional staff take care of the physical security of the servers.
Remote access is strictly limited, too. Within our team, each deployment of new code has to be approved by one of the two people who have deployment access. The same restriction applies to our databases and internal administration area. Access to the databases, our central code repository and our hosting environment is additionally protected by two-factor authentication. We rotate passwords and security tokens regularly.
In our internal administration area we only display aggregated statistics and company-level data (such as invoicing information), not the content of actual feedback, reviews, etc. We do not look into raw customer data unless we have been granted permission to do so in order to fix a bug. That said, most bugs can be fixed by analysing server logs and reproducing the problem with dummy data.
Data processing agreement (DPA)
Once you start using Leapsome, you will sign a data processing agreement with us. It lays out how we may handle your data, explains the security measures deployed, states your rights and is required for full GDPR compliance.
Internal security policies
Our team is highly security-aware. To avoid falling prey to phishing and other social engineering, we regularly hold internal security briefings, deploy only up-to-date, modern browsers, use password managers with a different password for every site, rotate passwords regularly and encrypt the hard drives of our devices.
Availability and disaster recovery
Our application and databases are distributed and replicated across several servers. If one of those servers goes down, another instance takes over serving the application, usually without end users noticing.
Databases are backed up hourly and can be restored should the software or a server ever fail in a significant way. Backups are stored in different European data centers for additional resilience. Please note that we cannot restore individual customer accounts from these backups: if you delete something within your account, it is actually deleted.
We closely monitor the performance of our application and databases via Microsoft Azure's built-in monitoring tools and New Relic. Internal errors and failures of our various integrations are logged and trigger notifications to our development team, usually allowing us to identify the problem within a few minutes and remedy it swiftly.
User requests and bug reports
That said, sometimes it is users who notice a glitch or stumble across a bug in the software. We encourage you to get in touch via our support form (accessible via the button in the bottom-right corner of the screen) or by email at firstname.lastname@example.org; we greatly appreciate any hints or feedback. If you can, please include a screenshot and an exact description of the situation you encountered. Critical issues receive immediate attention and are usually fixed within 2 hours; we strive to deal with non-critical requests within 24 hours.
Found a security threat?
If you think you have found a security vulnerability in our system, please contact us immediately at email@example.com or on +49 160 9798 2209. Your report will be treated confidentially and handled immediately.
Full disclosure policy
If anything serious ever happens and your data is affected, we will provide full disclosure so that you can take precautions and minimise the damage. Our previous experience at companies such as Funding Circle has taught us that transparency is paramount to earning and keeping your trust should security ever be compromised.