Leakbase touches your most sensitive financial data — failed payments, customer billing, lifetime value. We treat that responsibility seriously. This page describes the controls we have in place today.
Infrastructure
- Hosted on enterprise-grade infrastructure (Supabase and Cloudflare), with primary regions in the United States and the European Union.
- All traffic served over TLS 1.2 or newer. HSTS enabled on production domains.
- Data at rest is encrypted with AES-256 on managed Postgres and object storage.
- Daily automated database backups with point-in-time recovery.
Application security
- Row-Level Security (RLS) is enforced on every database table containing customer data — users can only ever read or write their own rows.
- Roles are stored in a separate user_roles table behind a SECURITY DEFINER function, eliminating an entire class of privilege-escalation bugs.
- Authentication uses email/password with Argon2 hashing, backed by Supabase Auth.
- Edge functions verify caller identity before performing any privileged action.
- Webhook endpoints (Stripe, Connected Apps) verify HMAC signatures before processing events.
- Input is validated with Zod or equivalent on every server boundary.
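The webhook signature check described in the list above, written out as an added example (this is not Leakbase's code). It follows Stripe's documented Stripe-Signature header format (t=<unix timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<raw body>">), rejects stale or replayed events, and compares digests in constant time; the secret and event body used below are constructed test values.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Maximum age of a webhook event we are willing to accept (Stripe's default window).
const TOLERANCE_SECONDS = 300;

// Parse a Stripe-Signature header of the form "t=<unix-ts>,v1=<hex>,v1=<hex>".
// Several v1 entries can appear while a signing secret is being rotated, so keep them all.
function parseSignatureHeader(header: string): { t: number; v1: string[] } | null {
  let t: number | null = null;
  const v1: string[] = [];
  for (const part of header.split(",")) {
    const [key, value] = part.trim().split("=", 2);
    if (key === "t" && /^\d+$/.test(value)) t = Number(value);
    else if (key === "v1" && /^[0-9a-f]{64}$/.test(value)) v1.push(value);
  }
  return t === null || v1.length === 0 ? null : { t, v1 };
}

// HMAC-SHA256 over "<timestamp>.<raw body>", the string Stripe signs.
// Used here to build test fixtures; in production only Stripe holds the signing side.
function signPayload(rawBody: string, secret: string, timestamp: number): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

// Verify the header against the *raw* (unparsed) request body. Returns true only when
// the timestamp is inside the tolerance window and at least one v1 signature matches.
function verifyStripeSignature(
  rawBody: string,
  header: string,
  secret: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): boolean {
  const parsed = parseSignatureHeader(header);
  if (!parsed) return false;
  // Stale or future-dated events are rejected: this is the replay protection.
  if (Math.abs(nowSeconds - parsed.t) > TOLERANCE_SECONDS) return false;
  const expected = Buffer.from(signPayload(rawBody, secret, parsed.t), "hex");
  return parsed.v1.some((sig) => {
    const candidate = Buffer.from(sig, "hex");
    // timingSafeEqual throws on length mismatch, so check length first.
    return candidate.length === expected.length && timingSafeEqual(candidate, expected);
  });
}
```

Always verify against the exact bytes received; re-serialising a parsed JSON body changes whitespace or key order and makes a valid signature fail.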
Operational security
- Production access is limited to named individuals with multi-factor authentication.
- All admin actions are audit-logged.
- Secrets are stored in an encrypted secrets vault — never in source code.
- Dependencies are scanned regularly for known vulnerabilities.
Payments
Payments are processed by Stripe, which is PCI DSS Level 1 certified. We never see or store full card numbers. When you connect your own Stripe account via Stripe Connect, we receive a scoped OAuth token — not your secret key — and we can revoke it at any time.
Sub-processors
See our Data Processing Addendum for the current list of sub-processors and their roles.
Incident response
If we detect or are notified of a security incident affecting customer data, we will investigate immediately and notify affected customers within 72 hours of confirmation, in line with GDPR Article 33.
Reporting a vulnerability
We welcome reports from security researchers. Please email contact@leakbase.ai with:
- A clear description of the issue and steps to reproduce.
- The potential impact.
- Any proof-of-concept code or screenshots.
We commit to acknowledging your report within 3 business days and will not pursue legal action against researchers who act in good faith and follow responsible disclosure.
What's next
SOC 2 Type II certification is in progress and not yet issued. We do not currently hold ISO 27001 certification. Any references on our marketing pages reflect our roadmap, not a completed audit. Customers who require a completed report before purchase can email contact@leakbase.ai to discuss timing and current control documentation.