Our security architecture, compliance posture, data handling practices, and privacy commitments — transparently published in one place. No request required.
Our compliance posture covers Canadian and US privacy law, encryption standards, and data residency requirements applicable to every individual and business client we serve.
Personal Information Protection and Electronic Documents Act — the federal privacy law governing how private-sector organisations in Canada collect, use, and disclose personal information. All LeakTrace data processing is fully compliant.
California Consumer Privacy Act and California Privacy Rights Act compliance for all US-resident users. Includes full right-to-deletion, opt-out of data sale, and disclosure rights.
All data at rest is encrypted using AES-256. All data in transit is secured using TLS 1.3. Encryption keys are managed using industry-standard key management systems with no shared keys.
All data processing, storage, and compute occurs within Canada and the United States. No data is transferred to, processed in, or accessible from outside North America.
Personally identifiable information provided during a scan is not retained after report delivery. No user profiles. No persistent databases of scan subjects. We find your exposure — we do not become part of it.
SOC 2 Type II audit covering Security, Availability, and Confidentiality trust service criteria is currently in progress. Expected completion in Q3 2026. Documentation available to enterprise clients on request.
The technical and operational controls that govern how LeakTrace systems are built, operated, and monitored.
All internal system access requires multi-factor authentication. Role-based access controls restrict data access to the minimum required for each function. No standing administrative privileges — privileged access is just-in-time and fully logged.
Production infrastructure is isolated from development and staging environments. All configuration changes are code-reviewed and deployed through automated pipelines. Unauthorised changes to production are automatically detected and escalated.
AES-256 encryption at rest for all stored data. TLS 1.3 for all data in transit. Encryption keys are managed separately from encrypted data with automated rotation policies. No plaintext storage of sensitive identifiers.
All system activity is logged to a centralised security data lake. Automated detection pipelines identify anomalous access patterns and potential security events. Alerts are routed to on-call engineers with defined response SLAs.
All code changes undergo peer review before deployment. Automated secret scanning, dependency vulnerability scanning, and static analysis run on every commit. Security reviews are required for all feature changes that touch data handling.
External penetration testing is conducted annually by independent third-party security firms. Findings are remediated on a defined timeline based on severity. Audit reports are available to enterprise clients under NDA.
A precise statement of what data is collected, how long it is retained, and what happens to it after your scan or assessment is complete.
Email addresses and domain inputs used to run a scan are not retained after report generation. We process them to query breach databases — we do not store them permanently.
Delivered reports are accessible via the dashboard for the duration of an active subscription. On cancellation, report data is deleted within 30 days. You may request immediate deletion at any time.
Name, email, and payment information required to operate your account. Payment data is processed by Stripe and never stored on LeakTrace systems. Account data is deleted on cancellation within 30 days.
Anonymised usage data is collected to improve the platform. No user-identifiable information is included in analytics. Data is never sold or shared with third parties for advertising purposes.
How to report a vulnerability, request compliance documentation, or exercise your privacy rights.
If you have identified a potential security vulnerability in any LeakTrace system, please contact our security team directly. We commit to acknowledging your report within 24 hours and providing a remediation timeline within 5 business days. We do not pursue legal action against good-faith researchers.
Enterprise clients may request copies of our security documentation including penetration test summaries, compliance attestations, and data processing agreements. Documentation is shared under NDA. Contact us to initiate a request.
You may request access to, correction of, or deletion of any personal information LeakTrace holds about you. Requests are processed within 30 days. To opt out of communications, email us or reply STOP to any SMS.
Our public Security Standards page documents the full set of controls, policies, and procedures that govern the LeakTrace platform — written for technical and compliance audiences.
Material changes to our security posture, compliance status, or privacy practices — documented as they occur.
Engaged an independent third-party auditor to begin SOC 2 Type II assessment covering Security, Availability, and Confidentiality trust service criteria. Expected completion Q3 2026. Status: In Progress
Upgraded all production endpoints to enforce TLS 1.3. TLS 1.0 and 1.1 deprecated and blocked. All traffic now uses HSTS with a 1-year max-age. Status: Completed
Scan subject data (email addresses and domain inputs) is now automatically purged from all systems within 24 hours of report delivery. Retention policy documented and auditable. Status: Completed
Full legal review of data processing practices against CCPA and CPRA requirements completed. Privacy policy updated to reflect new consumer rights disclosures. Data deletion workflow implemented. Status: Completed
Annual external penetration test completed by independent third-party firm. All critical and high findings remediated within 30 days. Report available to enterprise clients under NDA. Status: Completed
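The TLS 1.3 and HSTS changelog entry above states a transport policy that a client can verify for itself. The following is an added example, not LeakTrace's own code: it builds a client context that refuses anything below TLS 1.3 and validates Strict-Transport-Security header values against the stated 1-year max-age. The sample headers are constructed, and ONE_YEAR, parse_hsts and hsts_is_acceptable are names chosen here.

```python
"""Added example (not from the LeakTrace page): offline checks matching the
changelog's TLS 1.3-only / HSTS 1-year posture. Sample headers are constructed."""
import ssl

ONE_YEAR = 31536000  # seconds; the 1-year max-age the changelog entry states

def tls13_only_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.3 (mirrors the
    'TLS 1.0 and 1.1 deprecated and blocked' server posture)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx

def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:  # RFC 6797: each directive may appear only once
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"')
    return directives

def hsts_is_acceptable(header: str, min_age: int = ONE_YEAR) -> bool:
    """True when max-age is present, numeric, and at least min_age seconds."""
    try:
        return int(parse_hsts(header)["max-age"]) >= min_age
    except (KeyError, ValueError):
        return False

# Constructed sample headers: matches policy / too short / malformed.
SAMPLE_HEADERS = {
    "policy": "max-age=31536000; includeSubDomains; preload",
    "too_short": "max-age=300",
    "malformed": "max-age=forever",
}

if __name__ == "__main__":
    print("minimum TLS:", tls13_only_context().minimum_version.name)
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label}: {hsts_is_acceptable(value)}")
```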