Security at LeadTale

Built on practices your security team will recognize.

LeadTale is built for businesses that move fast but can’t compromise on how customer and prospect data is handled. Here’s how we protect it — end to end.

Encryption: TLS 1.2+ / AES-256, in transit and at rest
MFA: 100%, on all production access
Incident response: 24/7, monitoring + on-call
Third-party data: Never sold, tenant-isolated by design

Security program

Nine areas. One connected program.

Security isn’t a feature — it’s a practice we build around every layer of the platform. These are the controls that protect your data today.

Infrastructure

The LeadTale platform runs on Google Cloud Platform in hardened, multi-zone regions. Our marketing site runs on Vercel. Databases are hosted on MongoDB Atlas with network isolation and at-rest encryption. We rely on providers with SOC 2 Type II and ISO 27001 attestations.

Encryption

All data is encrypted in transit over TLS 1.2+ and at rest using AES-256. Secrets are stored in a centralized secret manager, never in source control, and rotated on a regular schedule.

Access controls

Access to production systems follows least-privilege principles, is restricted to a small on-call group, and requires single sign-on with mandatory multi-factor authentication. All production actions are audit-logged.

Application security

Every change is reviewed, tested, and run through automated checks — lint, type-check, unit and integration tests, dependency scanning, and secret scanning — before it reaches production. High-risk surfaces (auth, billing, data access) receive additional adversarial review.

Operational security

Automated backups, infrastructure-as-code deployments, health monitoring, error tracking, and alerting keep the platform observable. Incident response runbooks cover detection, triage, communication, and remediation — with post-incident reviews for every significant event.

People and access

Team members sign confidentiality agreements and receive security training. Production data access is granted on a need-to-know basis and revoked promptly when roles change. Workstations require disk encryption, screen lock, and managed endpoint protection.

Monitoring and logging

Structured audit logs, uptime monitoring, and anomaly detection run continuously. Unusual authentication, export, or data-access patterns trigger alerts to the on-call team.

Data handling

Customer data is isolated per tenant and never used for cross-customer purposes. We do not sell personal information. On termination, customer data is returned or deleted in accordance with our Terms of Service and Data Processing Addendum.

Compliance and privacy

LeadTale supports obligations under GDPR, UK GDPR, CCPA/CPRA, and other US state privacy laws. Our Data Processing Addendum is available on request and we sign it for enterprise customers who require one.

Compliance

We meet you where your legal team is.

LeadTale is designed to support your obligations under major privacy regimes — from EU and UK GDPR to the California Privacy Rights Act and other US state laws. Our Data Processing Addendum is pre-signed and incorporated by reference into our Terms.

GDPR, UK GDPR, CCPA / CPRA, DPA available on request

Responsible disclosure

Found a vulnerability? Tell us.

We appreciate security researchers who report responsibly. Email us and we’ll acknowledge within two business days, triage, and keep you updated through remediation.

security@leadtale.com

FAQ

Frequently asked.

Where is my data hosted?

Production workloads run primarily in Google Cloud Platform regions in the United States, with MongoDB Atlas as our primary datastore. Our marketing site is hosted on Vercel. We use providers with SOC 2 Type II and ISO 27001 attestations and can provide a current subprocessor list on request.

Do you support SSO?

Single sign-on is on our roadmap for team and enterprise plans. If SSO is a requirement for your procurement process, email security@leadtale.com and we'll share current timing.

Can I sign a DPA with LeadTale?

Yes. See our Data Processing Addendum — it's pre-signed on our side and incorporated by reference into our Terms of Service. For enterprise customers who require a counter-signed copy, contact privacy@leadtale.com.

What happens to my data if I cancel?

You can export your data at any time. On cancellation, we return or delete customer personal data on request, subject to limited retention required by law. Backups expire on our standard backup retention schedule.

Do you offer a security questionnaire or documentation package?

Yes — email security@leadtale.com with your procurement or vendor-review questionnaire and we'll turn it around within a few business days.

How do I report a vulnerability?

Email security@leadtale.com with as much detail as you can share. We appreciate responsible disclosure and will acknowledge receipt within two business days.