GDPR Compliance
Trust Leads processes personal data (business email addresses, names, phone numbers, and job titles) solely for B2B lead validation and enrichment purposes. We act as a data processor on behalf of our customers, who remain the data controllers for the contact data they upload.
We comply with GDPR Articles 28, 32, and 33: we maintain a Data Processing Agreement (DPA) available on request, implement appropriate technical and organisational security measures, and will notify affected customers within 72 hours of identifying a personal data breach.
Data subjects may exercise their rights (access, rectification, erasure, portability, restriction) by contacting us at privacy@trustleads.ai. Requests are fulfilled within 30 days.
We do not sell personal data to third parties. Enrichment data is used exclusively to fulfil your enrichment requests and is not used for any other commercial purpose.
ISO 27001 Readiness
Trust Leads is building towards ISO 27001 certification. Our information security management system (ISMS) covers the full lifecycle of customer data: ingestion, processing, storage, and deletion.
We have implemented controls aligned with ISO 27001 Annex A, including: access control (A.9), cryptography (A.10), physical and environmental security (A.11), operations security (A.12), communications security (A.13), supplier relationships (A.15), and incident management (A.16).
Internal security audits are conducted quarterly. Findings are tracked in our risk register and remediated according to priority. External penetration testing is performed annually.
SOC 2-Style Controls
Our security posture is aligned with the SOC 2 Trust Services Criteria (TSC), covering Security (CC6–CC9), Availability (A1), and Confidentiality (C1). We are working toward a formal SOC 2 Type II report.
Logical access is granted on a least-privilege basis. All production access requires multi-factor authentication. Employee access is reviewed quarterly and revoked within 24 hours of offboarding.
Change management follows a documented SDLC with code review requirements, automated test suites, and staged deployments. No direct production changes are permitted outside of the change management process.
System availability is monitored 24/7. Incident response procedures are documented and tested semi-annually via tabletop exercises.
Audit Logging
All security-relevant events are captured in immutable audit logs: user sign-in and sign-out, API key creation and revocation, enrichment job submission and completion, billing events, org membership changes, and administrative actions.
Billing events are stored in an append-only JSONL audit log with full event metadata (actor, timestamp, previous and new values). These records cannot be modified or deleted by application code.
Audit logs are retained for a minimum of 12 months and are available to Enterprise plan customers on request. Automated alerting triggers on anomalous patterns (e.g. high-volume API calls from a new IP, repeated authentication failures).
Secure Authentication
Authentication is handled by Supabase Auth, a battle-tested open-source auth platform built on PostgreSQL Row Level Security. Passwords are hashed using bcrypt with a work factor of 10. We never store plaintext passwords.
Sessions are managed via short-lived JWTs (1 hour expiry) with secure, HttpOnly, SameSite=Lax cookies. Refresh tokens are rotated on every use. Compromised refresh tokens are automatically detected and sessions invalidated.
Email confirmation is required for new accounts. All confirmation and password-reset links are single-use, time-limited (24 hours), and delivered over TLS. Magic-link tokens are exchanged server-side via a dedicated /auth/callback route and never exposed client-side.
We support SSO via SAML 2.0 and OAuth 2.0 (Google Workspace) on Enterprise plans.
Org-Level Access Control
Trust Leads uses a multi-tenant architecture where all customer data is scoped to an organisation. Users can belong to multiple organisations with independent role assignments.
Roles: Owner (full control including billing and org deletion), Admin (member management: inviting and removing members), Member (enrichment and history access only). Role assignments are enforced server-side on every API request — client-side role checks are supplementary display logic only.
Team invitations are scoped to a specific organisation and expire after 7 days. Invites are single-use; accepting an invite with an existing account does not bypass authentication.
Seat limits are enforced at the organisation level. Exceeding the seat limit blocks new member activation until the plan is upgraded, ensuring billing and access remain in sync.
Data Retention & Deletion
Uploaded CSV files (inputs) and enriched output files are retained for 30 days after job completion, after which they are automatically deleted from our storage layer. Customers may download their outputs at any time within this window.
On account or organisation deletion, all associated data — uploaded files, job records, enriched outputs, usage records, and billing metadata — is permanently deleted within 30 days. A deletion receipt is available on request.
We do not retain backups of deleted customer data beyond 30 days. Backup media is encrypted with AES-256 and physically destroyed at end of life.
Customers on Enterprise plans may request custom data retention periods (shorter or longer) as part of a negotiated DPA.
Secure File Handling
Uploaded files are validated for type, size, and structure before processing. Files exceeding the plan limit are rejected before any data is read. Only CSV files are accepted; other MIME types are blocked at the API layer.
File storage paths are randomised UUIDs — not sequential IDs or user-guessable strings. Files are not publicly accessible; all downloads require a valid authenticated session with appropriate organisation membership.
File processing occurs in isolated worker processes with no network access. Enrichment workers read input files, call external APIs over TLS, and write to output files; they cannot access other organisations' data.
All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256. Encryption keys are managed by the cloud provider's Key Management Service (KMS) with automatic annual rotation.
Stripe Billing & PCI Compliance
All payment processing is handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor. Trust Leads never receives, transmits, or stores raw card numbers, CVVs, or other sensitive cardholder data.
Stripe webhooks are verified using HMAC-SHA256 signatures with a dedicated webhook signing secret. Replayed or tampered webhook events are rejected before any state changes occur.
Subscription state changes (upgrades, downgrades, cancellations, payment failures) are processed idempotently. All billing events are appended to the billing audit log with full event metadata for reconciliation.
Customers receive Stripe-hosted, tax-compliant invoices for all charges. VAT/GST handling follows Stripe Tax rules based on billing address. Invoice history is accessible at any time via the Billing dashboard.
Disclaimer
The information on this page describes our current security posture and practices. It is provided for informational purposes only and does not constitute a legal guarantee, warranty, or contractual obligation. Formal certifications (ISO 27001, SOC 2 Type II) are in progress. Enterprise customers requiring formal attestations, DPAs, or custom security review should contact security@trustleads.ai.