LeadStrive Security Controls — last updated May 2025
In order to protect the data that is entrusted to us, LeadStrive utilizes layers of administrative, technical, and physical security controls throughout our organization. This page describes those controls in plain language.
LeadStrive uses Google Cloud Platform Services and AWS for hosting. Google provides a monthly uptime percentage to customers of at least 99.5%, and AWS guarantees between 99.95% and 100% service reliability. All infrastructure resides in the United States.
Multiple filtering layers protect our web applications. Logical firewalls and security groups are implemented across the environment. By default, firewalls are configured to deny network connections that are not explicitly authorized, and firewall rulesets are reviewed on a recurring schedule.
Our infrastructure environment is automated. Server configurations are embedded in images and configuration files. In the event that a production server deviates or drifts from the baseline configuration, it will be overwritten with the baseline within 30 minutes.
Actions and events are comprehensively logged through a central cloud logging solution, with controlled write access to the storage service.
Automated monitoring and alerting detect anomalies in error rates, abuse, and application attacks. Automatic responses include traffic throttling and process termination.
We use firewall and application security protections aligned with OWASP Top 10 guidelines. DDoS attack protections are included.
We use a continuous delivery approach. Code reviews and testing run before any deployment. Static code analysis runs regularly against code repositories. Dynamic security vulnerability testing is performed periodically. Our QA environment is separate from production. Deployments are automated with a rollback capability, and SaaS updates roll out with no downtime.
A multi-layered vulnerability management program runs regular scans with adaptive tooling, plus annual penetration tests. Mitigation is prioritized by risk.
Per our Terms of Service, customers are responsible for appropriate data collection. The following types of data are prohibited on the platform:
LeadStrive is a multi-tenant SaaS with logical separation enforced by unique tenant identifiers. Authorization rules sit in the design architecture and are continuously validated. Authentication, availability, and user access are logged.
All data is encrypted in transit with TLS version 1.2 or 1.3 and 2,048-bit keys or better. Platform data is stored using AES-256 encryption. Passwords are hashed and encrypted following industry best practices.
TLS private keys are managed through our content delivery partner. Volume and field-level encryption keys live in a hardened KMS and are rotated based on data sensitivity. TLS certificates are renewed annually. Customer-supplied encryption keys are not currently supported.
Redundancy is built into all services. Server infrastructure is strategically distributed across multiple availability zones, with point-in-time recovery for web, application, and database components.
Regular backups are taken on a documented schedule. Seven days of backups are kept for any database, with daily backups to the local region. Backup execution and replication failures are monitored with alerting. Backup storage uses public cloud services rather than physical media. Access controls, Write Once Read Many (WORM) protections, and file system access control lists guard backup integrity.
LeadStrive manages disaster recovery operations. A recycle bin restores deleted records — contacts, opportunities, custom fields, tags, notes, and tasks — for up to 30 days. Version history is available for web pages, blog posts, and emails. Export tools and public APIs are available for ongoing data sync.
Customers create and manage their own users, assign privileges with granular authorization rules, and limit access at any time.
Native LeadStrive login is available with a uniform password policy that requires a minimum of 8 characters and a combination of upper and lower case letters, special characters, and numbers. Two-factor authentication is available, and portal administrators can require 2FA for all users.
LeadStrive does not store, process, or collect credit card information and is not PCI-DSS compliant. Card transactions are handled by PCI-compliant payment processors. Additional details on sensitive-data processing are in our Terms of Service and Privacy Policy.
We do not sell your personal data to third parties. Customer data is retained while your account is active. Written deletion requests are honored as required by privacy regulations. Logs and metadata may be retained for security, compliance, and statutory needs. Custom retention policies are not currently available.
LeadStrive will notify customers as required by law if we become aware of a data breach that impacts their personal data.
LeadStrive aims to provide features that enable our customers to easily achieve and maintain their GDPR compliance requirements.
This document is intended to be a resource for our customers. It is not intended to create a binding or contractual obligation between LeadStrive and any parties, or to amend, alter, or revise any existing agreements between the parties. LeadStrive is continuously improving the protections we have implemented, so our procedures may be subject to change.