Last updated: 2026-05-02
Security
LeadNova AI is built to handle the conversations and customer data of thousands of operators. Security is therefore not a feature we add later — it is part of how the product is designed, deployed, and operated.

1. Encryption. All traffic uses TLS 1.2+. Data at rest is encrypted with AES-256, including database storage and object-storage attachments. Application secrets are encrypted with `ENCRYPTION_KEY` and rotated on demand via the `ENCRYPTION_KEY_PREV` mechanism.

2. Infrastructure. Compute runs on Vercel (SOC 2 Type II, ISO 27001). The primary database is Neon Postgres in EU-Frankfurt (PITR + automated snapshots). Object storage uses S3-compatible providers with server-side encryption. Caches and rate-limit state run on Upstash Redis. None of these vendors hold decryption keys for our application secrets.

3. Access control. Workspaces are tenant-isolated at the database row level — every domain table carries a `workspaceId` column and every server-side query filters on it. Operator roles (owner / admin / manager / agent / viewer) gate actions in the UI and on the server. Super-admin access to the ops console is gated by an explicit env-list of allowed emails plus session auth — workspace membership cannot escalate to platform admin.

4. Authentication. Passwords are hashed with argon2id (memory-hard, OWASP-recommended). Sessions are signed JWTs with a 30-day max age and 24-hour refresh. Optional OAuth via Google, X (Twitter), and Meta. Password-reset tokens are 256-bit, hashed before storage, single-use, and expire in 30 minutes.

5. Application security. Every server action and route handler runs through a small set of auth guards (`requireAuth`, `requireWorkspace`, `requireWorkspaceRole`, `requireApp`). Inbound webhooks (Meta, Stripe, Paddle) verify provider signatures with constant-time comparison. Cron endpoints require a shared secret with timing-safe comparison.

6. Rate limiting & abuse prevention. Public endpoints (auth, webhooks, OAuth dialogs, web chat widget) are rate-limited per IP and per workspace via Upstash Redis. Password-reset requests are double-bucketed per IP and per email so neither dimension can be abused for enumeration or spam.

7. Logging & monitoring. Structured logs (pino) ship to the Vercel platform log surface. Application errors are reported to Sentry with workspace and feature tags. Failed billing webhooks, cron runs, and outbound message sends are tracked and replayable. We do not log password values, full card numbers, conversation content beyond a short preview, or third-party OAuth tokens.

8. Vulnerability management. Dependencies are scanned automatically on every push (npm audit + GitHub Dependabot). High-severity findings block deploy. Secrets are stored only in Vercel project env (encrypted at rest); commits are scanned for accidental secret disclosure.

9. Incident response. Suspected security issues should be reported to security@leadnova.app. We acknowledge within 24 hours, mitigate critical issues within 72 hours, and notify affected workspaces of confirmed personal-data breaches within 72 hours of discovery (per GDPR Art. 33).

10. Compliance posture. GDPR + UK GDPR aligned. SOC 2 Type II controls implemented; formal audit on the public roadmap. HIPAA-readiness available for Pro and above on request. Standard Contractual Clauses + UK Addendum cover international transfers. A current sub-processor list is published in our DPA at /legal/dpa.

11. Responsible disclosure. We commit to good-faith handling of security research: no legal action against researchers acting in good faith, public credit on request, and a private reporting channel at security@leadnova.app. Out of scope: social engineering, denial of service, physical attacks.

Contact: security@leadnova.app · PGP key on request.
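The constant-time signature and cron-secret checks described under "Application security" above, as an added TypeScript example. This is illustrative code, not LeadNova's own handlers: it assumes a provider that signs the raw request body with HMAC-SHA256 and sends the hex digest in a header, and cron callers that present the shared secret as `Authorization: Bearer <secret>`. Real providers wrap their signatures differently (timestamps, key ids), but the verification shape is the same. The one detail practitioners most often get wrong is that `timingSafeEqual` throws when its inputs differ in length, so both sides are reduced to a fixed-length digest before comparing.

```typescript
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

// Constant-time string comparison. timingSafeEqual() throws when its inputs
// differ in length, so both sides are reduced to a fixed-length SHA-256
// digest first; the comparison then costs the same whether the strings
// differ in the first byte, the last byte, or in length.
export function safeEqual(a: string, b: string): boolean {
  const da = createHash("sha256").update(a, "utf8").digest();
  const db = createHash("sha256").update(b, "utf8").digest();
  return timingSafeEqual(da, db);
}

// Assumption: the provider signs the raw body with HMAC-SHA256 and sends the
// hex digest in a header. The body must be the exact bytes received, never a
// re-serialised JSON object, or the digest will not match.
export function signWebhookBody(secret: string, rawBody: string): string {
  return createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
}

export function verifyWebhook(
  secret: string,
  rawBody: string,
  signatureHeader: string | undefined,
): boolean {
  if (!signatureHeader) return false;
  const expected = signWebhookBody(secret, rawBody);
  return safeEqual(expected, signatureHeader.trim().toLowerCase());
}

// Assumption: cron callers send "Authorization: Bearer <shared secret>".
export function verifyCronSecret(
  expectedSecret: string,
  authorizationHeader: string | undefined,
): boolean {
  if (!authorizationHeader) return false;
  const [scheme, token] = authorizationHeader.trim().split(/\s+/, 2);
  if (scheme !== "Bearer" || !token) return false;
  return safeEqual(expectedSecret, token);
}
```

In a route handler the raw body has to be read before any JSON parsing middleware touches it; once the signature is verified, a failed comparison should be logged with the provider and event id but never with the secret or the presented signature.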
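The password-reset properties listed under "Authentication" (256-bit token, hashed before storage, single-use, 30-minute expiry) together with the per-IP and per-email double bucketing from "Rate limiting & abuse prevention", as one added TypeScript example. This is not LeadNova's own code: the in-memory fixed-window counter stands in for the Redis counters the page describes, the one-hour window and limit of five requests are assumed values, and the constructed test inputs use documentation IP ranges. Both buckets are charged on every request so that one dimension cannot be drained while the other stays quiet.

```typescript
import { createHash, randomBytes } from "node:crypto";

export const TOKEN_TTL_MS = 30 * 60 * 1000;      // 30-minute expiry, as on the page
export const BUCKET_WINDOW_MS = 60 * 60 * 1000;  // assumption: one-hour window
export const BUCKET_LIMIT = 5;                   // assumption: 5 requests per key per window

type Clock = () => number;

// Fixed-window counter keyed by "ip:<addr>" or "email:<addr>". Stands in for
// a Redis INCR/EXPIRE pair so that the example runs offline (assumption).
export class FixedWindowLimiter {
  private readonly counts = new Map<string, { windowStart: number; n: number }>();

  constructor(
    private readonly limit: number,
    private readonly windowMs: number,
    private readonly now: Clock,
  ) {}

  allow(key: string): boolean {
    const t = this.now();
    const entry = this.counts.get(key);
    if (!entry || t - entry.windowStart >= this.windowMs) {
      this.counts.set(key, { windowStart: t, n: 1 });
      return true;
    }
    entry.n += 1;
    return entry.n <= this.limit;
  }
}

// Only the SHA-256 of the token is stored, so a database read never yields a usable token.
export function hashToken(token: string): string {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

interface ResetRecord { email: string; expiresAt: number; used: boolean }

export class PasswordResetService {
  private readonly records = new Map<string, ResetRecord>(); // keyed by token hash
  private readonly ipBucket: FixedWindowLimiter;
  private readonly emailBucket: FixedWindowLimiter;

  constructor(private readonly now: Clock = Date.now) {
    this.ipBucket = new FixedWindowLimiter(BUCKET_LIMIT, BUCKET_WINDOW_MS, now);
    this.emailBucket = new FixedWindowLimiter(BUCKET_LIMIT, BUCKET_WINDOW_MS, now);
  }

  // Returns the plaintext token to be delivered by e-mail, or null when either
  // bucket is exhausted. Both buckets are always charged. The HTTP response to
  // the caller should look identical in every case (including unknown emails);
  // the token itself only ever travels by e-mail.
  request(ip: string, email: string): string | null {
    const normalised = email.trim().toLowerCase();
    const ipOk = this.ipBucket.allow(`ip:${ip}`);
    const emailOk = this.emailBucket.allow(`email:${normalised}`);
    if (!ipOk || !emailOk) return null;
    const token = randomBytes(32).toString("base64url"); // 256 bits of entropy
    this.records.set(hashToken(token), {
      email: normalised,
      expiresAt: this.now() + TOKEN_TTL_MS,
      used: false,
    });
    return token;
  }

  // Single-use and time-limited: a second presentation, or one after the
  // 30-minute TTL, returns null and the caller must not change the password.
  consume(token: string): string | null {
    const rec = this.records.get(hashToken(token));
    if (!rec || rec.used || this.now() > rec.expiresAt) return null;
    rec.used = true;
    return rec.email;
  }
}
```

The injectable clock is what makes the expiry and window behaviour testable without sleeping; in production it is simply `Date.now`, and the two limiters would share the Redis client the page mentions rather than a `Map`.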