Security, privacy, and compliance documented in one place.
We treat trust as an engineering concern, not a marketing surface. Below is what we run, what we promise, and where the documents live so a procurement review can finish in twenty minutes instead of two weeks.
Pillars
Four controls we will not negotiate.
Encryption everywhere
TLS 1.2+ in transit. AES-256 at rest on backups. Field-level encryption on personally identifiable data. Workspace-scoped key material so one customer cannot read another’s rows.
Zero access by default
MFA enforced on every account. Production access is restricted to a small named set of engineers and fully logged. Customer support never reads workspace data without explicit consent.
Data in the European Union
Primary storage in Frankfurt (eu-central-1). Backups within the same region. International transfers happen only through Standard Contractual Clauses with supplementary measures.
Compliance as an engine
GDPR, UK-GDPR, KVKK, CASL, and CCPA / CPRA are all handled before a message leaves the queue. Country routing, suppression hygiene, and audit logging are core features, not optional settings.
Compliance posture
Where we stand on every regime that matters.
GDPR · UK-GDPR
EU + UK data subject rights honoured, 30-day DSAR SLA, SCCs in place for non-EU transfers.
Status: Compliant
KVKK · Türkiye
KVKK Art. 5(2)(f) legitimate-interest framework + IYS preflight on every Turkish send.
Status: Compliant
CCPA · CPRA · California
No sale / no share posture. Right to know, delete, correct, and limit sensitive PI honoured.
Status: Compliant
CASL · Canada
Country router blocks sends to Canadian addresses by default unless prior consent is documented.
Status: Compliant
SOC 2 Type I
Initial readiness audit underway. Report available under NDA once issued.
Status: In progress · Q3 2026
ISO 27001
Roadmapped after SOC 2. Will be pursued in parallel with the next funding milestone.
Status: Planned · 2027
Documents
Everything procurement will ask for, before they ask.
Operational
The day-to-day controls behind the policy.
Real-time status
Every dependency is monitored. Current uptime + incident history visible at any time.
View status page
Audit log
Immutable trail of every send, block, opt-out, and admin action. Retained seven years. Export on request.
Breach notification
Reportable personal-data breaches notified within 72 hours of detection. Customer notice without undue delay.
Backups + recovery
30-day rolling backups, AES-256 at rest, exercised quarterly. Documented RTO + RPO available under NDA.
Procurement security review
Need a security questionnaire, an architecture review, or a signed DPA?
Email security@leafer.io with what you need. We reply within one business day with the documents, the answers, and a redline if you have one. No NDA required for the first call.
