Commitment to Security | Leverage AI Security & Trust

Our Commitment to Security

Leverage drives transparency and alignment across teams while automating what was previously manual data entry. With this level of data transparency also comes great responsibility to maintain the highest standards of data privacy and security.

With an ongoing focus on security, data privacy, and GDPR-readiness, we aim to strike a balance between transparent communications and maintaining your employee's and customer's privacy rights.

"Without our customers, we are nothing - so every decision we make is with the customer first. At Leverage, our team operates around the clock to uphold customer trust and stay abreast of the evolving security landscape through meticulous, ongoing research by both our team and expert advisors. World class security controls and privacy policies are Leverage's #1 priority."

Enterprise Ready Compliance

SOC 2 Type II

We are SOC 2 Type 1 certified and actively postured for SOC 2 Type 2 certification in the near term, with a security posture and controls meticulously aligned with SOC 2's rigorous standards. This dual approach underscores our commitment to organizational oversight, vendor management, risk management, and regulatory compliance. Our established procedures and controls not only meet SOC 2 criteria today but are designed to sustain the elevated requirements of ongoing SOC 2 Type 2 certification, ensuring a resilient and forward-thinking security foundation.

CSA STAR

We have completed the CSA STAR Self-Assessment and align with the industry-leading security principles outlined by the Cloud Security Alliance. Our commitment to cloud security is demonstrated through our adherence to their best practices.

ITAR

We are registered with ITAR, underscoring our commitment to adhering to the International Traffic in Arms Regulations. This registration reflects our dedication to implementing robust control measures and a comprehensive compliance framework to ensure the secure handling, storage, and transfer of defense-related articles and services. Our commitment to national security and the protection of sensitive military-related technology is demonstrated through our rigorous adherence to ITAR requirements.

FedRAMP Moderate

We have actively prepared for a FedRAMP authorization, with our security posture and cloud infrastructure designed to align with the stringent security and risk management standards outlined in the FedRAMP Moderate baseline. Our robust controls and procedures adhere to the NIST SP 800-53 framework, ensuring we meet the comprehensive security requirements expected by federal agencies. While we await an agency sponsor to formally begin the authorization process, our cloud security infrastructure is positioned to meet the criteria necessary for FedRAMP certification, ensuring the security and integrity of government data.

Secure and Reliable Infrastructure

Leverage uses Amazon Web Services (AWS) exclusively for hosting staging and production environments. AWS data centers are monitored 24×7 with biometric scanning, video surveillance, and other advanced security measures. AWS is SOC 1, SOC 2, SOC 3 certified, and holds ISO 27001, ISO 27017, ISO 27018, and ISO 9001 certifications. These standards ensure rigorous security practices, privacy protections, and quality management systems across all AWS services.

World-Class Application Security

Data Encryption

Data is encrypted in-transit using bank-grade TLS 1.2, the safest method available today. Data is encrypted at-rest using 256-bit encryption via native AWS capabilities.

OAuth

Customers always authenticate via their platforms of choice (Okta, GSuite or Office365) and never set a Leverage-specific password.

Continuous Commitment to Security

PENETRATION TESTING

In addition to our SOC 2 readiness, Leverage is committed to conducting manual penetration testing following industry best practices. Additionally, we use multiple scanning services to continuously scan our application, both from outside and inside, daily.

CONTINUOUS THREAT MONITORING

We employ multiple solutions to provide continuous threat intelligence and vulnerability testing, with real-time alerting. Static and dynamic code analysis is a core component of our continuous integration and delivery software development approach.

DEDICATED SECURITY

We employ onsite staff responsible for reviewing, updating, testing and maintaining our security and privacy controls in accordance with our SOC 2 readiness and in preparation for new certifications, security threats, laws and regulations.

SECURITY PROJECT REVIEWS

All engineering projects must go through architecture reviews and receive sign off from the Security team before work can begin.

SECURITY CODE REVIEWS

Engineers are required to complete a security review checklist as part of the software development life cycle (SDLC) for all code changes.

Internal Processes

SSO / SCIM / MDM

We never use or store passwords internally. From the wifi and applications we use to do our jobs, to how we secure our physical location, the only authentication source-of-truth is our SSO / SCIM / MDM solution. Leverage does not support login or password-driven access. All access controls are centralized around tight integration with our IAM system (Okta), MDM (Okta), and AWS IAM per industry best practices.

BREACH NOTIFICATIONS

We treat breaches with the highest level of urgency and are committed to delivering timely communications to customers who might be impacted. Any breaches will be communicated within 72 hours per internal process and GDPR compliance. There have been no recorded breaches to date.

EMPLOYEE DEVICES

We use Macs exclusively. Each Mac is fully-managed. Only managed machines can get onto our network, or AWS. Our policies prohibit anyone from being able to move customer data to an unauthorized device, as well as to any laptop or other device. Our policies restrict all employees from downloading data from our production environment, mounting external drives in MacOS on personal devices, or transferring files online without leaving a significant trail behind.

MANDATORY EMPLOYEE TRAINING

All employees are required to complete training on data privacy and best practices for securing and handling user data.

EMPLOYEE BACKGROUND CHECKS

All employees go through thorough background checks executed by a Tier 1 vendor as a prerequisite for employment.

How does Leverage Maintain GDPR Compliance?

DATA PROTECTION BY DESIGN AND BY DEFAULT (ARTICLE 25)

All customer data is stored in logically separated AWS VPC environments with full encryption, using native AWS means and AES 256-bit encryption algorithm
Review of data sharing and processing agreements of all partner organizations to ensure compliance with the provisions of the GDPR
Exclusive use of AWS infrastructure for all data processing

RIGHT TO DATA PORTABILITY (ARTICLE 20)

Export activity by request

RIGHT TO ERASURE (ARTICLE 17)

Data deletion requests are triple-validated, and through

PSUEDONYMISATION (ARTICLE 5.C)

Everything is encrypted, everywhere
No personal data in application logs

BREACH NOTIFICATIONS (ARTICLE 33)

Early notification upon identified breach
Details about our commitments are outlined in our EUSA

SENSITIVE CONTENT

Automated sensitive content flagging and notification
Leverage does not collect or store PCI, HIPAA, or Special Categories of Personal Data (Article 9)

OPT-OUTS FOR ALL EXTERNAL COMMUNICATIONS

All customers have the right and option to opt-out of Leverage communications

EMPLOYEE TRAINING

Mandatory onboarding training on data protection, GDPR, and the rights and freedoms of data subjects
Quarterly engineering training on InfoSec and web application security

Security & Trust