Security controls
- Leadping requires authenticated access for the app, customer workflows, and user-scoped API access.
- Access is scoped by user, business membership, role, and credential.
- Customer data is separated by business context.
- App and API traffic uses encrypted transport.
- Data at rest is protected through managed storage and infrastructure controls.
- Security-relevant events are logged for troubleshooting, abuse prevention, compliance review, and incident investigation.
- Service health, API behavior, delivery signals, provider signals, suspicious usage, and abuse indicators are monitored.
- Production access is limited to authorized personnel and service providers with a business need.
- Backup and recovery practices are maintained for service continuity.
API keys and secrets
Treat every API key, source key, token, webhook secret, and connected-system credential as confidential.
- Store credentials outside source code.
- Share credentials only with systems and people that need them.
- Use separate credentials for separate systems when traceability matters.
- Rotate credentials if they are exposed, sent to the wrong party, or no longer needed.
- Never put credentials in lead metadata, screenshots, analytics fields, support messages, or public repositories.
Customer responsibilities
Customers are responsible for securing the systems and workflows they control.
- Use unique credentials and protect account recovery email inboxes.
- Manage users and roles.
- Remove access when a user no longer needs it.
- Protect API keys, source keys, tokens, webhook secrets, CRM credentials, exports, and local files.
- Use HTTPS for integrations.
- Review publishers, partners, CRMs, webhooks, and other connected systems.
- Keep required legal, consent, suppression, CRM, compliance, and export records outside Leadping when needed.
- Report suspected unauthorized access, credential exposure, or security incidents involving Leadping-connected systems.

