Security
Information Security Policy
Version 1.0 · Last updated 7 July 2026 · Next review July 2027
This policy sets out how LeakIQ Ltd (company number 17311148) protects the confidentiality, integrity and availability of the LeakIQ platform and the data it processes. It is the umbrella policy under which LeakIQ's more detailed controls and supporting documents sit, and applies to all personnel, contractors and systems.
1. Purpose and scope
The objective of this policy is to protect customer data and LeakIQ systems against unauthorised access, loss, disclosure or disruption, and to meet LeakIQ's legal, regulatory and contractual obligations. It applies to all LeakIQ information assets, the production platform, development and business systems, and everyone who accesses them.
2. Governance and ownership
Overall accountability for information security rests with LeakIQ's directors. Security is treated as a first-class part of building and operating the platform rather than a separate function. This policy and its supporting documents are owned by management, reviewed at least annually, and updated when the platform, threat landscape or regulatory environment changes materially.
3. Risk management
LeakIQ identifies and manages security risks on an ongoing basis. New features, connectors and sub-processors are assessed for their data protection and security impact before adoption. Risks are prioritised by likelihood and impact, and mitigations are tracked to completion. The principles of least privilege, defence in depth, and secure-by-default guide design decisions.
4. Access control
- Access to customer data and production systems is granted on a least-privilege, need-to-know basis and reviewed periodically.
- The platform enforces three-tier role-based access control (Viewer, Operator, Admin), server-side, on every request; workspace data is isolated at the ORM layer so cross-tenant access is structurally prevented.
- Authentication uses strong password hashing (bcrypt), rate limiting with account lockout, and optional TOTP multi-factor authentication that Admins can mandate for all members.
- Privileged and administrative actions are restricted, enforced server-side, and written to the audit trail.
- Access is revoked promptly when personnel leave or no longer require it.
Full detail is in the technical documentation.
5. Data protection and encryption
- All data is encrypted in transit using TLS 1.2 or higher.
- Connector credentials are encrypted at rest with AES-256-GCM; the encryption key is stored separately from the database and is never logged or returned in API responses.
- Connectors are read-only — LeakIQ never writes back to connected systems.
- LeakIQ collects and retains only the data needed to detect and recover revenue leakage, in line with the Data Retention & Deletion Policy.
- No payment card data is stored (card processing is handled by Stripe); LeakIQ is not in PCI scope.
See the Data Retention & Deletion Policy and the Data Processing Agreement in the Master Subscription Agreement.
6. Secure development and change management
- Changes are version-controlled, reviewed, and validated by automated type-checking and build checks before release.
- Security is considered throughout design and development, following secure-by-default and least-privilege principles.
- Dependencies are kept current and monitored for known vulnerabilities.
- Production changes are deployed through an automated pipeline with the ability to roll back to a last known-good release quickly.
- Development and production data are separated; production customer data is not used in development or testing.
7. Vendor and sub-processor management
LeakIQ relies on a small, deliberately-chosen set of sub-processors. Each is assessed for security and data protection before adoption and is bound by data protection terms equivalent to LeakIQ's own obligations. The current list, the data each handles and change-notification terms are published on the sub-processors page.
8. Personnel security
- Personnel and contractors are bound by confidentiality obligations and are granted only the access needed for their role.
- Everyone is briefed on how to recognise and report security incidents, and on their data protection responsibilities, at onboarding and on an ongoing basis.
- Access is provisioned on joining and revoked promptly on departure or role change.
- Devices used to access LeakIQ systems are expected to be kept up to date and protected.
9. Logging and monitoring
LeakIQ maintains a structured security event log (covering failed authentication, access-control violations, MFA challenges, privileged re-authentication, configuration changes and secret rotation) and an append-only, hash-chained audit trail of all actions taken in the platform. These support detection, investigation and tamper-evidence.
10. Incident response and continuity
Security incidents are handled under the Incident Response Plan, including breach notification to affected customers without undue delay and within 72 hours. Service and data recovery are governed by the Business Continuity & Disaster Recovery Plan. Vulnerabilities can be reported under the Vulnerability Disclosure Policy.
11. Compliance and review
LeakIQ complies with the UK GDPR and the Data Protection Act 2018 and is registered with the ICO (ZC187738). LeakIQ commissions an annual independent penetration test and is working towards SOC 2 Type II. This policy is reviewed at least annually and after any significant incident or change. Questions can be directed to security@leakiq.io.