

Vendor Security Questionnaire

Leapo's answers to the standard vendor-security domains drawn from the Cloud Security Alliance's CAIQ. We've pre-answered the questions procurement teams ask first so the back-and-forth on a vendor review can start at a useful place.

Version 1.0 · Last updated May 20, 2026

Answer status legend

Yes: implemented today
Partial: partially implemented
Planned: on roadmap
No: not in scope
N/A: not applicable
DOMAIN 1

Governance, Risk Management & Compliance

GRC-01 · Partial

Do you have a formal information security program?

Partially. Security-by-design practices are documented and followed. A formal, audit-ready ISMS is on the roadmap for SOC 2 Type I (Q1 2027).
GRC-02 · Yes

Do you have a designated security officer?

Yes — the founder (Hussam Abu Ramadan) holds the security officer role. The single-person team means accountability is unambiguous.
GRC-03 · Partial

Do you maintain a risk register?

Partially. An informal risk register is maintained internally. A formal register with quarterly review is on the SOC 2 roadmap.
GRC-04 · Yes

Are you GDPR-compliant?

Yes. See our Privacy Policy and DPA template. EU-hosted infrastructure, data-subject rights workflows, 72-hour breach notification commitment.
GRC-05 · Planned

Are you SOC 2 / ISO 27001 / ISAE 3402 certified?

Not yet. SOC 2 Type I planned Q1 2027, SOC 2 Type II planned Q4 2027, ISAE 3402 Type I planned 2027. Roadmap published at /security.
GRC-06 · Planned

Do you carry cyber liability insurance?

€1M policy in procurement. Expected active Q3 2026.
DOMAIN 2

Data Security & Information Lifecycle

DSI-01 · Yes

Is customer data encrypted at rest?

Yes. AES-256 encryption at rest, applied at the storage layer by Supabase's hosting. Note that PostgreSQL itself has no built-in transparent data encryption: this is disk-level encryption, which protects against lost or copied storage media but not against a compromised application or database credential (that is what RLS and access controls are for). Backups are encrypted to the same standard.
DSI-02 · Yes

Is customer data encrypted in transit?

Yes. TLS 1.3 is negotiated wherever the client supports it, with TLS 1.2 as the minimum accepted version; TLS 1.0 and 1.1 are not offered. HSTS is enabled on leapo.app with a 12-month max-age.
DSI-03 · Yes

Are encryption keys managed by a key management system?

Yes. Encryption keys are managed by Supabase, with AWS KMS underneath. Customer-managed keys (BYOK) are not currently supported; they are on the roadmap for enterprise customers.
DSI-04 · Partial

Do you classify data by sensitivity?

Partially. An informal PII / non-PII distinction is enforced in code, via RLS policies on the tables that hold personal data. A formal classification scheme is on the SOC 2 roadmap.
DSI-05 · Yes

Is data segregated between customers (multi-tenancy model)?

Yes. Row-level security (RLS) policies on every Supabase table holding user data restrict each query to the caller's own rows. Because the policy is evaluated by PostgreSQL itself, it applies regardless of which client, driver or API path reaches the database. The one exception is the Supabase service-role key, which bypasses RLS by design and must never be exposed to clients. Future B2B partners get a separate tenant_id partitioning scheme.
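What an RLS policy of this kind looks like on Supabase/PostgreSQL, as an added example for this questionnaire rather than Leapo's own schema or policies. The `notes` table, its columns, and the idea of carrying `tenant_id` as a custom JWT claim are assumptions made for the illustration; `auth.uid()` and `auth.jwt()` are Supabase's real helper functions, and `request.jwt.claims` is the session setting they read from.

```sql
-- Added example, not Leapo's schema. Table, columns and the tenant_id
-- JWT claim are hypothetical; auth.uid() / auth.jwt() are Supabase helpers.

create table if not exists public.notes (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid(),   -- owner, taken from the caller's JWT
  tenant_id  uuid,                               -- null for consumer accounts
  body       text not null,
  created_at timestamptz not null default now()
);

-- 1. Turn RLS on. Until this is done, the policies below are never consulted.
alter table public.notes enable row level security;
-- Apply RLS to the table owner too. Roles with BYPASSRLS (Supabase's
-- service_role) still bypass it, which is why that key stays server-side.
alter table public.notes force row level security;

-- 2. Per-user isolation: a row is readable and writable only by its owner.
--    auth.uid() returns the "sub" claim of the JWT presented with the request,
--    so the check is enforced by the database, not by the application.
create policy notes_owner_select on public.notes
  for select to authenticated
  using (user_id = auth.uid());

create policy notes_owner_insert on public.notes
  for insert to authenticated
  with check (user_id = auth.uid());      -- cannot insert rows as someone else

create policy notes_owner_update on public.notes
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());      -- cannot re-own a row on update

create policy notes_owner_delete on public.notes
  for delete to authenticated
  using (user_id = auth.uid());

-- 3. Tenant partitioning for B2B (assumed design): the partner's tenant id is
--    carried as a custom JWT claim, so members of a tenant can read each other's
--    rows but never another tenant's. Permissive policies for the same command
--    are OR-ed, so this widens read access without touching the owner policies.
create policy notes_tenant_select on public.notes
  for select to authenticated
  using (
    tenant_id is not null
    and tenant_id = (auth.jwt() ->> 'tenant_id')::uuid
  );

-- 4. Smoke test from a SQL session (needs a role allowed to SET ROLE):
--    impersonate the authenticated role with a constructed JWT claim set
--    and confirm that rows belonging to any other user are invisible.
begin;
  set local role authenticated;
  set local request.jwt.claims =
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
  select count(*) from public.notes
   where user_id <> '00000000-0000-0000-0000-000000000001';
rollback;
```

The smoke test is the check a reviewer actually wants: with RLS active, the query in step 4 counts rows the impersonated user should not be able to see, so a count of 0 means the owner policies hold and any other number means a table or policy was missed. Two things are worth repeating when reviewing a Supabase project for this control: a table with no policies and RLS disabled is wide open to anyone holding the public anon key, and the service-role key skips every policy above, so it belongs only in server-side code.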
DSI-06 · Yes

Where is customer data physically stored?

EU only. Supabase eu-central-1 (Frankfurt, Germany), on AWS infrastructure. See /security/subprocessors for full data-residency map.
DSI-07 · Yes

Do you have a data retention and deletion policy?

Yes. Account data retained for account lifetime; on deletion request, purged from primary DB within 30 days, from encrypted backups within 60 days total. Stripe billing records retained 7 years per Belgian tax law.
DSI-08 · Planned

Can customers retrieve their data in a portable format?

GDPR Art. 20 data export endpoint planned Q3 2026. Until then, requests are honored manually within 30 days via privacy@leapo.app.
DOMAIN 3

Identity & Access Management

IAM-01 · Yes

Is multi-factor authentication (MFA) required for administrative access?

Yes — MFA enforced on all administrative accounts (Supabase, Vercel, Stripe, GitHub, OpenAI, domain registrar).
IAM-02 · Planned

Is MFA available to end users?

Not yet. Users authenticate via email + password or Google OAuth. End-user MFA on roadmap for Q4 2026.
IAM-03 · Yes

Do you enforce password complexity requirements?

Yes — Supabase Auth enforces minimum 8-character passwords with complexity checks. Common-password lists checked at signup.
IAM-04 · Planned

Do you support Single Sign-On (SAML/OIDC)?

Google OAuth supported today. Full SAML / OIDC SSO planned for enterprise customers (no fixed date — driven by customer demand).
IAM-05 · Partial

Are administrative actions logged?

Partially. Database-level audit logs are available via Supabase. A formal application-level audit log (immutable, with each admin action attributed to an actor) is planned for Q3 2026.
IAM-06 · Yes

Are user sessions automatically terminated after inactivity?

Yes. Supabase Auth access-token JWTs expire after 1 hour by default and can only be extended with a refresh token. Note that the effective inactivity cut-off is the refresh-token (session) lifetime configured in Supabase Auth, not the 1-hour access-token expiry: as long as a valid refresh token is presented, the session is renewed.
IAM-07 · Yes

Is principle-of-least-privilege enforced for personnel?

Yes. The team is a single person, but that person operates under separate roles for each kind of work: development (read-only access to production), operational tasks (a scoped service role), and emergency response (full admin).
DOMAIN 4

Infrastructure & Virtualization Security

IVS-01 · Yes

Where is the application hosted?

Vercel (compute, EU regions for serverless functions) and Supabase (database, EU/Frankfurt). Both run on top of AWS, which is SOC 2 Type II, ISO 27001, and ISO 27018 certified.
IVS-02 · Yes

Is the production network segmented from the development network?

Yes — separate Supabase projects for production and development, with separate API keys and database credentials.
IVS-03 · Yes

Are network communications between services encrypted?

Yes — all service-to-service traffic (Vercel ↔ Supabase ↔ Stripe ↔ OpenAI) is HTTPS-only, no plaintext fallback.
IVS-04 · Partial

Is a Web Application Firewall (WAF) in front of the application?

Partially. Vercel provides built-in DDoS protection and bot mitigation at the edge. A dedicated WAF (Cloudflare or Vercel Firewall) is on the roadmap for Q4 2026.
IVS-05 · Partial

Are public-facing endpoints rate-limited?

Partially. Some endpoints (AI usage) are rate-limited at the application layer. Comprehensive rate-limiting across all routes is planned for Q3 2026.
DOMAIN 5

Supply Chain & Subprocessors

SUP-01 · Yes

Do you maintain a list of subprocessors?

Yes — leapo.app/security/subprocessors. Publicly maintained with country, purpose, transfer mechanism, and DPA link for each.
SUP-02 · Yes

Do you have DPAs in place with each subprocessor?

Yes — every subprocessor has signed standard DPAs available publicly (linked from the subprocessors page). We do not engage processors without a DPA.
SUP-03 · Yes

Do you notify customers of changes to subprocessors?

Yes — at least 30 days in advance for B2B partners under contract; public subprocessor page updated for everyone.
SUP-04 · Yes

Are international data transfers covered by Standard Contractual Clauses?

Yes — US-based subprocessors (OpenAI, Resend, Sentry, PostHog) all transfer under SCCs. Roadmap includes migration to EU-hosted alternatives where viable (Azure OpenAI EU).
DOMAIN 6

Business Continuity & Disaster Recovery

BCR-01 · Yes

Do you have documented backup procedures?

Yes. Supabase takes daily backups, retained 7–30 days depending on plan; point-in-time recovery (PITR), where enabled, adds continuous WAL archiving on top of the daily backups. Backups are encrypted at rest in the same EU region.
BCR-02 · Partial

What is your Recovery Time Objective (RTO)?

Target: 4 hours. Best-effort today; formal SLA negotiable per B2B contract.
BCR-03 · Partial

What is your Recovery Point Objective (RPO)?

Target: 24 hours (worst-case data loss, i.e. restoring from the last daily backup). With Supabase PITR active, the achievable RPO is minutes for most scenarios.
BCR-04 · Planned

Have you tested the disaster-recovery procedure?

Not yet. The first annual DR exercise is planned for Q4 2026. Until then, the recovery procedure is documented but untested at production scale.
BCR-05 · Partial

Do you offer an uptime SLA?

No formal SLA on the public plan. B2B partners can negotiate SLA into their contracts (typical: 99.9% monthly uptime, excluding planned maintenance and force majeure).
DOMAIN 7

Incident Response

IR-01 · Partial

Do you have a documented incident response plan?

Partially. A written plan covers detection, containment, eradication, recovery, and post-mortem. Tabletop exercises to rehearse it are planned for Q4 2026.
IR-02 · Yes

What is your breach notification SLA?

72 hours to supervisory authority (GDPR Art. 33). 24 hours to B2B partners affected. Affected users notified without undue delay (Art. 34).
IR-03 · Partial

How are anomalous events detected?

Partially. Sentry for runtime errors, Supabase logs for database anomalies, Stripe webhooks for failed-payment patterns. Centralized SIEM / SOC monitoring is not in place; it is planned alongside SOC 2.
IR-04 · Yes

Is there a security contact for responsible disclosure?

Yes — security@leapo.app. 72-hour acknowledgement commitment. No legal action against good-faith researchers.
DOMAIN 8

Vulnerability & Patch Management

VM-01 · Yes

Are dependencies scanned for vulnerabilities?

Yes — GitHub Dependabot enabled on the repository; npm audit run in CI on every build. Vercel reports vulnerable production dependencies in its dashboard.
VM-02 · Partial

Is application code scanned for vulnerabilities (SAST)?

Partially. GitHub code scanning with CodeQL is enabled on the repository, and every change also receives manual code review. A second SAST engine (Snyk Code or Semgrep) is on the roadmap.
VM-03 · Planned

Have you completed a penetration test in the last 12 months?

Not yet. First pen test planned Q4 2026 by a Belgian security firm (Toreon or NVISO under evaluation). Annual cadence thereafter.
VM-04 · Partial

Do you have a documented patching SLA?

Partially. Critical security patches: deployed within 24 hours of disclosure. High-severity patches: within 7 days. Medium / low: best-effort. The formal SLA is documented in the /security roadmap.

Need more depth?

If your procurement team uses a longer or different questionnaire (full CAIQ, SIG, ISO 27001 control list, Belgian banking-supervisor template), send it to security@leapo.app and we'll complete it within 5 business days at no charge.