  • SOC 2 Type II: Planned Q2 2027
  • HIPAA Ready: BAA Available
  • GDPR Compliant (EU): DPA Available
  • ISO 27001: Aligned Practices

Our Security Posture

We build secure systems by default, not as an afterthought. Here's how we protect your data and maintain enterprise-grade security standards.

Infrastructure Security

  • AWS/Azure/GCP infrastructure with encryption at rest: AES-256 encryption for all stored data
  • TLS 1.3 for all data in transit: no unencrypted HTTP endpoints
  • Automated security patching: critical patches deployed within 48 hours
  • Network segmentation and firewall rules: principle of least privilege for all services
  • DDoS protection and WAF integration: Cloudflare or equivalent CDN protection

Access Control

  • Customer-Managed Keys (BYOK): maintain absolute data sovereignty by managing your own encryption keys
  • Multi-factor authentication (MFA) required: hardware tokens (YubiKey) for production access
  • Role-based access control (RBAC): minimum necessary permissions for all users
  • Just-in-time (JIT) privileged access: temporary elevated permissions with audit logging
  • SSO integration available: SAML 2.0 support for enterprise identity providers
  • Regular access reviews and deprovisioning: quarterly audit of all system access

Code Security

  • Static application security testing (SAST): Semgrep, ESLint security plugins
  • Dependency vulnerability scanning: Dependabot and Snyk automated alerts and patching
  • Secrets scanning in version control: prevents API keys and passwords from landing in code repositories
  • Code review requirements: all changes reviewed by a senior, security-trained engineer
  • OWASP Top 10 compliance testing: SQL injection, XSS, and CSRF prevention validated

Monitoring & Incident Response

  • 24/7 security monitoring and alerting: automated alerts for suspicious activity
  • Centralized logging with retention: 90-day retention for audit and forensics
  • 4-hour incident response SLA: security incidents escalated immediately
  • Documented incident response procedures: playbooks for common security scenarios
  • Post-incident reviews and remediation: root cause analysis within 7 days of resolution

Data Handling Practices

We minimize data collection and maximize security. Your data stays under your control.

Core Principle:

We build systems in your infrastructure. Client data never leaves your cloud environment unless you explicitly configure external integrations.

Client Data Residency

  • Systems deployed to your AWS/Azure/GCP account: you maintain full control of data location
  • No data stored on Lean Launch infrastructure: we access systems only via secure VPN or bastion hosts
  • Geographic compliance (GDPR, data sovereignty): deploy to EU, US, or other regions as required

Development & Testing

  • Synthetic data for all development: production data never copied to dev environments
  • Anonymization for testing when required: PII scrubbed or tokenized in test datasets
  • Isolated development environments: dev/staging/prod environments strictly separated
  • Secure deletion of test data: test environments purged after project completion

Confidentiality

  • NDAs standard for all engagements: mutual confidentiality agreements before kickoff
  • Confidential information handling procedures: documented protocols for sensitive data
  • Private repositories (your GitHub/GitLab org): code delivered to your version control system

Data Retention & Deletion

  • Active support period: 90 days post-engagement, with full access to project files for handoff questions and bug fixes
  • Business archives: 7 years in secure storage, retained for legal compliance, contract disputes, and insurance requirements
  • Client-requested data deletion honored at any time: request deletion of sensitive data via security@leanlaunch.ai; anonymized versions are retained for business records
  • Encrypted backups with secure destruction: all backups encrypted; secure wiping after the 7-year retention period

Compliance Frameworks

We align our practices with industry-standard compliance frameworks and can accommodate specific regulatory requirements.

Framework, status, documentation available, and notes:

  • SOC 2 Type II: Planned Q2 2027. Documentation: available Q2 2027. Notes: controls implemented and operating; formal Type II audit scheduled Q2 2027; accelerated certification available for qualifying engagements.
  • HIPAA: BAA Available. Documentation: upon request. Notes: technical safeguards implemented per 45 CFR §164.312.
  • GDPR: Compliant. Documentation: DPA available. Notes: Data Processing Agreements available; EU data residency options; GDPR-compliant data handling procedures documented.
  • ISO 27001: Aligned. Documentation: controls matrix upon request. Notes: information security practices aligned with ISO 27001:2013 standards; formal certification planned for 2026.
  • CCPA/CPRA: Compliant. Documentation: privacy policy available. Notes: California privacy rights honored; data deletion and portability procedures documented.
  • PCI DSS: Partner Certified. Documentation: via Stripe/Affirm. Notes: payment processing through PCI DSS Level 1 certified partners; no direct handling of payment card data.
  • FedRAMP: Not Certified. Documentation: N/A. Notes: not currently pursuing FedRAMP authorization; can deploy to FedRAMP-authorized cloud providers (AWS GovCloud, Azure Government).

Custom Compliance Requirements:

Working with a regulated industry with specific compliance needs? Contact us to discuss your requirements.

Need More Security Documentation?

Have specific security questionnaires or compliance requirements? Contact our security team for detailed technical documentation.