Skip to main content
Security
Security Policy
Responsible disclosure and how we protect your data.
Reporting a vulnerability
If you believe you have found a security vulnerability in Lead16, please email security@lead16.com. We aim to acknowledge reports within 48 hours and will work with you to understand and resolve the issue. Please give us a reasonable opportunity to remediate before any public disclosure.
Scope
- lead16.com and its API
- The Lead16 mobile applications (iOS & Android)
- mcp.lead16.com
Please do not run automated scanners that degrade service, access or modify data that isn't yours, or perform denial-of-service testing.
How we protect your data
- All traffic encrypted with HTTPS/TLS.
- Passwords hashed with Argon2id.
- Strict per-tenant data isolation — accounts can only ever access their own data.
- Bearer tokens and API keys are scoped and revocable; OAuth tokens are encrypted at rest.
- Hosted on dedicated European infrastructure (Hetzner, Falkenstein, Germany) with daily encrypted backups.
Machine-readable policy
Our security.txt (RFC 9116) lists the current security contact.