Security

Last updated: 12th August 2024

Industry-Exceeding Standards

Overview

We understand that privacy and security are essential to fulfilling our obligation to provide you with the best service possible. This begins with trust and peace of mind. We have gone above and beyond to implement industry-exceeding security standards and are guided by recognized cybersecurity experts who sit on our Advisory Board.

leafplanner is ISO 27001:2022 and SOC 2 Type II certified.

Please visit our Trust Center to request access to reports or policies and to get a more robust picture of our security posture.

Data Security

Data Encryption

Data in Transit - All data transferred between the user's browser and leafplanner's servers is encrypted in transit using TLS.

Data at Rest - Data is encrypted at rest in AWS using AES-256 encryption. We further protect client data by utilizing ShardSecure's Microshard™ service.

Data Center Security

Data Center Provider - leafplanner uses Amazon Web Services (AWS) to host its production servers, databases, and supporting services.

Multi-Region - leafplanner uses a multi-region setup for its infrastructure, with one AWS region as the primary and another AWS region as the backup.

Application Security

Development Security

Access Controls - Access to leafplanner's systems is limited based on employee roles and responsibilities. The principle of least privilege (PoLP) is enforced.

Testing and Review - All changes to our application are subject to peer review and testing before being merged or released.

Separate Environments - leafplanner maintains segregated development, staging, and production environments.

Product Security

Authentication

MFA - Multi-factor authentication (MFA, also known as 2FA or two-factor authentication) is available and recommended for all leafplanner users. We strongly recommend enabling two-factor authentication for your account and requiring it for any additional users.

Industry-Exceeding Strong Password Protection - Passwords must be a minimum of 12 characters long and must combine letters, numbers, and special characters, including both lower-case and upper-case letters.

Permission-Based Access - Control what additional users on your account have access to.

Audit Log

Activity Monitoring - A detailed activity log is visible within every leafplanner account. It records session information, including who accessed the account, what was accessed, and any changes made.

People Security

Employee Checks

Background Checks - All potential employees are subject to a background check before hiring.

Contact & Reporting

The leafplanner Security Team can be reached via email at [email protected].

Security, confidentiality, integrity, and availability failures, incidents, concerns, and other complaints can be reported anonymously here.