Trust & Safety

Security at Leka Comply

Last updated: 11 May 2026

Infrastructure

  • All data stored on enterprise-grade cloud infrastructure in the London region
  • Encrypted at rest, and in transit via TLS 1.2+
  • Infrastructure is SOC 2 Type II certified
  • Database credentials are rotated regularly and never stored in code

Data Isolation

  • Every organisation's data is completely isolated at the database level
  • No data crosses organisation boundaries under any circumstances
  • Access checks on every API request verify organisation ownership
  • Cross-organisation access attempts return a not-found response to prevent resource enumeration

Authentication

  • Secure session management with HttpOnly cookies
  • JWT tokens with configurable expiry
  • Role-based access controls (super_admin, admin, staff)
  • Multi-factor authentication for platform administrators — coming soon

Row-Level Security

  • Database-level row security policies enforce isolation for every query
  • Even in the event of an application bug, data cannot cross organisation boundaries at the database level

AI and the Public Chatbot

  • The public chatbot on lekacomply.com has no access to any client data, tenant data, or platform content
  • It answers questions about Leka Comply as a product only
  • No client information is ever sent to or processed by the AI on the public chatbot
  • See our AI Policy for full details

Your Data Ownership

  • You own your data at all times
  • Leka Comply does not sell, rent or share client data with third parties
  • On account closure, data is deleted within 30 days
  • Full data export available on request within 14 days

Vulnerability Reporting

If you discover a security issue, please email security@lekacomply.com. We take all reports seriously and will respond within 48 hours. Please do not disclose vulnerabilities publicly until we have had the opportunity to investigate and remediate.