Leakeo is built to be trusted with sensitive revenue data. Here is how we protect it.
All user authentication is handled by Firebase Authentication (Google). Leakeo never stores passwords. Firebase manages credential storage, session tokens, and token rotation securely.
Every API request is authenticated server-side: the Firebase Admin SDK verifies ID tokens on each request, ensuring only the token's owner can access their data.
Firebase App Check with reCAPTCHA v3 is enforced on all client-initiated requests. App Check prevents unauthorised clients, bots, and replay attacks from interacting with Leakeo's backend.
Stripe and Shopify webhooks are verified using their respective signing secrets before any data is processed, ensuring revenue data cannot be injected by third parties.
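As an added example (not Leakeo's own code), the signature checks described above can be written in Node.js following the publicly documented Stripe and Shopify webhook schemes. The function names, secrets and sample event are constructed for illustration, and the five-minute replay tolerance is an assumption.

```javascript
// Added example: webhook signature checks per the public Stripe and Shopify schemes.
// Both MACs cover the raw request body, so verify before any JSON parsing.
const crypto = require('node:crypto');

// Constant-time comparison; differing lengths are rejected without throwing.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Stripe: header "t=<unix>,v1=<hex>[,v1=<hex>]"; the MAC covers "<t>.<raw body>".
function verifyStripe(rawBody, header, secret, nowSec, toleranceSec = 300) {
  const parts = String(header || '').split(',').map((p) => p.trim().split('='));
  const t = (parts.find(([k]) => k === 't') || [])[1];
  const sigs = parts.filter(([k]) => k === 'v1').map(([, v]) => v || '');
  if (!/^\d+$/.test(t || '') || sigs.length === 0) return false;
  // Reject stale or future-dated events to limit replay of captured deliveries.
  if (Math.abs(nowSec - Number(t)) > toleranceSec) return false;
  const expected = crypto.createHmac('sha256', secret).update(`${t}.${rawBody}`).digest('hex');
  return sigs.some((s) => safeEqual(s, expected));
}

// Shopify: X-Shopify-Hmac-Sha256 carries base64(HMAC-SHA256(raw body)).
function verifyShopify(rawBody, headerB64, secret) {
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest('base64');
  return safeEqual(String(headerB64 || ''), expected);
}

// Constructed sample data (placeholder secrets, not real keys).
const stripeSecret = 'constructed-stripe-secret';
const shopifySecret = 'constructed-shopify-secret';
const body = '{"id":"evt_constructed","type":"charge.succeeded","amount":4200}';
const now = 1700000000;
const mac = crypto.createHmac('sha256', stripeSecret).update(`${now}.${body}`).digest('hex');
const stripeHeader = `t=${now},v1=${mac}`;
const shopifyHeader = crypto.createHmac('sha256', shopifySecret).update(body).digest('base64');

console.log('stripe genuine :', verifyStripe(body, stripeHeader, stripeSecret, now));
console.log('stripe tampered:', verifyStripe(body.replace('4200', '1'), stripeHeader, stripeSecret, now));
console.log('stripe replayed:', verifyStripe(body, stripeHeader, stripeSecret, now + 3600));
console.log('shopify genuine:', verifyShopify(body, shopifyHeader, shopifySecret));
```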
All data is encrypted in transit via HTTPS (TLS 1.2+). HSTS is enforced in production with a two-year max-age and subdomain inclusion to prevent downgrade attacks.
Data at rest is encrypted by Google Cloud (Firestore) using AES-256 by default.
Each Leakeo customer's data is stored under a unique account-scoped path in Firestore. Firestore Security Rules enforce that no customer can read or write another customer's data via the client SDK.
Server-side API endpoints verify the caller's identity before accessing any data, and cross-account access is blocked at the API layer.
Leakeo is hosted on Vercel, a SOC 2 Type II certified platform. Application functions run as serverless edge-adjacent compute. There are no persistent servers to patch or secure.
Data is stored in Google Cloud Firestore, part of Google's ISO 27001, SOC 1/2/3, and PCI-DSS certified infrastructure. Firebase itself benefits from Google's security investment at scale.
All Leakeo responses include the following security headers:
Strict-Transport-Security (HSTS) — enforces HTTPS
X-Frame-Options: DENY — prevents clickjacking
X-Content-Type-Options: nosniff — prevents MIME sniffing
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy — disables unused browser APIs
The tracker collects behavioral signals (scroll depth, click patterns, form interactions, search queries) and funnel events. All data is aggregated into statistical summaries — no individual visitor sessions can be reconstructed from the stored summaries.
Raw events are deleted after 30 days. Aggregated daily and monthly summaries are retained indefinitely (they contain only statistical counters, no personal data). We do not use advertising cookies, third-party analytics, or cross-site tracking of any kind.
Hashed identifiers are used for transaction deduplication. Plaintext customer names and email addresses from your website are never stored.
In the event of a security incident affecting customer data, Leakeo will:
Current platform status is available at leakeo.com/trust/status.
If you discover a security vulnerability in Leakeo, please report it responsibly via the in-app report form or the contact form on this site. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.
We will acknowledge your report within 5 business days and keep you informed of progress.
Internal access to customer data is restricted by role and requires authentication. The Leakeo owner panel is protected by a server-side allowlist in addition to role verification — access cannot be granted by modifying client-side state alone.
We do not access customer data except as required to provide support (with customer permission), investigate incidents, or comply with legal obligations.