Security & Data Protection
Last updated: April 21, 2026
SwiftLeadz takes data security seriously. This page describes the technical and organizational measures we employ to protect your data and the data of your leads.
1. Infrastructure Security
Hosting
SwiftLeadz is hosted on Railway (API) and Vercel (admin portal), both of which operate on major cloud providers (AWS, Google Cloud) with SOC 2 Type II certification. Database services are provided by Supabase, which is hosted on AWS.
Network Security
- All data in transit is encrypted using TLS 1.2 or higher
- HTTPS is enforced on all endpoints; HTTP connections are redirected
- API endpoints are protected by rate limiting to prevent abuse
- Firewall rules restrict access to database and internal services
2. Data Encryption
- In transit: TLS 1.2+ for all API calls, web traffic, and database connections
- At rest: Database encryption at rest via Supabase (AES-256)
- Passwords: Hashed using bcrypt with salting — we never store plaintext passwords
- Auth tokens: JWTs signed with HS256; short expiry with refresh rotation
- Secrets: API keys and credentials are stored as environment variables, never in code
3. Access Controls
- Row-Level Security (RLS) is enabled on all Supabase tables — each org can only access its own data
- API routes require valid JWT authentication for all protected endpoints
- Admin portal enforces role-based access (admin vs. rep permissions)
- Service-role database key is only available to the backend API, never exposed to clients
- Internal SwiftLeadz staff access to production data is restricted and logged
- Multi-factor authentication is available and encouraged for all accounts
4. Data Isolation
Each organization's data is logically isolated using Supabase Row-Level Security. Database queries always include org_id scoping. It is architecturally impossible for one organization to access another organization's leads, SMS messages, or settings through the API.
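The org_id scoping described above can be expressed directly as Postgres Row-Level Security policies, which is the mechanism Supabase exposes. The following is an added example, not SwiftLeadz's own schema or policies: it assumes a table public.leads with an org_id column and an access token whose verified claims include an org_id field (the claim name is an assumption), read through Supabase's auth.jwt() accessor. One caveat worth keeping in mind when reading it: the Supabase service_role key bypasses RLS entirely, which is why the page keeps that key backend-only and still scopes backend queries by org_id explicitly rather than relying on these policies alone.

```sql
-- Added example (not SwiftLeadz's schema): per-organization isolation with
-- Postgres Row-Level Security as used by Supabase.
-- Assumptions: a table public.leads with an org_id column, and a request JWT
-- whose claims include "org_id" (claim name assumed for this illustration).

create table if not exists public.leads (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null,
  full_name  text not null,
  phone      text,
  created_at timestamptz not null default now()
);

-- Deny by default: once RLS is enabled, a role with no matching policy sees
-- zero rows. FORCE applies the policies to the table owner as well.
alter table public.leads enable row level security;
alter table public.leads force row level security;

-- Reads the caller's org from the verified token. auth.jwt() is Supabase's
-- accessor for the decoded claims of the current request; a request with no
-- token or no org_id claim yields NULL, which matches no row at all.
create or replace function public.current_org_id()
returns uuid
language sql
stable
as $$
  select nullif(auth.jwt() ->> 'org_id', '')::uuid
$$;

-- One policy per operation, each limited to the caller's own org.
-- USING filters the rows that can be read, updated or deleted;
-- WITH CHECK rejects writes that would file a row under another org_id.
create policy leads_select_own_org on public.leads
  for select to authenticated
  using (org_id = public.current_org_id());

create policy leads_insert_own_org on public.leads
  for insert to authenticated
  with check (org_id = public.current_org_id());

create policy leads_update_own_org on public.leads
  for update to authenticated
  using (org_id = public.current_org_id())
  with check (org_id = public.current_org_id());

create policy leads_delete_own_org on public.leads
  for delete to authenticated
  using (org_id = public.current_org_id());

-- Verification from a SQL session: impersonate an authenticated caller from
-- one org (constructed sample UUID) and confirm only that org's rows appear.
-- auth.jwt() reads the request.jwt.claims setting, so it can be set locally.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"role":"authenticated","org_id":"00000000-0000-0000-0000-00000000000a"}',
  true);
select count(*) from public.leads;   -- counts rows of that org only
rollback;
```

The WITH CHECK clauses matter as much as USING: without them a caller could insert or move a row into another organization's partition even though they could never read it back. The verification block is the check to run after any policy change, once per role and operation, since a single missing policy silently hides rows rather than raising an error.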
5. Security Monitoring
- Application logs are retained and monitored for anomalous activity
- Failed authentication attempts are logged and rate-limited
- Automated alerts for unusual traffic patterns or error spikes
- Dependency vulnerability scanning via automated tools
6. Backup and Recovery
- Database backups are performed daily with point-in-time recovery available
- Backup data is encrypted and stored in separate availability zones
- Recovery procedures are documented and tested periodically
7. Incident Response
SwiftLeadz maintains an incident response plan. In the event of a data breach or security incident:
- The incident is detected and contained as quickly as possible
- The scope and impact are assessed
- Affected customers are notified within 72 hours (or as required by applicable law)
- Root cause analysis is conducted and remediation applied
- Regulatory bodies are notified as required by law (e.g., GDPR 72-hour notice)
To report a security incident or suspected breach: security@swiftleadz.com
8. Vulnerability Disclosure
If you discover a security vulnerability in SwiftLeadz, please report it responsibly to security@swiftleadz.com. We ask that you:
- Allow us reasonable time to investigate and fix the issue before public disclosure
- Not access, modify, or delete data belonging to other users
- Not perform denial of service attacks or social engineering
We appreciate responsible disclosure and will work with you to understand and address the issue.
9. Third-Party Security
We work only with subprocessors that maintain industry-standard security practices. Our Subprocessor List names each of them. We review the security posture of critical vendors annually.
10. Customer Responsibilities
Customers are responsible for:
- Keeping account credentials secure and confidential
- Enabling MFA on admin accounts
- Promptly notifying SwiftLeadz of unauthorized access
- Ensuring team members use strong, unique passwords
- Revoking access for departed team members promptly
- Not sharing API keys or access tokens with unauthorized parties
11. Compliance Certifications
SwiftLeadz is working toward SOC 2 Type II certification. In the meantime, our infrastructure providers maintain the following certifications: AWS (SOC 1/2/3, ISO 27001, PCI DSS), Vercel (SOC 2 Type II), Supabase (SOC 2 Type II in progress).
For enterprise customers requiring a Security Assessment Questionnaire (SAQ) or Data Processing Addendum (DPA), contact security@swiftleadz.com.