Security · Privacy · Compliance

Security & compliance, built into how we deliver.

LeanScale embeds delivery teams inside our clients' own SaaS tenants. We retain minimal data, operate as a data processor under each client's DPA, and run on SOC 2-attested infrastructure. This is our posture, in plain sight.

Security contact: [email protected] · Reviewed at least annually
  • 261 · CAIQ v4.0.3 items self-assessed
  • 9 · Sub-processors, all SOC 2-attested with DPAs
  • AES-256 · Encryption at rest; TLS 1.2+ in transit, via platforms
  • 100% · Named accounts under enforced MFA & SSO

01 — Security overview

Controls in place today.

LeanScale provides human talent, not software. Customer production data resides in each client's own SaaS tenants — primarily Salesforce. Our internal footprint is small and runs on attested providers. Everything below is operating now.

Identity & access

  • SSO via IdP (Rippling / Google)
  • Enforced multi-factor authentication
  • Bitwarden password manager, unique named accounts
  • Least-privilege onboarding / offboarding
  • Quarterly access reviews

Endpoints

  • Rippling MDM — inventory + enforcement
  • Full-disk encryption
  • SentinelOne EDR
  • Host firewall, auto-lock
  • Remote wipe

People

  • Background checks for all hires
  • Signed agreements + NDAs
  • Annual security-awareness training
  • Phishing simulations (Rippling LMS)

Data

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest (AES-256) via platforms
  • Platform backups
  • Standard client DPAs — scope, confidentiality, breach notice, data return

Change & resilience

  • Git + pull-request review, CI/CD
  • Separate prod / non-prod
  • Documented Incident Response and BC/DR plans
  • Maintained risk register

Governance

  • CSA CAIQ v4.0.3 self-assessment
  • Standard DPAs with sub-processors
  • Annual documentation review
  • Honest, published SOC 2 roadmap

CAIQ v4.0.3 self-assessment (self-assessed)

Our latest CSA CAIQ self-assessment covers 261 items. The 25 "No" answers are our honest SOC 2 roadmap — see Roadmap. The full workbook is available on request.

  • 209 Yes
  • 25 No
  • 27 N/A

02 — Sub-processors

The register.

These sub-processors support LeanScale's internal operations and engagements. Client CRM and similar data primarily resides in the client's own tenant; this register reflects the services LeanScale uses on its own behalf. All are SOC 2 (and where noted, ISO 27001) attested, with DPAs in place.

Vendor | Purpose | Data handled | Region | Attestation | DPA
Salesforce | CRM platform | Client CRM data | US | SOC 2, ISO 27001 | Yes
Supabase / AWS | App database & hosting | Minimal app data | US | SOC 2 | Yes
Netlify | App hosting / CDN | App assets | US | SOC 2 | Yes
Google Workspace | Email / docs / identity | Internal + correspondence | US | SOC 2, ISO 27001 | Yes
Slack | Messaging | Internal comms | US | SOC 2, ISO 27001 | Yes
GitHub | Source control | App code / config | US | SOC 2 | Yes
Bitwarden | Password manager | Secrets | US | SOC 2 | Yes
Rippling | HRIS / MDM / LMS | Employee data | US | SOC 2 | Yes
SentinelOne | EDR | Endpoint telemetry | US | SOC 2 | Yes

If a sub-processor notifies LeanScale of a breach affecting data processed on a client's behalf, we relay the relevant details to affected clients per the applicable DPA. The client remains the data controller.

03 — Shared responsibility

Three parties. No assumed coverage.

Because LeanScale's people work inside client-owned environments operated by third-party platforms, security responsibility is shared three ways. Each area has a designated primary owner — no control is assumed to be handled by someone else.

Processor: LeanScale (owns its corporate security)

Identity & access for its staff, endpoint security, personnel screening & training, and how its people handle client data. Processes client data only on the client's documented instructions.

Controller: Client (owns the tenant & the data)

Its SaaS tenants, the data in them, tenant configuration, and all data-controller duties under applicable privacy law. Classifies its data and grants LeanScale the specific access an engagement requires.

Infrastructure: Sub-processors (own the platform layer)

SOC 2-attested platforms — Salesforce, Supabase/AWS, Netlify, Google, and similar — own and attest the physical, network, and platform/application security underpinning the systems in scope.

The full responsibility matrix — encryption, configuration, change management, incident response, backups — is in our Shared Responsibility Model document, available on request.

04 — Security FAQ

Straight answers.

Where does customer data reside?
Customer production data resides in each client's own SaaS tenants (primarily Salesforce), hosted in the US by SOC 2-attested providers. LeanScale holds minimal data and acts as a data processor. Our own small app footprint runs on Supabase/AWS and Netlify (US).

Is data encrypted?
Data is encrypted in transit using TLS 1.2+ and at rest using AES-256, provided by the underlying platforms. Encryption capability is owned by our sub-processors; LeanScale and clients use and configure it within scope.

Do you enforce MFA and access controls?
Yes. We use SSO via our IdP (Rippling/Google) with enforced MFA, unique named accounts, a Bitwarden password manager, least-privilege onboarding/offboarding, and quarterly access reviews. We access client environments only with the client's grant and approval.

Who are your sub-processors?
Our current sub-processors are listed in the register above: Salesforce, Supabase/AWS, Netlify, Google Workspace, Slack, GitHub, Bitwarden, Rippling, and SentinelOne. We review the register at least annually.

How do you handle security incidents and breach notification?
We maintain a documented Incident Response & Breach Notification plan. If a sub-processor reports an incident affecting client data, we relay the relevant details to affected clients within the timelines set out in the applicable DPA. Because client data lives in the client's tenant, the client remains the controller and handles any regulatory or end-user notifications, with our cooperation.

Are you SOC 2 certified?
Not yet. SOC 2 Type II is on our roadmap, not certified today. We rely on the SOC 2 attestations of our infrastructure sub-processors, and we maintain our own controls and a CSA CAIQ self-assessment. The CAIQ "No" answers transparently map to our SOC 2 roadmap items.

How do I request your security documentation?
Use the Request documents action. You'll provide your name, work email, company, and reason, and sign our NDA via DocuSign. Our security contact ([email protected]) reviews each request and follows up by email with access to the relevant documents.

05 — Roadmap
Planned · not yet implemented

What we're building next — in the open.

In the spirit of transparency, the capabilities below are planned but not yet implemented. They make up our SOC 2 roadmap and correspond directly to the "No" answers in our CAIQ self-assessment.

  • SOC 2 Type II: independent audit & penetration testing.
  • Automated scanning: vulnerability and dependency scanning across the stack.
  • BC/DR & IR exercises: tabletop testing of business-continuity and incident-response plans.
  • Centralized SIEM: anomaly detection across consolidated security telemetry.
  • Just-in-time access: time-bound, approved privileged-access grants.
  • Vendor-risk scoring: independent vendor security assessments & formal risk scoring.

06 — Request access
Request access

Need our full documentation?

Policies, plans, registers, and the full CAIQ workbook are available under NDA. Tell us a bit about you, sign the NDA, and our security contact follows up by email.

  1. Tell us about you: name, work email, company, and the reason for your request.
  2. Sign the NDA: securely via DocuSign; documents are shared under NDA.
  3. We follow up: our security contact reviews each request and emails the relevant documents.