Trust & security
How we handle your data
leadmaps is privacy-first analytics. That's only credible if the infrastructure backing it earns the claim. This page is the shorter-than-the-DPA, longer-than-marketing version of what we actually do.
Last reviewed 2026-05-17.
Security highlights
EU residency by default
Events ingested through collect.leadmaps.nl land in Fly Postgres in Amsterdam, and authentication state in Supabase Paris (eu-west-3). EU residency is the default on every plan.
Encryption everywhere
TLS 1.3 on every public endpoint with HSTS enforced. Workspace API keys, license keys, and OIDC client secrets are additionally AES-256-GCM encrypted at rest under a Key Encryption Key (KEK) held only in-process — a database dump alone reveals nothing usable.
No passwords, no shared accounts
Magic-link auth by default; optional TOTP per workspace. SAML 2.0 + OIDC + SCIM available on Business+. One operator = one identity, MFA enforced for every staff account.
RLS-forced by default
Every customer-data table in Supabase has Row-Level Security forced with zero policies — service-role only access. Per-workspace authorisation happens at the application layer; no path bypasses the gate.
Audit every operator action
Every leadmaps staff action against your workspace is logged with actor, target, before/after diff. Customer-side audit log surfaces config changes, IP allowlist updates, retention policy changes, and operator impersonation.
72-hour breach notification
Following GDPR Art. 33, we file with the Dutch DPA within 72 hours of detecting a personal-data breach. Workspace admins are emailed directly within 4 hours for S0/S1 incidents.
Sub-processors
Vendors we use to deliver the service. Sub-processors maintain independent security programs, including SOC 2 Type II or equivalent where applicable. The live sub-processor list is available in the dashboard DPA at app.leadmaps.nl/settings/legal (sign-in required).
| Vendor | Purpose | Region |
|---|---|---|
| Vercel | Dashboard hosting + edge functions | Global |
| Fly.io | Collector + Postgres (event storage) | EU (ams, fra), US (iad) |
| Supabase | Dashboard auth + control-plane DB | EU (Paris) |
| Paddle | Subscription billing | Global |
| Resend | Transactional email | US |
| Sentry | Error reporting (PII-scrubbed) | EU (Frankfurt) |
| Backblaze B2 | Encrypted off-site database backups | EU (eu-central-003) |
| Hostinger | Login email delivery (magic links) | EU |
Certifications
- SOC 2 Type II: In observation window — audit opened sprint-37, report Q1 2027
- ISO 27001: Planned post-SOC 2
- GDPR: Art. 28 DPA available via /settings/legal in the dashboard
- CCPA: Self-attest
- HIPAA: Available on request (Business+ with BAA)
SOC 2 Type II report
We opened the SOC 2 Type II observation window in sprint-37. The report is expected once the audit completes (~Q1 2027). The download link becomes available the moment the auditor delivers it. Until then, enterprise customers under NDA can request the in-progress evidence pack via security@syntarie.com.
Reporting a vulnerability
Email security@syntarie.com. Include reproduction steps, affected surface (dashboard / collector / SDK / API), an impact estimate, and your preferred disclosure timeline. We respond within 48 hours.
Our default disclosure window is 90 days for non-critical findings. Active-exploit reports are treated as S0 incidents with immediate mitigation.
Need more detail?
Enterprise customers can request our full security policy, incident response playbook, and SOC 2 evidence pack under NDA. Reach security@syntarie.com.