Lead Friendly

Security at Lead Friendly

Lead Friendly handles call data, contact records, and recordings on behalf of customers. This page describes the controls we have in place to keep that data safe and the posture we hold ourselves to. For binding commitments, see our Terms of Service and Privacy Policy.

Data encryption

All traffic to Lead Friendly is forced over TLS 1.2+ via HSTS with a two-year max-age and includeSubDomains; preload. Customer data at rest in our Supabase Postgres database is encrypted with AES-256. Call recordings are stored in object storage with server-side encryption and short-lived signed URLs for playback.

Tenant isolation

Every customer organization is a row-level-security boundary in the database. Every domain table carries an organization_id with an org-scoped RLS policy. The application uses the service-role key only inside trusted server paths (cron jobs, webhooks, billing); user requests run with the authenticated user's session token, so a database query can never reach another tenant's rows by accident.

Authentication

Sessions run on Supabase Auth (cookie-based, HttpOnly, Secure). Google OAuth is available as an option on registration. Passwords are checked against the Have I Been Pwned k-anonymity API on signup to prevent reuse of breached credentials. Session cookies are SameSite=Lax and rotate on privilege change.
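To illustrate the k-anonymity check mentioned above, here is an added Python example (not Lead Friendly's code): only the first five hex characters of the password's SHA-1 are passed to the lookup, and the suffix match happens locally. The `fake_range_service` stub, its corpus, and all function names are constructed for illustration and follow the `SUFFIX:COUNT` line format of the Pwned Passwords range API.

```python
import hashlib

PREFIX_LEN = 5  # only this many hex characters of the SHA-1 leave the server


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def breach_count(password, fetch_range):
    """Times the password appears in the breach corpus (0 = not found).

    fetch_range(prefix) returns one "SUFFIX:COUNT" line per known hash that
    shares the prefix; the suffix comparison is done locally.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            # Padded responses carry decoy rows with a count of 0.
            return int(count) if count.isdigit() else 0
    return 0


def signup_allowed(password, fetch_range):
    """Reject any password with at least one breach sighting."""
    return breach_count(password, fetch_range) == 0


# Constructed stand-in for the remote range endpoint (no network needed).
CONSTRUCTED_CORPUS = {"password123": 1200, "padding-row": 0}
SEEN_PREFIXES = []  # records everything the "remote" side gets to see


def fake_range_service(prefix):
    SEEN_PREFIXES.append(prefix)
    rows = ["0" * 35 + ":4"]  # unrelated decoy suffix
    for pw, count in CONSTRUCTED_CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            rows.append(f"{s}:{count}")
    return "\r\n".join(rows)


if __name__ == "__main__":
    for pw in ("password123", "long unique passphrase 7!"):
        print(pw, "->", "allowed" if signup_allowed(pw, fake_range_service) else "rejected")
```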

Telephony + voice security

Outbound voice + SMS run through Telnyx with 10DLC registration for US local-number traffic. Every outbound message goes through a unified compliance guard that checks KYC tier, AUP status, per-number quarantine state, DNC scrub, opt-out ledger, and quiet-hours window before a single byte leaves the platform. Inbound webhooks are HMAC-verified (Telnyx signature, Resend via Svix).

Web application security

Strict Content-Security-Policy with scoped allow-lists for every external origin. X-Frame-Options: DENY plus CSP frame-ancestors 'none' block clickjacking. X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and a tightened Permissions-Policy round out the header baseline. The marketing surface is statically rendered — no sensitive data ever crosses an unauthenticated origin.

Sub-processors

Lead Friendly relies on a small set of named sub-processors for hosting, telephony, payments, and email. The current list is published at /legal/subprocessors and is updated whenever the stack changes.

Compliance posture

TCPA, the FCC's February 2024 AI-voice ruling, 10DLC + TCR, DNC scrub, and two-party-consent recording rules are wired into the outbound guards documented in our Acceptable Use Policy. SOC 2 Type I is on the roadmap; we do not yet hold a certificate. HIPAA is not in scope today and the platform must not be used to transmit protected health information.

Incident response

Suspected security issues should be reported to security@leadfriendly.com. We acknowledge confirmed reports within one business day, triage within three, and follow a coordinated disclosure process. We will notify affected customers of any material security incident as required under our Data Processing Addendum and applicable law.

Vulnerability disclosure

We welcome good-faith security research. Please test only against your own organization, do not run automated scanners against production, do not access other customers' data, and give us reasonable time to remediate before publishing. Send reports to security@leadfriendly.com.

Need a security questionnaire or DPA?

Email security@leadfriendly.com for our latest security questionnaire response, the standard Data Processing Addendum, or any custom security review your procurement team needs.