Security built for your revenue data
LeadJourney handles some of your most sensitive data: ad spend, lead records, pipeline, and revenue. We protect it with encryption throughout the stack, strict access controls, EU hosting, and privacy by design.
Defense at every layer of the stack
Security is not one control, it is many working together. Here is how we protect access, data, infrastructure, and operations.
Access & identity
- Two-factor authentication (TOTP)
- Enforced password complexity
- bcrypt password hashing (12 rounds)
- Token and Redis-backed sessions
Encryption
- AES-256 at rest for sensitive data
- TLS/HTTPS enforced in transit
- Encrypted OAuth and 2FA secrets
- Encrypted recovery codes
Infrastructure
- Hosted in Frankfurt, Germany (EU)
- Kubernetes-orchestrated services
- Least-privilege across services
- Encrypted credentials at rest
Monitoring
- Exception and performance monitoring
- Centralized log aggregation
- Real-time alerting to the team
- Signed, verified inbound webhooks
Only the right people get in
Every account is protected by modern authentication, and access to production systems follows the principle of least privilege.
Two-factor authentication
Passwords
Sessions & tokens
Integrations
Encrypted in transit and at rest
Data is protected on the wire and in the database, with the most sensitive fields encrypted individually.
In transit
At rest
Secrets management
Credentials
Hosted in the EU, in Frankfurt
We chose EU-based infrastructure so European teams can keep their core data in the European Union by default.
Location
Platform
File storage
Sub-processors
Verified data in, encrypted secrets out of reach
LeadJourney connects to your ad platforms and tools. Those connections are authenticated, and everything that flows into the platform is verified.
Signed webhooks
Encrypted tokens
Watched around the clock
We watch for errors, performance regressions, and anomalies, with alerts routed to the team in real time.
Exceptions & performance
Centralized logs
Alerting
Privacy is built in, not bolted on
LeadJourney is built for European marketing and revenue teams, so data protection is part of the foundation.
GDPR
Data Processing Agreement
Data Protection Officer
First-party tracking
Found something? We want to hear from you
If you believe you have found a security vulnerability, please let us know before disclosing it publicly. Email us with the details and steps to reproduce, and we will get back to you quickly. We will not pursue legal action against good-faith researchers who report responsibly.
The questions security teams ask us
Where is my data stored?
All production infrastructure runs in Frankfurt, Germany, inside the European Union. Application, database (MySQL), cache (Redis), and realtime (Soketi) services run on Kubernetes there, and file storage is on Amazon S3. European customers keep their core data in the EU by default.
Is my data encrypted?
Yes. All traffic is served over HTTPS/TLS in production. Sensitive data, including OAuth tokens, two-factor secrets, and personal data, is encrypted at rest with AES-256.
Do you support two-factor authentication?
Yes. LeadJourney supports TOTP-based two-factor authentication (for example Google Authenticator), with encrypted recovery codes.
How are passwords stored?
Passwords must meet complexity rules (minimum length, upper and lower case, numbers, and symbols) and are hashed with bcrypt using 12 rounds. We never store passwords in plain text.
Do you support SAML single sign-on?
We use OAuth 2.0 for connected integrations. SAML single sign-on for user login is not available yet. If your team needs it, contact us and tell us about your requirements.
How do you secure integrations and webhooks?
Integration tokens and webhook secrets are encrypted in the database, and secrets are managed through environment configuration. Every inbound webhook is verified with an HMAC-SHA256 or Ed25519 signature before it is processed.
Do you offer a Data Processing Agreement (DPA)?
Yes. If you process personal data through LeadJourney, we make a GDPR-compliant Data Processing Agreement available on request that meets the requirements of Article 28 GDPR.
Are you GDPR compliant?
Yes. We host in the EU, keep a public list of sub-processors, support data subject rights, and have an appointed Data Protection Officer. Full detail is on our GDPR and Data Protection page.
Passing a security review?
We are happy to help your team through vendor security and procurement. Email us for our security overview and a DPA, or start using LeadJourney today.
Track every lead
With Pixel-Perfect Accuracy
Stop losing data to iOS, ad blockers and CRM gaps. Server-side tracking, built for lead generation — live in 21 minutes.

