Security & Privacy

Data Isolation

Every user's data is completely isolated:

• Row-level security (RLS) on every database table — queries automatically filter to your data only
• Dedicated VPS — your AI agent runs on its own server, separate from all other users
• No shared state — your agent communicates with the web app only via authenticated API calls

Credential Security

• Email infrastructure — Managed @leadclaw.io addresses with pre-configured SPF, DKIM, and DMARC
• API keys hashed — Agent API keys are stored as hashes, never in plaintext
• Session management — Sessions expire after inactivity; all connections use HTTPS/TLS
• No password storage — Passwords are hashed with industry-standard algorithms (bcrypt via Supabase Auth)

Infrastructure Security

• VPS firewall — Only ports 443 (HTTPS) and 22 (SSH) are open on agent servers
• Encrypted at rest — Database backups are encrypted
• Automated backups — Point-in-time recovery with 7-day retention
• Rate limiting — All API endpoints are rate-limited to prevent abuse

Email Compliance

Your agent automatically enforces:

• SPF/DKIM/DMARC — Email authentication configured on all sending domains
• CAN-SPAM — Physical address and one-click unsubscribe in every email
• GDPR — Consent tracking, data export, and right to deletion
• Bounce monitoring — Campaigns auto-pause at 2% bounce rate or 0.1% spam complaints

What We Don't Do

• We never sell or share your data with third parties
• We never store passwords in plaintext
• We never use your business data to train AI models
• We never send emails from your personal address — only from your managed @leadclaw.io address