Security Standards

Last Updated: May 26, 2026

At LeadScrapper Pro, we treat your business data with the highest level of security. We implement industry-standard encryption, strict access control logic, and trusted payment integrations to protect your account, settings, and search pipelines.

1. Encryption in Transit and at Rest

All communication between your browser and our platform is encrypted in transit with Transport Layer Security (TLS 1.3). We enforce HTTPS across the entire web application so that traffic cannot be read or tampered with on the wire.

Database entries, search caches, and account configurations are encrypted at rest with AES-256 (Advanced Encryption Standard) on fully managed infrastructure.

2. Strict Tenant Isolation (Row Level Security)

Our database uses PostgreSQL Row Level Security (RLS) policies to isolate each user's records. With RLS enabled on a table, every query a user session runs against it is scoped by the database engine itself to the rows that match the authenticated user ID carried in that session's token:

  • Users can only select, update, or delete rows whose owner matches their verified Supabase authentication ID.
  • Horizontal privilege escalation attempts, such as changing a query parameter to target another user's leads, are stopped at the database engine level: reads, updates, and deletes against rows the policy does not permit simply match no rows, and writes that would create a row for another user are rejected with an error.
  • Backend code reaches the database through parameterized RPC functions, so user input is bound as a parameter and never concatenated into SQL text, which closes off SQL injection.
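
The policy shape described above, written out as an added example (this is not LeadScrapper Pro's own schema or migrations): the `leads` table, the `user_id` column, the Supabase role name `authenticated`, and the function `search_leads` are all assumptions made for the illustration; `auth.uid()` is Supabase's helper that returns the subject of the session JWT.

```sql
-- Added example (not the project's own schema). Table, column and function
-- names are assumed; auth.uid() is Supabase's helper returning the JWT subject.

create table if not exists public.leads (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid(),  -- owning tenant, filled from the session JWT
  company    text not null,
  email      text,
  created_at timestamptz not null default now()
);

-- 1. Turn RLS on. Without this, every row is visible to every role.
alter table public.leads enable row level security;
-- 2. Apply it to the table owner too; owners (e.g. the migration role) bypass RLS otherwise.
alter table public.leads force row level security;

-- 3. One policy per command, each scoped to the caller's JWT subject.
--    USING filters the rows a command may touch; WITH CHECK validates rows being written.
create policy "leads: owner select" on public.leads
  for select to authenticated
  using (user_id = auth.uid());

create policy "leads: owner insert" on public.leads
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "leads: owner update" on public.leads
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "leads: owner delete" on public.leads
  for delete to authenticated
  using (user_id = auth.uid());

-- 4. A parameterized RPC. SECURITY INVOKER (the default) keeps the caller's RLS in
--    force, and p_query is bound as a value, never spliced into SQL text. strpos() is
--    used instead of LIKE so that '%' or '_' in the input cannot widen the match.
create or replace function public.search_leads(p_query text)
returns setof public.leads
language sql
security invoker
stable
as $$
  select *
  from public.leads
  where strpos(lower(company), lower(p_query)) > 0
$$;

-- How a horizontal escalation attempt plays out under these policies, run as an
-- authenticated user whose auth.uid() is not the victim's id:
--   select * from public.leads where user_id = '<victim-uuid>';   -- 0 rows (filtered, no error)
--   update public.leads set email = 'x' where id = 42;            -- UPDATE 0 (no row passes USING)
--   insert into public.leads (user_id, company) values ('<victim-uuid>', 'Acme');
--                                          -- ERROR: new row violates row-level security policy
```

Two caveats a reviewer would check against any deployment of this pattern: FORCE ROW LEVEL SECURITY matters because the table owner otherwise bypasses the policies, and any backend job that connects with Supabase's service-role key runs as a role with BYPASSRLS, so such jobs are not protected by tenant isolation at all and have to be treated as trusted code. Likewise, RPC functions must stay SECURITY INVOKER; a SECURITY DEFINER function runs as its owner and would silently skip the policies.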

3. Secure Payment Infrastructure

All monetary transactions, billing details, and subscription tiers are processed through Gumroad, a secure, PCI-DSS Level 1 compliant merchant processor. LeadScrapper Pro does not store, see, or transmit credit card numbers or raw billing credentials on its own servers.

4. Authentication Security

We leverage Supabase Auth to handle user credentials securely:

  • Mandatory minimum length and complexity requirements on passwords, which raise the cost of brute-force and dictionary guessing rather than preventing it outright.
  • JWT-based session authentication with short access token lifespans and automated refresh token rotation, so a leaked access token expires quickly and a reused refresh token is detected.
  • Rate limiting on the signup and login endpoints in the Flask API middleware, which blocks credential stuffing and online password guessing and blunts denial of service (DoS) attempts against those endpoints.

5. Vulnerability Disclosure Policy

We welcome responsible disclosure from security researchers. If you identify a vulnerability in our application, please report it immediately by sending details to thenavital@gmail.com.

We request that you do not perform destructive actions, access other users' data, or publicly disclose findings until we have had a reasonable timeframe to review and patch the issue.