Security & Compliance
At Superleap CRM, we are committed to safeguarding your data with the highest standards of security and compliance. Our comprehensive security framework is designed to protect your information from unauthorized access, disclosure, use, and loss, ensuring continuous availability and integrity.
Certifications & Compliance
ISO 27001
Superleap CRM is proud to be ISO 27001 certified, demonstrating our adherence to a globally recognised standard for information security management.
To access a copy of our ISO 27001 report, please reach out to contact@superleap.com.
HIPAA Compliance
For organisations handling Protected Health Information (PHI), Superleap CRM is designed to support your compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Vulnerability Disclosure Policy
Superleap maintains a public Vulnerability Disclosure Policy at https://superleap.com/disclosure-policy.
We take vulnerability disclosures extremely seriously. Once disclosures are received, we rapidly verify each vulnerability contained within the report before taking the necessary steps to contain and remediate the issue.
Once verified, we will periodically send status updates as the problems are fixed and will endeavour to work with the reporter to coordinate public disclosure should they so wish.
Superleap has a well-documented response process for the detection and resolution of security incidents.
Infrastructure & Network Security
Our robust infrastructure and network security measures include:
Physical Access Control
The Superleap platform is hosted on Amazon AWS, Microsoft Azure, and Google Cloud Platform.
All three providers maintain ISO 27001 certification and SOC 2/3 reports, which can be accessed via their respective compliance pages.
Access Control
Superleap infrastructure can only be accessed by a group of authorised Superleap employees who are subject to extended background checks and regular training. Privileged access to Superleap infrastructure is assigned in a Just-in-Time (JIT) fashion for a limited time and requires strong authentication. Each access request requires a business justification and management approval. All JIT access requests are audited.
Administration rights (including SSH, Database Access, and Infrastructure Configuration) are tightly controlled and restricted to a very small number of our team.
Penetration Testing
Superleap undergoes annual black box penetration testing by an accredited third-party agency.
Penetration testers are provided with a high-level diagram of application architecture, and tests are run against our hosted production environment.
Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. Customers on our Enterprise plan can request a summary of our latest penetration test findings by contacting their Account Manager.
Business Continuity and Disaster Recovery
High Availability
Every part of the Superleap platform uses automatically provisioned, redundant servers to protect against failure.
Servers are regularly taken in and out of operation throughout the day as part of our routine operation without affecting availability.
Business Continuity
Superleap keeps regular daily and weekly backups of data in multiple geographic locations on AWS.
All backups are stored in an encrypted form.
In the case of platform-wide production data loss, we are able to restore data from these backups.
We regularly test our ability to restore our infrastructure from the backups we maintain.
We routinely verify the integrity of the backups that we hold.
Disaster Recovery
Superleap primarily serves traffic from a single geographic region spread across multiple availability zones.
In the unlikely event of a prolonged regional outage, we maintain a documented procedure for provisioning our deployment environment in a separate region.
Superleap has an extensively documented Incident Response Process that includes documented procedures for Business Continuity and Disaster Recovery.
Data Flow
Data Arriving from Customers
All customer data is sent to Superleap via HTTPS using TLS 1.2 or above.
All Superleap systems are configured to reject connections that use TLS versions below 1.2 or potentially insecure cipher suites.
All requests into the system are logged and monitored using a combination of rule-based and anomaly-based systems.
Data Leaving the System
Superleap allows customers to access the data stored in Superleap through several methods, including:
Our Web Application, hosted at app.superleap.com.
Our Mobile Applications for Android and iOS.
Our Developer REST API, hosted at api.superleap.com.
All of the methods we provide to our customers for accessing their data ensure encryption in transit using TLS 1.2 or above.
Data Deletion
When your account with us is terminated, we ensure that all your data is deleted cleanly. The details are listed in our terms of service.
Application Security
Sign In with Google
Superleap allows users to log in using their Google or Google Workspace account.
Superleap participates in the Google Security Assessment program, meaning our Sign In with Google flow is assessed for security and privacy annually by a Google-nominated third-party auditor.
REST API Authentication (API Key)
Superleap provides a RESTful API that allows our customers to access their data through integrations with other platforms.
API keys have been designed to be resistant to brute force attacks. Customers are able to issue, modify, and revoke API tokens through their Workspace Settings page.
The Superleap API also supports access tokens obtained via OAuth 2.0.
Secure Application Development Process
Superleap uses a Continuous Integration and Continuous Deployment model, which means all of our code changes are committed to a Source Code Repository, reviewed, tested, and shipped to our customers in a rapid sequence. Every source code change is tracked on GitHub.
Our rapid iteration development model significantly improves our response time to bugs, vulnerabilities, and security incidents.
Corporate Security
Superleap believes that good security applies equally to our team as to our platform.
Malware Protection
Superleap maintains a comprehensive Malware Protection system backed by Apple Gatekeeper and XProtect.
Endpoint Security and Configuration
Superleap uses FleetDM for Inventory Management and Configuration.
All Superleap endpoints use Full Disk Encryption, Screen Lock, Remote Wipe, and strong passwords.
Risk Management
Superleap uses a documented Risk Assessment and Treatment Process.
Superleap uses a combination of Asset-based and Scenario-based Risk Assessments.
All deployments of Superleap go through peer review, automated testing, and an automated deployment process that updates the production environment.
Superleap performs a risk management and treatment of all systems and applications on a regular basis.
Contingency Planning
Superleap places the Availability and Confidentiality of our platform at the top of our priorities.
Superleap maintains a comprehensive Incident Response Process that includes designated Disaster Recovery and Customer Communication plans.
We test all of our Incident Response Processes quarterly, and thoroughly review our test results for gaps.
We update our Incident Response Process at least annually.
Security Policies
Superleap maintains a comprehensive set of documented Security Policies in our company wiki.
Our policies are designed in accordance with ISO 27001, and are updated on an ongoing basis.
Customers on our Enterprise plan with special compliance requirements can contact their Account Manager to request access to a more detailed overview of these policies.
Security Training
Superleap maintains a comprehensive internal Security Training program for our team.
All Superleap employees receive security training upon joining the team and annually thereafter.
Members of Superleap’s engineering team receive regular additional training that covers secure development practices, such as the OWASP Top Ten, in addition to our internal policies.
Incident Response Policy
Superleap follows a CERN (Contain, Eradicate, Recover, and Notify) Security Incident Response Process.
Where a Security Incident affects the Confidentiality of customer data, Superleap will contact the registered administrators of the workspace.