SECURITY & TRUST

Your negotiations, properly protected.

Leverge handles sensitive business communications. Here's exactly how we keep them safe.

Encryption everywhere

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). OAuth tokens are encrypted with per-user keys.

Minimum access

We only request email permissions we actually need. We do not scan your inbox or access unrelated emails.

Full audit trail

Every action in your account is logged. You can review all agent activity and email sends at any time.

How we protect your data

Infrastructure security

  • Hosted on SOC 2 Type II certified infrastructure
  • Network isolation via private VPCs with strict firewall rules
  • DDoS protection and rate limiting on all public endpoints
  • Automated security patching and vulnerability scanning
  • Geographically redundant backups with encryption

Data encryption

  • TLS 1.3 for all data in transit — no HTTP, no exceptions
  • AES-256 encryption at rest for all databases
  • OAuth tokens encrypted with envelope encryption
  • Encryption keys rotated automatically every 90 days
  • Passwords hashed with bcrypt (cost factor 12) — never stored in plaintext

Access controls

  • OAuth 2.0 for Google and Microsoft account connections
  • Password reset tokens expire in 1 hour and are single-use
  • Employee access to customer data requires explicit justification and is logged
  • Principle of least privilege: each service has only the permissions it needs
  • Rate limiting on all authentication endpoints

Email permissions

  • We request only the minimum scopes needed: send email, read threads you initiated
  • We do not scan your inbox, access unrelated messages, or mine email content
  • You can revoke Leverge's email access anytime from Google/Microsoft settings
  • All email access is logged and auditable
  • Email warm-up protections prevent damage to your sender reputation

AI safety

  • We use Claude by Anthropic with data processing agreements that prohibit training on your data
  • Only relevant negotiation context is sent to AI — not your full contact list
  • AI cannot take irreversible actions without your explicit approval
  • Human-in-the-loop checkpoints at critical negotiation moments
  • All AI decisions are logged and explainable

Responsible disclosure

If you discover a security vulnerability, please report it responsibly. We appreciate your help keeping Leverge safe.

Report a vulnerability

security@leverge.ai

We aim to acknowledge reports within 24 hours and resolve critical issues within 72 hours.