Trust & security
How we handle your data
leatmap is privacy-first analytics. That's only credible if the infrastructure backing it earns the claim. This page is the shorter-than-the-DPA, longer-than-marketing version of what we actually do.
Last reviewed 2026-05-17.
Security highlights
EU residency by default
Events ingested through collect.leatmap.com land in Fly Postgres in Amsterdam. Authentication state lives in Supabase Frankfurt. US residency is available on Business+ on request.
Encryption everywhere
TLS 1.3 on every public endpoint with HSTS enforced. Workspace API keys, license keys, and OIDC client secrets are additionally AES-256-GCM encrypted at rest under a Key Encryption Key (KEK) held only in-process — a database dump alone reveals nothing usable.
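The encryption-at-rest model described above (a secret sealed with AES-256-GCM under a KEK that exists only in process memory), shown as an added Go example. This is not leatmap's code; it uses only the Go standard library. The choice to bind each ciphertext to its owning workspace id via GCM's additional authenticated data (AAD), the `SealSecret`/`OpenSecret` names and the `ws_demo` value are assumptions made for the example, not details taken from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

const kekSize = 32 // AES-256 key length in bytes

// SealSecret encrypts one stored secret (an API key, license key or OIDC
// client secret) with AES-256-GCM under kek. A fresh random 12-byte nonce is
// generated per call and prepended to the ciphertext; the result is base64 so
// it fits in a text column. aad (assumed here to be the owning workspace id)
// is authenticated but not encrypted, so a ciphertext copied into another
// workspace's row fails to open.
func SealSecret(kek, plaintext, aad []byte) (string, error) {
	if len(kek) != kekSize {
		return "", errors.New("kek must be 32 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext||tag after the nonce: nonce||ciphertext||tag.
	sealed := gcm.Seal(nonce, nonce, plaintext, aad)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenSecret reverses SealSecret. A wrong KEK, a wrong aad, or a single
// flipped bit in the stored value all make GCM tag verification fail.
func OpenSecret(kek []byte, stored string, aad []byte) ([]byte, error) {
	if len(kek) != kekSize {
		return nil, errors.New("kek must be 32 bytes")
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored value too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed KEK for the demo. In production it is loaded into process
	// memory at boot and never written to the database.
	kek := make([]byte, kekSize)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	workspace := []byte("ws_demo") // constructed workspace id used as AAD
	stored, err := SealSecret(kek, []byte("lm_live_constructed_api_key"), workspace)
	if err != nil {
		panic(err)
	}
	fmt.Println("what a DB dump contains:", stored)

	pt, err := OpenSecret(kek, stored, workspace)
	fmt.Printf("with the KEK in process: %q err=%v\n", pt, err)

	_, err = OpenSecret(kek, stored, []byte("ws_other"))
	fmt.Println("same KEK, ciphertext moved to another workspace row:", err)

	_, err = OpenSecret(make([]byte, kekSize), stored, workspace)
	fmt.Println("dump without the KEK:", err)
}
```

The point the example makes concrete is the one the paragraph states: the stored column holds only nonce, ciphertext and tag, so a dump is unusable without the KEK, and because the KEK never touches the database, rotating it means re-sealing rows rather than re-issuing customer secrets.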
No passwords, no shared accounts
Magic-link auth by default; optional TOTP per workspace. SAML 2.0 + OIDC + SCIM available on Business+. One operator = one identity, MFA enforced for every staff account.
RLS-forced by default
Every customer-data table in Supabase has Row-Level Security forced with zero policies, so only the service role can read or write it. Per-workspace authorisation happens at the application layer; no path bypasses that gate.
Audit every operator action
Every leatmap staff action against your workspace is logged with actor, target, before/after diff. Customer-side audit log surfaces config changes, IP allowlist updates, retention policy changes, and operator impersonation.
72-hour breach notification
Following GDPR Art. 33, we file with the Dutch DPA within 72 hours of detecting a personal-data breach. Workspace admins are emailed directly within 4 hours for S0/S1 incidents.
Sub-processors
Vendors we use to deliver the service. Each is itself a SOC 2 Type II-certified processor; the full live list lives in your DPA at /legal/dpa.
| Vendor | Purpose | Region | SOC 2 |
|---|---|---|---|
| Vercel | Dashboard hosting + edge functions | Global | ✓ |
| Fly.io | Collector + Postgres (event storage) | EU (ams, fra), US (iad) | ✓ |
| Supabase | Dashboard auth + control-plane DB | EU (Frankfurt) | ✓ |
| Paddle | Subscription billing | Global | ✓ |
| Resend | Transactional email | US | ✓ |
| Sentry | Error reporting (PII-scrubbed) | EU (Frankfurt) | ✓ |
Certifications
- SOC 2 Type II: In observation window — audit opened sprint-37, report Q1 2027
- ISO 27001: Planned post-SOC 2
- GDPR: Art. 28 DPA available via /settings/legal in the dashboard
- CCPA: Self-attest
- HIPAA: Available on request (Business+ with BAA)
SOC 2 Type II report
We opened the SOC 2 Type II observation window in sprint-37. The report is expected once the audit completes (~Q1 2027). The download link becomes available the moment the auditor delivers it. Until then, enterprise customers under NDA can request the in-progress evidence pack via security@syntarie.com.
Reporting a vulnerability
Email security@syntarie.com. Include reproduction steps, affected surface (dashboard / collector / SDK / API), an impact estimate, and your preferred disclosure timeline. We respond within 48 hours.
Our default disclosure window is 90 days for non-critical findings. Active-exploit reports are treated as S0 incidents with immediate mitigation.
Need more detail?
Enterprise customers can request our full security policy, incident response playbook, and SOC 2 evidence pack under NDA. Reach security@syntarie.com.