Security-first launch controls

Security for owned contractor lead capture.

LeadForm protects homeowner requests, contractor workspaces, CRM tokens, billing events, consent evidence, and launch test data with practical controls designed for a US Home Services SaaS.

Governance, risk and compliance

Honest security posture.

LeadForm should not claim SOC 2 Type II or ISO 27001 certification until those audits are complete. This page documents current controls and the certification roadmap without overclaiming.

Roadmap

SOC 2 readiness

Controls are being shaped around audit-ready SaaS operations, but LeadForm is not yet SOC 2 certified.

Roadmap

ISO 27001

Information security management certification is a future milestone, not a current claim.

Active

Privacy and TCPA

Product flows include privacy pages, Terms, TCPA consent capture, and launch-data cleanup controls.

Security you can build on

Controls that protect the launch path.

The biggest security risk in this product is mishandled homeowner data. LeadForm turns that risk into explicit controls around auth, tenancy, consent, CRM, billing, and launch testing.

Authentication and workspace isolation

LeadForm uses Supabase Auth, server-side session checks, and organization-scoped data access so each contractor workspace can only access its own operating data.

Row Level Security and service boundaries

Workspace data is isolated by server-side access controls. Elevated access is limited to trusted server routes such as public form submissions, webhooks, and background jobs.

Encrypted integration tokens

HubSpot OAuth tokens are encrypted before storage. The app treats HubSpot access as sensitive infrastructure, not ordinary profile data.

Signed webhooks

Billing events are accepted only through signed Lemon Squeezy webhooks, and event processing is idempotent to reduce replay and duplicate-event risk.

Security headers

Production responses include hardened browser headers such as CSP, HSTS, X-Frame-Options, Referrer-Policy, COOP, and permissions policy controls.

Launch test separation

Synthetic 🔥 Urgent requests and 50-request simulation are tagged as launch data so admins can validate readiness and clean test records before paid traffic.

Responsible disclosure

If you believe you found a vulnerability in LeadForm, please report it responsibly. Do not access, modify, exfiltrate, or delete customer data. Do not run destructive tests or disrupt service.

security@useleadform.com

Review priorities

Secure software development

LeadForm routes validate inputs server-side, keep private credentials out of the browser, and run sensitive operations in Route Handlers or Server Components.

CRM and payment safety

HubSpot delivery, HubSpot avancé setup, test delivery, billing checkout, and webhook processing are handled server-side with explicit configuration checks.

Consent and audit context

Quote forms can store legal proof, timestamps, form URLs, user agent context, HubSpot status, activity timelines, and launch checklist history.

Responsible disclosure

LeadForm does not run a public paid bug bounty yet. Security reports are accepted by email and reviewed as a priority.

Subprocessors directory

Providers that help operate LeadForm.

View privacy policy

Vercel

Application hosting and edge delivery

Supabase

Authentication, database, storage, and server data access

HubSpot

Optional HubSpot delivery when connected by a workspace

Lemon Squeezy

Checkout, subscription, tax, and billing operations

Google

Optional Google sign-in and configured platform services

Resend / email provider

Transactional email when configured

Security controls

Built for a contractor revenue workflow.

The controls below map to real LeadForm product surfaces: quote forms, Incoming Quotes, HubSpot, Lemon Squeezy billing, Traffic simulator, and public homeowner requests.

App visibility and governance

Owner alerts, launch exceptions, traffic mode, and readiness reports turn technical risk into visible operational states.

Integration boundaries

HubSpot and billing integrations are configured server-side and surfaced through explicit readiness states.

Public endpoint hardening

Public submission, webhook, and cron endpoints use constrained handlers, signatures where applicable, and server-side validation.

No false compliance badges

LeadForm can show readiness and controls now, while reserving SOC 2 and ISO claims for completed audits.

Security without theater

Build the quote engine before scaling traffic.

Start building