Security for owned contractor lead capture.
LeadForm protects homeowner requests, contractor workspaces, CRM tokens, billing events, consent evidence, and launch test data with practical controls designed for a US Home Services SaaS.
Governance, risk and compliance
Honest security posture.
LeadForm should not claim SOC 2 Type II or ISO 27001 certification until those audits are complete. This page documents current controls and the certification roadmap without overclaiming.
SOC 2 readiness
Controls are being shaped around audit-ready SaaS operations, but LeadForm is not yet SOC 2 certified.
ISO 27001
Information security management certification is a future milestone, not a current claim.
Privacy and TCPA
Product flows include privacy pages, Terms, TCPA consent capture, and launch-data cleanup controls.
Security you can build on
Controls that protect the launch path.
The biggest security risk in this product is mishandled homeowner data. LeadForm turns that risk into explicit controls around auth, tenancy, consent, CRM, billing, and launch testing.
Authentication and workspace isolation
LeadForm uses Supabase Auth, server-side session checks, and organization-scoped data access so each contractor workspace can only access its own operating data.
Row Level Security and service boundaries
Workspace data is isolated by server-side access controls. Elevated access is limited to trusted server routes such as public form submissions, webhooks, and background jobs.
Encrypted integration tokens
HubSpot OAuth tokens are encrypted before storage. The app treats HubSpot access as sensitive infrastructure, not ordinary profile data.
Signed webhooks
Billing events are accepted only through signed Lemon Squeezy webhooks, and event processing is idempotent to reduce replay and duplicate-event risk.
Security headers
Production responses include hardened browser headers such as CSP, HSTS, X-Frame-Options, Referrer-Policy, COOP, and permissions policy controls.
Launch test separation
Synthetic 🔥 Urgent requests and 50-request simulation are tagged as launch data so admins can validate readiness and clean test records before paid traffic.
Responsible disclosure
If you believe you found a vulnerability in LeadForm, please report it responsibly. Do not access, modify, exfiltrate, or delete customer data. Do not run destructive tests or disrupt service.
security@useleadform.comReview priorities
Secure software development
LeadForm routes validate inputs server-side, keep private credentials out of the browser, and run sensitive operations in Route Handlers or Server Components.
CRM and payment safety
HubSpot delivery, HubSpot avancé setup, test delivery, billing checkout, and webhook processing are handled server-side with explicit configuration checks.
Consent and audit context
Quote forms can store legal proof, timestamps, form URLs, user agent context, HubSpot status, activity timelines, and launch checklist history.
Responsible disclosure
LeadForm does not run a public paid bug bounty yet. Security reports are accepted by email and reviewed as a priority.
Subprocessors directory
Providers that help operate LeadForm.
Vercel
Application hosting and edge delivery
Supabase
Authentication, database, storage, and server data access
HubSpot
Optional HubSpot delivery when connected by a workspace
Lemon Squeezy
Checkout, subscription, tax, and billing operations
Optional Google sign-in and configured platform services
Resend / email provider
Transactional email when configured
Security controls
Built for a contractor revenue workflow.
The controls below map to real LeadForm product surfaces: quote forms, Incoming Quotes, HubSpot, Lemon Squeezy billing, Traffic simulator, and public homeowner requests.
App visibility and governance
Owner alerts, launch exceptions, traffic mode, and readiness reports turn technical risk into visible operational states.
Integration boundaries
HubSpot and billing integrations are configured server-side and surfaced through explicit readiness states.
Public endpoint hardening
Public submission, webhook, and cron endpoints use constrained handlers, signatures where applicable, and server-side validation.
No false compliance badges
LeadForm can show readiness and controls now, while reserving SOC 2 and ISO claims for completed audits.