Security

Your data is safe with Leadpages.

Security isn't an afterthought. Every page you publish, every lead you capture, and every piece of customer data is protected by enterprise-grade infrastructure and industry-standard practices.

Our Practices

Enterprise-grade security, built in.

From encryption to compliance, here's how we protect your data at every layer.

SSL/TLS Encryption

Every page, custom domain, and API endpoint is served over HTTPS with TLS 1.3. Free SSL certificates are provisioned automatically for all custom domains.

SOC 2 Compliance

We are actively pursuing SOC 2 Type II certification. Our security controls are designed to meet the Trust Services Criteria for security, availability, and confidentiality.

OAuth Authentication

API and MCP integrations use OAuth 2.0 and Bearer token authentication. Your credentials are never shared with third-party tools or AI agents.

Content Scanning

Every page is automatically scanned for malicious content on publish. Phishing attempts, malware, and abuse are detected and flagged before they reach visitors.

DDoS Protection

All traffic routes through Cloudflare's global CDN, providing enterprise-grade DDoS mitigation, rate limiting, and bot management at the edge.

Encryption at Rest

All data is encrypted at rest using AES-256. Database backups, file storage, and sensitive fields are encrypted independently with managed keys.

GDPR Compliance

We support data subject access requests, right to deletion, and data portability. Our infrastructure and data processing practices meet GDPR requirements.

Regular Security Audits

We conduct regular internal security reviews and vulnerability assessments. Dependencies are continuously monitored for known vulnerabilities.

Infrastructure

Built on infrastructure you can trust.

Global CDN, managed hosting, encrypted databases. Your pages are fast, reliable, and secure.

330+

Cloudflare Edge Locations

Your pages are cached and served from the nearest edge node, minimizing latency for visitors worldwide.

99.9%

Uptime SLA

Our infrastructure is designed for high availability with automated failover, health checks, and zero-downtime deploys.

Railway

Managed Hosting

Our application runs on Railway's managed platform with automatic scaling, isolated containers, and encrypted networking.

<50ms

Edge Response Time

Cloudflare CDN caching and Redis in-memory caching ensure your pages load fast for every visitor.

PostgreSQL

Encrypted Database

All data is stored in PostgreSQL with encryption at rest, automated daily backups, and point-in-time recovery.

Responsible Disclosure

Found a vulnerability?

We take security reports seriously. If you've discovered a potential vulnerability in Leadpages, we want to hear from you.

How to Report

Email us at security@leadpages.com with a detailed description of the issue, including steps to reproduce if possible.

What to Expect

  • Acknowledgment within 2 business days
  • Status update within 5 business days
  • We will not take legal action against good-faith researchers
  • Credit given in our security acknowledgments (if desired)

Guidelines

Please do not publicly disclose the vulnerability until we've had a chance to address it. Do not access or modify other users' data. Do not perform actions that could harm the availability of our service.

FAQ

Security questions, answered.

Your data is stored in encrypted PostgreSQL databases hosted on Railway's managed infrastructure. Page HTML files are stored in encrypted object storage (MinIO). All data is encrypted at rest using AES-256 and in transit via TLS 1.3.
No. We never sell or share your data with third parties for marketing purposes. Data is only shared with infrastructure providers (Railway, Cloudflare, MinIO) as necessary to operate the service, and all providers are contractually bound to protect your data.
Every page created through our AI agent or MCP server goes through the same content scanning pipeline as manually created pages. Content is scanned for malicious scripts, phishing patterns, and abuse before it becomes publicly accessible.
In the unlikely event of a data breach, we will notify affected users within 72 hours as required by GDPR. We maintain an incident response plan that includes containment, investigation, notification, and remediation procedures.
Yes. You can delete your account and all associated data at any time from your dashboard settings. We also honor GDPR data subject access requests and right-to-deletion requests submitted to privacy@leadpages.com.
Yes. All custom domains receive free SSL certificates provisioned automatically via Cloudflare. Traffic is encrypted end-to-end from the visitor's browser to our origin servers. Certificates are renewed automatically before expiration.

Get Started

Build with confidence.
We've got your back.

14-day free trial. Enterprise-grade security on every plan. No credit card required.
