Lead Distro AI
Security & Compliance

Built for enterprise lead distribution

Lead Distro AI processes millions of leads a month for agencies, brokers, and buyers in regulated verticals. Our security program is designed for the volume, sensitivity, and compliance requirements that come with that scale.

Last updated: April 11, 2026

Six layers of protection

Every lead record is protected by the same controls enterprise buyers expect from any SaaS platform handling regulated data.

Encrypted at every layer

TLS 1.2+ in transit. AES-256 at rest. OAuth tokens wrapped in application-layer envelope encryption.

Role-based access control

Granular team roles, principle of least privilege, and MFA required on all employee accounts.

Append-only audit logs

Every sign-in, impersonation, data export, and sensitive change is written to an append-only, immutable log.

Tenant isolation

All customer data scoped by organization ID at the application layer, with row-level security at the database layer.

72-hour breach SLA

Documented incident response runbook. Customers notified within 72 hours of any confirmed personal data breach.

Daily encrypted backups

Point-in-time recovery across a 90-day window. Backup rotation purges on a fixed schedule.

Compliance & regulations

Lead distribution runs into more regulations than almost any other SaaS category. We document every obligation and give you the tooling to meet it.

GDPR & UK GDPR

Full Data Processing Addendum available, incorporating EU Standard Contractual Clauses (SCCs) Module Two and the UK International Data Transfer Addendum.

View DPA

CCPA / CPRA

California Consumer Privacy Act and California Privacy Rights Act obligations documented in our DPA and Privacy Policy.

View Privacy Policy

TCPA compliance tooling

Built-in consent verification, do-not-call scrubbing, time-of-day enforcement, and audit trails for every lead routed through the platform.

Read the TCPA guide

Sub-processor transparency

Full list of sub-processors (Supabase, Vercel, Clerk, Stripe, Anthropic, and others) disclosed in our DPA with 30-day advance notice of any additions.

View sub-processors

Infrastructure & operations

We run on the same infrastructure Fortune 500 companies use for their most sensitive workloads, configured for the lead distribution use case.

Enterprise cloud infrastructure

  • Hosted on Vercel (iad1) and Supabase (us-east-1)
  • Edge CDN with DDoS protection
  • Automated failover and horizontal scaling
  • Daily encrypted database backups with point-in-time recovery

API-first architecture

  • REST API available on every paid plan
  • Webhook delivery with signature verification
  • Rate limiting and quota management
  • Full API documentation and sandbox environment

Operational security

  • Automated dependency scanning and CVE remediation
  • Environment-based secrets (no credentials in source control)
  • MFA required for all employee accounts
  • Documented incident response runbook

Frequently asked questions

The security questions we hear most from enterprise buyers.

Is Lead Distro AI SOC 2 compliant?

Lead Distro AI is built on SOC 2 Type II compliant infrastructure (Vercel, Supabase, Clerk, Stripe) and implements the controls required for SOC 2 Type II at the application layer, including encryption, access controls, audit logging, and incident response. Formal SOC 2 Type II certification for the Lead Distro AI application is on our compliance roadmap. Enterprise customers can request our current security questionnaire and sub-processor attestations.

How is lead data encrypted?

All data in transit uses TLS 1.2 or higher. All data at rest is encrypted with AES-256. OAuth tokens for third-party integrations (Meta, Google, Clio, HubSpot, Salesforce) are wrapped in application-layer envelope encryption so they cannot be read even from a database backup.

Does Lead Distro AI support single sign-on (SSO)?

SSO via Google and Microsoft is available out of the box. SAML 2.0 SSO (Okta, Azure AD, Google Workspace, OneLogin) is available for Enterprise customers. Contact sales to enable SAML on your workspace.

What is your breach notification SLA?

72 hours. After confirming a personal data breach, we notify affected customers within 72 hours, as required under GDPR Article 33 and documented in our Data Processing Addendum.

Where is my data stored?

Primary data storage is in the United States (AWS us-east-1 via Supabase; Vercel iad1 for application hosting). EU data residency options are available for Enterprise customers with specific residency requirements. International transfers are governed by the EU Standard Contractual Clauses (SCCs) Module Two.

How do you handle TCPA compliance for lead distribution?

Lead Distro AI includes built-in TCPA compliance tooling: consent capture and storage on every inbound lead, configurable time-of-day enforcement per buyer, do-not-call list scrubbing, and complete audit trails that show exactly which buyer received which lead and when. TCPA obligations still rest with the customer as the data controller, but our tooling is designed to make compliance enforceable at the platform layer.

Can I request a security questionnaire or audit?

Yes. Enterprise customers can request our standard security questionnaire, sub-processor attestations, and reasonable audits of our controls. Contact support@leaddistro.ai with your request.

Do you offer a Business Associate Agreement (BAA) for HIPAA?

Lead Distro AI is not currently a HIPAA-covered entity and does not sign BAAs by default. Customers processing protected health information (PHI) should contact sales before using the platform so we can assess whether a BAA and additional controls are appropriate.

Ready for enterprise lead distribution?

Start a free trial or request our security questionnaire, sub-processor list, and SLA terms. Our team responds within one business day.

Questions? Email support@leaddistro.ai