Security at a glance
- Data hosted in Microsoft Azure US-East with multi-AZ redundancy.
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- SSO/MFA enforced for production access; least-privilege roles.
- SOC 2 Type II audit in progress; ISO 27001 control mapping maintained.
- 24/7 monitoring, paging and incident response.
- Annual third-party penetration tests; continuous vulnerability scanning.
Infrastructure & hosting
EZLeads is hosted on Microsoft Azure in the United States. Production runs across multiple availability zones with automatic failover, redundant storage, and tiered backups. Network ingress is fronted by Cloudflare's WAF, DDoS mitigation and bot management; only required ports are exposed and all plaintext HTTP requests are redirected to HTTPS.
Data protection
- In transit: TLS 1.2+, HSTS, modern cipher suites only.
- At rest: AES-256 disk and database-level encryption with envelope keys managed in Azure Key Vault.
- Backups: Encrypted daily backups retained 30 days; tested for restorability quarterly.
- Segregation: Multi-tenant logical isolation; every data query is scoped to the caller's tenant ID at the row level, and audit logs are kept per tenant.
- Deletion: Cryptographic erasure of customer data within 90 days of termination.
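What "row-level tenant filters" means in practice, as an added illustration (not EZLeads' code; the table, column names and sample rows are constructed for the example): every read goes through a repository object that is bound to one tenant ID and adds that predicate to each query, so a lookup by primary key alone, the classic cross-tenant IDOR, cannot be written by accident. The unsafe variant is kept alongside only to show what the filter prevents.

```python
import sqlite3

# Constructed sample data for the example; not EZLeads data.
SEED_ROWS = [
    (1, "tenant-a", "Alice Lead"),
    (2, "tenant-a", "Arnold Lead"),
    (3, "tenant-b", "Bob Lead"),
]


def build_db():
    """In-memory SQLite stand-in for the multi-tenant leads table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE leads ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO leads VALUES (?, ?, ?)", SEED_ROWS)
    # The tenant column is indexed so the mandatory predicate is cheap, not just correct.
    conn.execute("CREATE INDEX ix_leads_tenant ON leads(tenant_id)")
    conn.commit()
    return conn


class TenantRepo:
    """All data access for one tenant. The tenant predicate is added by the
    repository, never by the caller, so it cannot be forgotten or spoofed
    via a request parameter."""

    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant context is required for every query")
        self.conn = conn
        self.tenant_id = tenant_id

    def get_lead(self, lead_id):
        # Primary key AND tenant: a valid id from another tenant returns nothing,
        # which is indistinguishable from a non-existent id.
        return self.conn.execute(
            "SELECT id, tenant_id, name FROM leads WHERE id = ? AND tenant_id = ?",
            (lead_id, self.tenant_id),
        ).fetchone()

    def list_leads(self):
        return self.conn.execute(
            "SELECT id, name FROM leads WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        ).fetchall()


def unsafe_get_lead(conn, lead_id):
    """The anti-pattern the tenant filter exists to rule out: lookup by id only.
    Any authenticated user who guesses another tenant's id reads their row."""
    return conn.execute(
        "SELECT id, tenant_id, name FROM leads WHERE id = ?", (lead_id,)
    ).fetchone()


def demo():
    conn = build_db()
    tenant_a = TenantRepo(conn, "tenant-a")
    return {
        "own_rows": tenant_a.list_leads(),          # [(1, 'Alice Lead'), (2, 'Arnold Lead')]
        "cross_tenant_scoped": tenant_a.get_lead(3),  # None: row 3 belongs to tenant-b
        "cross_tenant_unsafe": unsafe_get_lead(conn, 3),  # (3, 'tenant-b', 'Bob Lead')
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the tenant ID comes from the authenticated session, not from the request body or URL, and is attached once when the repository is constructed; database-side row-level security policies achieve the same invariant at a lower layer and are a sensible belt-and-braces addition.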
Access control & identity
- Mandatory SSO + MFA for all employees with access to production.
- Just-in-time elevation for sensitive operations; default deny.
- Quarterly access reviews; offboarding playbook executed immediately when someone leaves.
- Customer-side: SAML 2.0 / OIDC SSO available on Group plans; granular role-based permissions on every plan.
Secure development lifecycle
- Code review required for every change; protected main branches.
- Static analysis (SAST), dependency scanning (SCA) and secrets scanning on every PR.
- Container image scanning and signed deploy artifacts.
- Annual third-party penetration tests; an executive summary is available on request under NDA.
- Bug bounty / responsible disclosure program (see below).
Monitoring & incident response
- Centralised log aggregation with anomaly alerting (Datadog, Sentry).
- Documented incident-response runbooks; quarterly game-day exercises.
- Affected customers are notified within 72 hours of a confirmed breach involving their data.
Business continuity
- RPO ≤ 1 hour, RTO ≤ 4 hours for the core platform.
- Geo-redundant backups with quarterly restore drills.
- Documented disaster-recovery plan; reviewed annually.
Compliance & certifications
- SOC 2 Type II audit in progress; bridge letter available on request.
- GDPR & CCPA-aligned data-subject-rights workflows.
- PCI DSS: we minimise our own scope by delegating card processing to Stripe, a PCI DSS Level 1 service provider, and align with PCI DSS controls for whatever remains in scope.
- Our Facebook integrations go through Meta App Review.
Reporting a vulnerability
Security researchers and customers can report suspected vulnerabilities to security@ezleads.io. We acknowledge reports within 2 business days and aim to resolve high-severity issues within 30 days. Please act in good faith — no testing against production data, no social-engineering of staff, no extortion. We will not pursue legal action against researchers who follow these rules.
For emergency security issues affecting your account, call (786) 755-0991.
Questions about this document?
EZLeads is a fully online platform. Reach our legal & privacy team at privacy@ezleads.io. EZLeads Management, Corp. is governed by the laws of the State of Florida, United States.