Security

Last updated: December 2024

At Leemu, we take the security of your data seriously. This page outlines our security practices, data handling procedures, and how we protect your information.

1. Data Storage

All Leemu data is stored securely on Google Cloud Platform (GCP) infrastructure:

  • Database: Cloud SQL PostgreSQL with encryption at rest
  • Application: Google Cloud Run with automatic scaling and security updates
  • Region: Data is stored in US-based data centers (us-central1)
  • Backups: Automated daily backups with point-in-time recovery

2. Data Retention Policy

We retain your data according to the following policies:

  • Active Accounts: Data is retained for the duration of your subscription
  • Account Deletion: Upon account deletion request, all personal data is removed within 30 days
  • OKR Data: Historical OKR data is retained for reporting and analytics purposes during your subscription
  • Logs: System logs are retained for 90 days for security and debugging purposes
  • Backups: Database backups are retained for 30 days and then automatically deleted

3. Data Archival and Removal

You can request data archival or removal at any time:

  • Data Export: Export your complete OKR data at any time from your account settings
  • Data Deletion: Request complete data deletion by contacting privacy@leemu.io
  • Right to be Forgotten: We comply with GDPR data deletion requests within 30 days
  • Third-Party Integrations: Data shared with connected services (e.g., Slack, Microsoft Teams, Jira) is subject to their retention policies

4. AI and LLM Usage

Leemu does not expose customer data to external Large Language Models (LLMs) or AI training.

  • Our AI features use on-platform processing only
  • Your OKR data is never sent to third-party AI services for training
  • AI-generated suggestions are created without exposing your data externally
  • We do not use customer data to train machine learning models

5. Authentication and Access Control

5.1 Single Sign-On (SSO)

Leemu supports Single Sign-On (SSO). The following sign-in methods are offered:

  • Google OAuth 2.0: Sign in with your Google Workspace account
  • Email/Password: Traditional email-based authentication with secure password hashing

5.2 SAML Support

SAML-based SSO is not currently available but is on our roadmap for enterprise customers. Contact us at sales@leemu.io if you require SAML integration.

5.3 Third-Party Authentication

The following third-party authentication providers are used; each is required for the features listed:

  • Google OAuth: Required for Google SSO users and Google Calendar integration
  • Slack OAuth: Required for Slack integration features
  • Microsoft Teams OAuth: Required for Microsoft Teams integration features (via Microsoft Entra ID)
  • Jira OAuth: Required for Jira integration features (via Atlassian)

6. Security Practices

  • Encryption in Transit: All data is encrypted using TLS 1.3
  • Encryption at Rest: Database and backups are encrypted using AES-256
  • Access Controls: Role-based access control (RBAC) for all users
  • Session Management: Secure session handling with automatic expiration
  • Input Validation: All user inputs are validated and sanitized
  • Dependency Scanning: Regular automated scanning for vulnerable dependencies

7. Security Team

As an early-stage startup, Leemu does not have a dedicated security team. Security responsibilities are handled by our engineering team with the following measures:

  • Security-focused code reviews for all changes
  • Regular security training for all team members
  • Use of industry-standard security tools and practices
  • Engagement with external security consultants as needed

8. Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue:

  • Email: security@leemu.io
  • Response Time: We aim to acknowledge reports within 48 hours
  • Resolution: Critical vulnerabilities are prioritized and addressed promptly

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact information for follow-up

9. Bug Bounty Program

Leemu does not currently operate a formal bug bounty program. However, we appreciate and acknowledge security researchers who responsibly disclose vulnerabilities. We may offer recognition or rewards at our discretion for significant findings.

10. Compliance

We are committed to maintaining compliance with applicable regulations:

  • GDPR: We comply with EU data protection requirements
  • SOC 2: SOC 2 Type II certification is in progress
  • Data Processing Agreements: Available upon request for enterprise customers

11. Third-Party Integrations Security

When you connect Leemu with third-party services:

  • Slack: We use OAuth 2.0 for secure authorization. Only requested permissions are used.
  • Microsoft Teams: We use OAuth 2.0 via Microsoft Entra ID for secure authorization. Only requested Microsoft Graph API permissions are used.
  • Jira: We use OAuth 2.0 via Atlassian for secure authorization. Only requested Jira API scopes are used.
  • Google Calendar: Read/write access is limited to OKR-related calendar events.
  • Data Sharing: Only necessary data is shared with connected services.
  • Revocation: You can disconnect integrations at any time from your account settings.

12. Contact Us

For security-related inquiries, please contact:

Security: security@leemu.io
Privacy: privacy@leemu.io
General: support@leemu.io