Security

Security posture, plainly stated

Leku protects project memory with layered controls, vendor governance, and explicit data-use commitments. We separate controls that exist today from compliance milestones that require independent audit or separate customer agreements.

Current controls

Practical safeguards for customer content.

Encryption

Production traffic uses HTTPS/TLS. Persistent data and platform secrets are protected by provider-managed encryption at rest, including the AES-256 encryption documented by the managed platforms Leku uses.

Access control

Workspace data follows a zero-trust-style access model: every request is authenticated and scoped by project membership, least privilege, and database row-level security policies. Internal platform access follows MFA requirements and periodic access review policies.

Auditability

Requests receive correlation IDs and are logged by audit middleware. Privacy-rights workflows write to an append-only audit trail with no client-side read, update, or delete policies.
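One way to express the membership-scoped row-level security described under Access control and the append-only audit trail described under Auditability, as an added PostgreSQL example that is not Leku's own schema. It assumes the API connects as a non-owner role app_user, sets the caller's identity per request with SET LOCAL app.user_id, and uses illustrative table and column names.

```sql
-- Added example (not Leku's own schema): project-scoped row-level security
-- plus an append-only audit table in PostgreSQL.
-- Assumptions: the API connects as role app_user (not the table owner) and
-- sets the caller's identity per request with  SET LOCAL app.user_id = '<uuid>';
-- Table and column names are illustrative.

CREATE ROLE app_user NOLOGIN;

CREATE TABLE projects (
  id   uuid PRIMARY KEY,
  name text NOT NULL
);

CREATE TABLE project_members (
  project_id uuid NOT NULL REFERENCES projects(id),
  user_id    uuid NOT NULL,
  PRIMARY KEY (project_id, user_id)
);

-- "Project memory": content that must only be visible to project members.
CREATE TABLE memory_items (
  id         uuid PRIMARY KEY,
  project_id uuid NOT NULL REFERENCES projects(id),
  body       text NOT NULL,
  created_by uuid NOT NULL
);

-- Reads the per-request identity the API set with SET LOCAL. missing_ok=true
-- returns NULL instead of an error when nothing is set, so an unauthenticated
-- session matches no rows at all.
CREATE FUNCTION current_app_user() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('app.user_id', true), '')::uuid
$$;

-- Least privilege: app_user gets only the DML it needs. RLS is enabled AND
-- forced so even the table owner is subject to the policies.
GRANT SELECT, INSERT, UPDATE, DELETE ON memory_items TO app_user;
GRANT SELECT ON project_members TO app_user;   -- policy subquery runs as app_user
ALTER TABLE memory_items ENABLE ROW LEVEL SECURITY;
ALTER TABLE memory_items FORCE ROW LEVEL SECURITY;

-- Every row access is scoped by project membership: rows are visible (USING)
-- and writable (WITH CHECK) only for projects the caller belongs to.
CREATE POLICY memory_by_membership ON memory_items
  FOR ALL TO app_user
  USING (EXISTS (
    SELECT 1 FROM project_members m
    WHERE m.project_id = memory_items.project_id
      AND m.user_id = current_app_user()))
  WITH CHECK (EXISTS (
    SELECT 1 FROM project_members m
    WHERE m.project_id = memory_items.project_id
      AND m.user_id = current_app_user()));

-- Append-only audit trail for privacy-rights workflows.
CREATE TABLE privacy_audit (
  id          bigserial PRIMARY KEY,
  occurred_at timestamptz NOT NULL DEFAULT now(),
  request_id  text NOT NULL,            -- correlation ID from the API layer
  actor_id    uuid,
  action      text NOT NULL,
  detail      jsonb NOT NULL DEFAULT '{}'::jsonb
);

ALTER TABLE privacy_audit ENABLE ROW LEVEL SECURITY;
ALTER TABLE privacy_audit FORCE ROW LEVEL SECURITY;

-- The client-facing role may only INSERT. No SELECT, UPDATE or DELETE policy
-- exists, so with RLS enabled those statements see or touch zero rows; the
-- absent GRANTs additionally make UPDATE/DELETE a permission error.
GRANT INSERT ON privacy_audit TO app_user;
GRANT USAGE ON SEQUENCE privacy_audit_id_seq TO app_user;
CREATE POLICY privacy_audit_append_only ON privacy_audit
  FOR INSERT TO app_user
  WITH CHECK (true);

-- Defence in depth: superusers and BYPASSRLS roles skip RLS, so a trigger
-- rejects UPDATE/DELETE for every role.
CREATE FUNCTION privacy_audit_block_change() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'privacy_audit is append-only (% blocked)', TG_OP;
END
$$;
CREATE TRIGGER privacy_audit_no_change
  BEFORE UPDATE OR DELETE ON privacy_audit
  FOR EACH ROW EXECUTE FUNCTION privacy_audit_block_change();

-- Per-request usage from the API, inside one transaction (constructed values):
--   BEGIN;
--   SET LOCAL app.user_id = '11111111-1111-1111-1111-111111111111';
--   SELECT id, body FROM memory_items;        -- only the caller's projects
--   INSERT INTO privacy_audit (request_id, actor_id, action)
--     VALUES ('req-abc123', '11111111-1111-1111-1111-111111111111', 'export_requested');
--   COMMIT;
```

The identity is set with SET LOCAL rather than SET so it is scoped to the transaction and cannot leak into the next request on a pooled connection; a quick check is that SELECT count(*) FROM memory_items as app_user returns 0 before app.user_id is set and only the caller's projects after.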

API and edge protection

The API applies authentication, scoped API tokens where used, OAuth-based integrations where applicable, CORS restrictions, per-IP rate limits, request size limits, strict security headers, and request correlation IDs.

Secrets management

Application secrets are stored in managed platform secret stores, not source code. Service credentials follow rotation and emergency revocation procedures.

AI data handling

Customer content sent for AI features is used for requested processing only. Leku does not use workspace content to train AI models or improve unrelated services.

Vendor governance

Critical subprocessors are reviewed for SOC 2 Type II or equivalent controls, DPA coverage, encryption, incident response, data location, and subprocessor practices.

Compliance status

Enterprise readiness is staged.

Tier 1

Essential controls

Active: TLS, provider-managed AES-256 at rest, zero-trust-style authorization, row-level security, API rate limiting, security headers, scoped API tokens, request logging, append-only privacy audit records, vendor review, managed secret stores, and no-training commitments. In progress: SOC 2 Type II audit readiness, ISO 27001-aligned ISMS evidence, and comprehensive immutable audit records for all data access.

Tier 2

Strong customer assurance

Planned: customer DPA template, security questionnaire package, annual third-party penetration test cadence, continuous vulnerability evidence, formal customer-facing subprocessor notice process, customer MFA enforcement options, and private-network/no-public-database posture for enterprise deployments.

Tier 3

Enterprise-grade requirements

Roadmap only unless separately agreed: SSO/SAML, SCIM provisioning, customer-selected regional data residency, webhook signing for future webhook products, BAA support, FedRAMP workstreams, and advanced DoS protections.

Trust documents

Legal and privacy pages stay short and specific.

Need a customer security review?

Send security questionnaires, DPA requests, and regulated-workload requirements to legal@leku.app before uploading data that requires special contractual controls.