Security & Compliance
Protecting the data entrusted to us is foundational to how we build and deliver our products. This page outlines our approach to security, privacy, regulatory compliance, and AI governance.
Layered protection, end to end
Our products are built on enterprise-grade infrastructure with layered security controls — covering data in transit, data at rest, access management, and continuous monitoring. Our security practices are designed in alignment with the SOC 2 Trust Services Criteria.
Infrastructure
Hosted on Amazon Web Services (AWS) with enterprise-grade physical controls. All data in transit is encrypted via TLS 1.2 or higher. All data at rest is encrypted using AES-256. Backups are encrypted and stored across geographically distributed facilities.
Access Controls
Role-based access control (RBAC) enforced across all systems. Access to customer data is limited to authorized personnel and fully logged. Administrative access to infrastructure requires multi-factor authentication (MFA). Inactive sessions are automatically terminated.
Application Security
Developed following OWASP Top Ten guidelines, with input validation, secure session management, and formal change management. All changes are tested in a controlled staging environment before production deployment. Dependencies and components are managed as part of the development lifecycle to maintain product stability and security.
Vulnerability Management
Regular vulnerability assessments are conducted across LIS systems and applications. Identified vulnerabilities are assessed and remediated in accordance with internal risk management policies.
Incident Response
LIS maintains a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. In the event of a confirmed security incident, LIS follows its incident response procedures and notifies affected parties in accordance with applicable regulatory requirements and contractual obligations.
Operational Security
All LIS personnel complete ongoing security and data privacy training to stay current with applicable legal requirements, emerging threats, and organizational policies. Third-party service providers are evaluated for security compliance before engagement and on an ongoing basis.
Privacy by design
Privacy is built into our products from the ground up. Assessment data is anonymized by default.
Privacy by Design
Data minimization is the default. Our products are architected to minimize collection of identifiable information. Assessment data is anonymized before processing wherever possible. Encryption and access controls are applied by default.
Data Subject Rights
LIS supports data subject rights under applicable data protection law. Individuals may submit requests directly to privacy@leadingindicator.com, and LIS will respond in accordance with its obligations, as applicable.
Cookies & Tracking
Cookies are used for session management and core product functionality only — not for advertising or behavioral profiling. LIS complies with applicable electronic communications and cookie regulations across its web assets. Further information is available in the LIS Privacy Policy.
Data Retention & Deletion
Data is retained in accordance with customer agreements and applicable legal requirements. Upon contract termination, data is deleted from LIS systems in accordance with our data retention procedures and applicable contractual terms.
Where we stand, jurisdiction by jurisdiction
We operate in accordance with applicable data protection regulations across the jurisdictions in which our customers operate. Our compliance program is reviewed and maintained by dedicated privacy personnel.
EU General Data Protection Regulation (GDPR)
LIS processes personal data in compliance with the EU GDPR. We maintain a lawful basis for all processing activities, support data subject rights, and apply appropriate technical and organizational safeguards.
UK GDPR & Data Protection Act 2018
LIS's data protection practices extend to the United Kingdom under the UK GDPR and the Data Protection Act 2018. We apply equivalent standards of care for personal data processed in connection with UK data subjects, ensuring consistency with our broader privacy and compliance program.
Privacy and Electronic Communications Regulations 2003 (PECR)
LIS complies with applicable electronic communications and cookie regulations across all LIS web assets. Users are provided with appropriate disclosures and controls, detailed in our Privacy Policy.
HIPAA Security Rule
LIS has completed a formal assessment against the HIPAA Security Rule as part of its commitment to supporting customers in higher-education and healthcare-adjacent environments. While our products are general-purpose platforms not purpose-built for healthcare use, LIS is prepared to execute a Business Associate Agreement (BAA) where a specific customer's use case warrants it.
SOC 2 Trust Services Criteria
LIS's information security program is designed in alignment with the SOC 2 Trust Services Criteria, addressing confidentiality, integrity, and availability. Security practices also draw on the NIST Cybersecurity Framework and ISO/IEC 27001 principles.
EU-U.S. Data Privacy Framework
LIS is certified under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework — providing a recognized mechanism for the transfer of personal data from the EU, UK, and Switzerland to the United States.
How we govern AI in our products
LIS incorporates AI features into its products — including conversational assistance and support for interpreting assessment results — using managed, third-party large language model services. The core psychometric scoring that underpins our assessments is not AI-based and operates independently.
No Training on Customer Data
LIS does not train AI models on customer data. LLM service providers are contractually prohibited from using interaction data for training or improving their models.
Human Oversight
AI-generated outputs within our products are designed to inform and support, not to make binding decisions about individuals. Customers retain full control over how assessment results and AI-assisted content are interpreted and acted upon.
Responsible AI Procurement
LIS evaluates AI service providers against security, privacy, and ethical standards before integration. AI subprocessors are subject to the same data protection obligations as all other LIS subprocessors.
Infrastructure you can depend on
Our products are hosted on Amazon Web Services (AWS), providing the infrastructure resilience, availability, and redundancy that our customers depend on.
Backup & Recovery
Data backups are maintained across geographically distributed AWS facilities. All backups are encrypted at rest and in transit. Recovery procedures are tested to ensure recoverability.
Managed Updates & Continuity
Product updates are deployed in a controlled manner with minimal disruption to users. LIS maintains documented business continuity procedures to support the ongoing availability of its products and services.
