RansomLeak Training Platform

Security & Compliance

Last updated: October 31, 2025

Our Commitment to Security & Compliance

At RansomLeak, we understand that trust is earned through transparency and action. Your organization's security awareness training data is valuable and sensitive, and we take our responsibility to protect it seriously. This page outlines the comprehensive security measures, compliance standards, and enterprise commitments we've implemented to ensure your data remains secure, private, and accessible only to those who should have access.

Our security infrastructure is built on AWS with industry best practices, including encryption at rest and in transit, multi-tenant isolation, network segmentation, least-privilege access controls, and continuous monitoring. We maintain compliance with GDPR, CCPA, the NIST Cybersecurity Framework, DORA, the NIS2 Directive, and WCAG 2.1 Level AA accessibility standards through robust data protection policies and transparent data handling practices.

Compliance & Certifications

RansomLeak maintains compliance with industry-leading security frameworks and regulatory requirements. Our infrastructure is built on AWS, and international data transfers are covered by a Data Processing Agreement (DPA) and Standard Contractual Clauses (SCCs).

  • NIST Cybersecurity Framework: Aligned with NIST Cybersecurity Framework controls across the identify, protect, detect, respond, and recover functions.
  • Digital Operational Resilience Act (DORA): Supports EU Digital Operational Resilience Act requirements for operational resilience and ICT risk management.
  • Network and Information Security Directive 2 (NIS2): Implements security measures aligned with the EU Network and Information Security Directive for essential services.
  • Cloud Security Alliance STAR Level 1: Cloud Security Alliance STAR certification demonstrating cloud security best practices and transparency.
  • Web Content Accessibility Guidelines 2.1 Level AA: Meets Web Content Accessibility Guidelines, ensuring the platform is accessible to users with disabilities.
  • General Data Protection Regulation (GDPR) Compliant: Implements the technical and organizational measures required by the EU General Data Protection Regulation for data privacy.
  • California Consumer Privacy Act (CCPA) Compliant: Supports California Consumer Privacy Act requirements including data access, deletion, and portability rights.
  • AWS Security Best Practices: Built on AWS infrastructure following the Well-Architected Framework and inheriting AWS certifications including SOC 2 and ISO 27001.

Infrastructure Compliance Features

  • Encryption: AES-256 encryption at rest for all stored data, TLS 1.3 encryption in transit for all communications, with key management through AWS KMS.
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), least-privilege IAM policies, and comprehensive audit logging of all access.
  • Regular Audits: Internal security audits, third-party security assessments, vulnerability scanning, and penetration testing to verify security controls.
  • AWS Compliance: Built on AWS infrastructure certified for SOC 2, ISO 27001, FedRAMP, and other standards. Automatic AWS Data Processing Agreement (DPA) and Standard Contractual Clauses for EU-US data transfers.
  • Data Residency: Data stored in AWS US-East-1 (N. Virginia) with appropriate safeguards including Standard Contractual Clauses as approved by the European Commission.
  • Monitoring & Response: Continuous security monitoring, real-time threat detection, automated alerting, and documented incident response procedures with GDPR Article 33 breach notification compliance.

Data Encryption

We employ comprehensive encryption to protect your data at every stage:

  • Encryption at Rest: All stored data is encrypted using AES-256 encryption, including your database (RDS PostgreSQL), file storage (Amazon S3), and application secrets (AWS Secrets Manager). This ensures that your data is protected even if physical storage media is compromised.
  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3, the latest and most secure version of the Transport Layer Security protocol. HTTPS is enforced across all connections, with HTTP requests automatically redirected to HTTPS.
  • Key Management: Encryption keys are managed securely through AWS Key Management Service (KMS), with automatic rotation and strict access controls ensuring that keys remain protected.

Multi-Tenant Data Isolation

Enterprise-grade data separation ensures complete isolation between organizations:

  • Schema-Based Separation: Each organization's data is logically isolated using dedicated database schemas, providing strong separation boundaries at the database level.
  • Query-Level Filtering: All database queries include mandatory tenant identification, ensuring that data access is automatically filtered and scoped to the appropriate organization.
  • Access Control Validation: Application-level security controls prevent cross-tenant data access, with multiple layers of validation ensuring data remains isolated.
  • Audit Trail: All data access is logged with tenant context, providing complete visibility into data operations and enabling rapid detection of any anomalies.
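As an added illustration of the layered isolation described above (example code, not RansomLeak's own), a constructed Python data layer that derives the schema from the caller's verified tenant, carries a tenant filter on every query, refuses cross-tenant requests, and records each decision with tenant context. SQLite's ATTACH stands in for PostgreSQL schemas, and all names (Principal, TenantScopedStore, training_results) are assumptions.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Authenticated caller. tenant_id comes from the verified session, never from the request."""
    user_id: str
    tenant_id: str


class TenantIsolationError(Exception):
    pass


class TenantScopedStore:
    """Constructed stand-in for a tenant-isolated data layer (SQLite in place of PostgreSQL)."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.audit_log: list[dict] = []  # every access decision, with tenant context

    @staticmethod
    def _schema(tenant_id: str) -> str:
        # Schema names are built only from a validated tenant id, so interpolation is safe.
        if not tenant_id.isalnum():
            raise TenantIsolationError(f"invalid tenant id {tenant_id!r}")
        return f"tenant_{tenant_id}"

    def provision_tenant(self, tenant_id: str) -> None:
        schema = self._schema(tenant_id)
        # ATTACH gives each tenant its own namespace, the SQLite analogue of a dedicated schema.
        self.conn.execute(f"ATTACH DATABASE ':memory:' AS {schema}")
        self.conn.execute(
            f"CREATE TABLE {schema}.training_results (tenant_id TEXT NOT NULL, "
            "user_id TEXT NOT NULL, module TEXT NOT NULL, score INTEGER NOT NULL)"
        )

    def _authorize(self, principal: Principal, requested: str, action: str) -> str:
        # Application-level check: a caller may only touch the tenant bound to its session.
        allowed = principal.tenant_id == requested
        self.audit_log.append({"user": principal.user_id, "tenant": principal.tenant_id,
                               "requested_tenant": requested, "action": action, "allowed": allowed})
        if not allowed:
            raise TenantIsolationError(f"{principal.user_id} may not access tenant {requested}")
        return self._schema(requested)

    def record_score(self, principal: Principal, module: str, score: int) -> None:
        schema = self._authorize(principal, principal.tenant_id, "record_score")
        self.conn.execute(
            f"INSERT INTO {schema}.training_results VALUES (?, ?, ?, ?)",
            (principal.tenant_id, principal.user_id, module, score),
        )
        self.conn.commit()

    def scores(self, principal: Principal, requested_tenant: str) -> list[tuple]:
        schema = self._authorize(principal, requested_tenant, "scores")
        # Second layer: even inside the tenant's own schema, every query carries the tenant filter.
        cursor = self.conn.execute(
            f"SELECT user_id, module, score FROM {schema}.training_results WHERE tenant_id = ?",
            (requested_tenant,),
        )
        return cursor.fetchall()
```

A denied request still leaves an audit entry, which is what makes cross-tenant probing detectable rather than silently blocked.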

Network Security Architecture

Our infrastructure is designed with defense-in-depth principles and multiple security layers:

  • Private Subnet Isolation: All application servers, databases, and caching layers operate within private subnets with no direct internet access. These resources can only communicate through carefully controlled network paths.
  • Network Segmentation: We use Amazon Virtual Private Cloud (VPC) to create isolated network environments across multiple availability zones, ensuring both security and high availability. Public subnets are used exclusively for load balancers that handle incoming HTTPS traffic.
  • Firewall Configuration: Security groups act as stateful firewalls controlling inbound and outbound traffic at the instance level, with rules implementing least-privilege network access.
  • Intrusion Detection & Prevention: Our infrastructure supports IDS/IPS capabilities for monitoring and blocking malicious network activity, providing real-time threat detection and response.
  • DDoS Protection: AWS Shield Standard provides automatic protection against common DDoS attacks, ensuring service availability during malicious traffic attempts.
  • NAT Gateway: Outbound internet access from private resources is controlled through a NAT Gateway, providing additional isolation and security monitoring capabilities.

Access Controls & Identity Management

We implement comprehensive access controls to ensure that only authorized personnel and systems can access your data:

  • Least-Privilege Principle: All system components and users operate with the minimum permissions necessary to perform their functions. IAM roles and policies are scoped to specific resources using Amazon Resource Names (ARNs), never using wildcard permissions.
  • Role-Based Access Control (RBAC): User permissions are assigned based on roles and responsibilities, ensuring appropriate access levels for different user types (administrators, trainers, learners).
  • Multi-Factor Authentication (MFA): MFA is enforced for administrative access to our AWS infrastructure and can be configured for end-user accounts, adding an additional layer of protection beyond passwords.
  • Temporary Credentials: Infrastructure access credentials are temporary and rotate automatically every 6-12 hours, eliminating the risk of long-lived credentials being compromised.
  • Session Management: User sessions include timeout policies, secure cookie handling, and automatic termination after periods of inactivity to prevent unauthorized access.
  • Separation of Concerns: We maintain distinct IAM roles for infrastructure bootstrap operations (task execution role) and application runtime operations (task role), ensuring proper isolation of privileges.
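To make the "ARN-scoped, never wildcard" rule checkable in a pipeline, here is an added Python linter (not RansomLeak's tooling) that flags wildcard actions, wildcard resources, non-ARN resources and the implicit wildcards NotAction/NotResource in an IAM policy document. The two policies are constructed samples; the bucket and secret names are invented and 111122223333 is the AWS documentation example account id.

```python
import json

# Constructed example policies for illustration; not RansomLeak's actual IAM policies.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"], "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            # An object-key wildcard inside a bucket ARN is still scoped to that one bucket.
            "Resource": "arn:aws:s3:::example-training-uploads/*",
        },
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example/db-credentials-*",
        },
    ],
})


def _as_list(value) -> list:
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(document: str) -> list[str]:
    """Return one finding per violation of the ARN-scoped, no-wildcard rule; empty means clean."""
    findings: list[str] = []
    for index, stmt in enumerate(_as_list(json.loads(document)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        # NotAction / NotResource grant everything except the listed items: an implicit wildcard.
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"statement {index}: {key} is an implicit wildcard")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {index}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {index}: wildcard resource for {stmt.get('Action')!r}")
            elif not resource.startswith("arn:"):
                findings.append(f"statement {index}: resource {resource!r} is not an ARN")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy) or "OK")
```

Run as a CI check against both the task execution role and the task role policies, a non-empty result fails the build before the role is ever attached.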

Monitoring & Auditing

Continuous monitoring and comprehensive auditing help us detect and respond to security events:

  • Security Information and Event Management (SIEM): We implement SIEM practices for aggregating, analyzing, and correlating security events from multiple sources, enabling rapid threat detection and response.
  • Continuous Security Monitoring: Our systems continuously monitor for security anomalies, unusual access patterns, suspicious activities, and potential threats across the entire infrastructure.
  • Real-Time Threat Detection: Automated alerting systems identify and notify our security team of potential security incidents in real-time, enabling immediate investigation and response.
  • Application Logging: All application activities are logged to Amazon CloudWatch Logs, providing a comprehensive audit trail of system operations and user activities.
  • API Auditing: AWS CloudTrail logs all API calls made to our infrastructure, creating an immutable record of administrative actions and resource changes.
  • Network Flow Monitoring: VPC Flow Logs capability allows us to capture information about network traffic for security analysis and troubleshooting when needed.
  • Log Retention & Analysis: Security logs are retained according to compliance requirements, with regular analysis for identifying trends, anomalies, and potential security issues.
  • Session Logging: All administrative access sessions to containers are logged, providing complete visibility into system access and operations.

Data Retention & Backup

We maintain appropriate backup and retention policies to ensure data durability while respecting your privacy:

  • Database Backups: Automated daily backups of our PostgreSQL database are retained for 7 days, allowing us to recover from data corruption or accidental deletion. All backups are encrypted at rest.
  • S3 Lifecycle Policies: File storage includes versioning and lifecycle policies that archive old versions after 90 days and permanently delete them after 180 days, balancing data protection with privacy requirements.
  • Log Retention: Application logs are retained for 7 days by default, providing sufficient time for security analysis while minimizing data storage.
  • Disaster Recovery: Our multi-availability zone architecture ensures that we can quickly recover from infrastructure failures without data loss.

Incident Response

We maintain clear procedures for responding to security incidents:

  • Breach Notification: In accordance with GDPR Article 33 and CCPA requirements, we will notify affected parties within 72 hours of becoming aware of any personal data breach that poses a risk to individual rights and freedoms.
  • Incident Detection: Our monitoring systems continuously watch for security anomalies, unusual access patterns, and potential threats, enabling rapid detection of security incidents.
  • Response Procedures: We maintain documented incident response procedures that ensure consistent, effective handling of security events, including containment, investigation, and remediation steps.
  • Security Contact: For security concerns or to report a vulnerability, please contact us at security@ransomleak.com. We take all security reports seriously and respond promptly to verified issues.

Secure Development Lifecycle (SDLC)

Security is integrated into every phase of our software development process:

  • Secure SDLC Practices: We follow secure software development lifecycle methodologies, incorporating security considerations from initial design through deployment and maintenance.
  • Version Control: All code is managed using Git version control with comprehensive change tracking, enabling audit trails and facilitating security reviews.
  • Code Reviews & Peer Review: Every code change undergoes peer review before being merged, ensuring multiple eyes examine code for potential security issues and adherence to best practices.
  • Development Pipeline: Our deployment pipeline includes staging environments for testing, comprehensive QA processes, and automated checks before any code reaches production.
  • Static Code Analysis: We employ static application security testing (SAST) tools that automatically scan code for security vulnerabilities, coding errors, and potential weaknesses.
  • Dependency Vulnerability Scanning: All third-party dependencies are automatically scanned for known vulnerabilities, with updates applied promptly to address security issues.
  • Secure Coding Standards: Our development team follows established secure coding guidelines and standards to prevent common vulnerabilities and security weaknesses.

Security Testing & Quality Assurance

Comprehensive testing ensures our security controls function correctly:

  • High Test Coverage: We maintain extensive test coverage including unit tests, integration tests, and functional tests to ensure code quality and catch potential security issues early.
  • Static Application Security Testing (SAST): Automated static analysis examines source code for security vulnerabilities before deployment, identifying issues like SQL injection, XSS, and insecure configurations.
  • Dynamic Application Security Testing (DAST): Runtime security testing evaluates the application while it's running, detecting vulnerabilities that only appear during execution.
  • Automated Vulnerability Scanning: Regular automated scans identify known vulnerabilities in dependencies, containers, and infrastructure configurations.
  • Penetration Testing: Periodic penetration testing by security professionals helps identify potential security weaknesses that automated tools might miss.
  • CI/CD Security Checks: Our continuous integration and deployment pipeline includes automated security checks, preventing vulnerable code from reaching production environments.

Employee Security Training & Awareness

Our team receives regular security training to maintain high security standards:

  • OWASP Top 10 Training: Our development team receives comprehensive training on the OWASP Top 10 security risks, ensuring awareness of the most critical web application security vulnerabilities.
  • Secure Coding Practices: Developers are trained in secure coding techniques, input validation, output encoding, authentication, authorization, and other security fundamentals.
  • Annual Security Awareness Training: All employees complete annual security awareness training covering data protection, privacy regulations, company security policies, and best practices.
  • Social Engineering & Phishing Awareness: Regular training helps employees recognize and respond appropriately to social engineering attempts, phishing emails, and other manipulation techniques.
  • Incident Response Training: Team members are trained in incident response procedures, ensuring they know how to identify, report, and respond to security incidents effectively.
  • Continuous Security Education: We maintain ongoing security education programs, keeping our team updated on emerging threats, new attack vectors, and evolving security best practices.

Security Audits & Third-Party Assessments

Independent verification ensures our security controls are effective:

  • Regular Internal Security Audits: We conduct periodic internal security audits to assess our security posture, identify potential weaknesses, and verify compliance with security policies.
  • Third-Party Security Assessments: Independent security professionals conduct external assessments of our infrastructure, applications, and security practices, providing unbiased evaluation.
  • Vulnerability Assessment Schedules: Regular vulnerability assessments identify and prioritize security weaknesses for remediation before they can be exploited.
  • Compliance Audits: Periodic compliance audits verify adherence to regulatory requirements including GDPR, CCPA, and industry security standards.
  • Remediation Tracking: All identified security issues are tracked through to resolution, with verification testing ensuring vulnerabilities are properly addressed.

Accessibility Compliance

We are committed to making our platform accessible to all users:

  • WCAG 2.1 Level AA Compliance: Our platform is designed and developed to meet Web Content Accessibility Guidelines (WCAG) 2.1 Level AA standards, ensuring accessibility for users with disabilities.
  • Accessible Design Principles: We follow accessible design principles including clear navigation, consistent layouts, sufficient color contrast, and readable typography.
  • Keyboard Navigation Support: Full keyboard navigation support ensures users can access all functionality without requiring a mouse or pointing device.
  • Screen Reader Compatibility: Our interface is compatible with popular screen readers including JAWS, NVDA, and VoiceOver, with proper semantic HTML and ARIA labels.
  • Color Contrast Standards: All text and interactive elements meet WCAG color contrast requirements, ensuring readability for users with visual impairments.
  • Ongoing Accessibility Testing: Regular accessibility testing and validation ensure continued compliance and identify areas for improvement.

Service Level Agreements & Enterprise Commitments

We provide enterprise-grade service commitments to ensure reliability and support:

  • Incident Response SLAs: We maintain clear response time commitments based on severity: Critical incidents (1 business day), High priority (3 business days), Medium priority (7 business days), Low priority (14 business days).
  • Uptime Guarantee: We target 99.5% uptime availability, with proactive monitoring and rapid response to any service interruptions.
  • Zero-Downtime Deployments: Our deployment practices use blue-green deployment strategies and rolling updates to minimize service disruption during updates.
  • Enterprise-Grade Data Handling: All customer data is handled with enterprise-level security controls, access restrictions, and handling procedures.
  • Remediation Procedures: Clear escalation paths and remediation procedures ensure rapid resolution of security issues and service problems.
  • Support Availability: Our support team is available during business hours to assist with technical issues, security questions, and compliance inquiries.
  • B2B Data Protection Guarantees: We provide appropriate data processing agreements, security commitments, and compliance documentation required for B2B customers.
  • Change Management: All infrastructure and application changes follow documented change management procedures with appropriate review, testing, and rollback capabilities.

Continuous Improvement

Security and compliance are not one-time achievements but ongoing commitments. We continuously review and enhance our security measures, stay informed about emerging threats and regulatory changes, and update our practices to maintain the highest standards of data protection and regulatory compliance. We regularly evaluate additional security enhancements such as AWS GuardDuty for threat detection, AWS Security Hub for centralized security monitoring, and other advanced security services to strengthen our security posture.

Questions?

We believe transparency builds trust. If you have questions about our security practices, compliance standards, or would like more detailed information about any aspect of our security and compliance program, please don't hesitate to reach out:

RansomLeak Security & Compliance Team

Email: security@ransomleak.com

General Inquiries: info@ransomleak.com