Security & Compliance
Last updated: May 22, 2026
What Compliance Certifications Does RansomLeak Hold?
We align with major security frameworks and meet the regulatory requirements our customers need.
Regulatory & legal frameworks
Frameworks that govern how RansomLeak handles personal data and operates in regulated markets.
NIST Framework
Aligned with NIST Cybersecurity Framework controls across identify, protect, detect, respond, and recover functions.
GDPR Compliant
Implements technical and organizational measures required by EU General Data Protection Regulation for data privacy.
CCPA Compliant
Supports California Consumer Privacy Act requirements including data access, deletion, and portability rights.
NIS2 Directive
Implements security measures aligned with EU Network and Information Security Directive for essential services.
DORA
Supports EU Digital Operational Resilience Act requirements for operational resilience and ICT risk management.
Infrastructure, posture & accessibility
Vendor and platform-level certifications that underpin the service — held by AWS, completed at the company level, or required for accessibility conformance.
AWS Security Best Practices
Built on AWS infrastructure following Well-Architected Framework and inheriting AWS certifications including SOC 2 and ISO 27001.
CSA STAR Level 1
Cloud Security Alliance STAR Level 1 self-assessment demonstrating cloud security best practices and transparency.
WCAG 2.1 Level AA
Meets Web Content Accessibility Guidelines ensuring the platform is accessible to users with disabilities.
Infrastructure Compliance Features
- Encryption: AES-256 encryption at rest, TLS 1.2+/1.3 encryption in transit, using AWS-managed encryption keys
- Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), least-privilege IAM policies
- Regular Audits: Internal security audits, DAST scanning (OWASP ZAP), vulnerability scanning, and continuous dependency monitoring
- AWS Compliance: Built on AWS infrastructure certified for SOC 2, ISO 27001, FedRAMP, and other standards
Active compliance program
Beyond the framework alignments above, RansomLeak runs a continuous compliance program covering adjacent obligations.
- UK GDPR & Swiss FADP: The same technical and contractual safeguards as EU GDPR apply automatically when serving UK residents (Data Protection Act 2018) and Swiss data subjects (revised Federal Act on Data Protection / nFADP).
- EU AI Act readiness: AI-generated content from deepfake drills is labelled and disclosed to participants in line with Article 50 transparency requirements; provider obligations for the platform’s general-purpose AI usage are tracked as the act phases in.
- Vanta integration for tenants: Tenants on Vanta can receive completion evidence from RansomLeak directly into their own Vanta workspace via our outbound integration, helping satisfy security-awareness training control objectives without manual evidence collection.
What Data Does RansomLeak Collect?
We collect the minimum data needed to deliver and audit security training. We deliberately keep entire categories of sensitive data outside our perimeter.
Data we collect
- Customer admin information: Names, business emails, job titles, and roles of users provisioned by your administrators
- Learner records: Names, work emails, optional department or location tags, and training assignment history
- Training activity: Module starts and completions, time on task, choices made inside simulations, and assessment results
- Security and audit data: Authentication events, session IP addresses, and API token usage retained for audit logs and incident response
Optional deepfake drills: When a tenant administrator enables the deepfake drills feature, they upload voice samples of consenting individuals (typically internal actors). This biometric data is processed by our feature-conditional subprocessor (ElevenLabs) listed below. Learners do not provide this data themselves.
Data we never collect
- Payment card data: All billing routes through a PCI DSS Level 1 payment processor. Card numbers never reach our infrastructure
- Personal health information: The platform is not a HIPAA covered service. Do not upload PHI through training records or uploads
- Workforce surveillance data: No keystroke logs, screen recordings, browser history, or behavioral telemetry of learners outside the training modules themselves
- Government identifiers: Social security numbers, passport numbers, and national ID numbers are not requested in any field or form
Which Subprocessors Does RansomLeak Use?
We use a small number of vetted third-party processors to operate the platform. Each subprocessor is bound by a Data Processing Agreement and reviewed annually.
Core product subprocessors
Always engaged when you use the platform. These processors handle data on behalf of RansomLeak customers.
Feature-conditional subprocessors
Engaged only when a tenant administrator turns on the corresponding feature inside the platform. Where these handle biometric or special-category data, they do so under explicit instruction from the tenant.
Marketing-site tools: Tools that operate only on our public marketing pages, such as Calendly for demo scheduling, do not process platform or learner data. These are itemized in our Privacy Policy rather than counted as platform subprocessors.
Subprocessor changes: We notify customers at least 30 days before adding or replacing a core subprocessor, in line with our Data Processing Agreement. Customers on an active subscription are emailed directly when material changes occur.
Security and Compliance Documents
Use these resources to evaluate RansomLeak in procurement, vendor assessment, and DPIA workflows. Gated documents are released under a mutual NDA on request.
Publicly available
Available on request
- Data Processing Agreement (DPA): GDPR-aligned DPA covering personal data processing, subprocessors, Standard Contractual Clauses, and international transfers
- Security overview whitepaper: Architecture, control mapping, and risk treatment summary written for security review teams
- Penetration test executive summary: Most recent third-party penetration test summary with findings status, redacted of exploit detail
- AWS compliance evidence: AWS Artifact reports covering the infrastructure we run on, including SOC 2, ISO 27001, and FedRAMP
- Vendor security questionnaire: Pre-completed CAIQ-Lite and SIG Lite responses to accelerate procurement reviews
Request access: Email security@ransomleak.com with your company name, role, and the documents you need. We typically respond within one business day.
How Does RansomLeak Encrypt Data?
Your data is encrypted at every stage:
- Encryption at Rest: All stored data is encrypted using AES-256 encryption, including your database (RDS PostgreSQL), file storage (Amazon S3), cache (ElastiCache Redis), and application secrets
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+/1.3 with HTTPS-only enforcement, HSTS with preload (1-year max-age, includeSubDomains), and in-transit encryption on all internal services including cache replication
- Key Management: Encryption uses AWS-managed keys (SSE-S3 for object storage, RDS-managed keys for databases) with automatic rotation handled by AWS
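As an added illustration, not RansomLeak's own code, the following checker parses a Strict-Transport-Security response header and reports where it falls short of the in-transit policy described above (one-year max-age, includeSubDomains, preload). The sample headers are constructed, and the thresholds it applies are the published hstspreload.org submission requirements rather than anything taken from the platform.

```python
# Added example (not RansomLeak's code): validate an HSTS header against the
# policy of a 1-year max-age with includeSubDomains and preload.
import re
from typing import Dict, List, Optional

ONE_YEAR_SECONDS = 31_536_000  # minimum max-age accepted by the preload list


def parse_hsts(header_value: str) -> Dict[str, Optional[object]]:
    """Parse an HSTS header value into a dict of directives.

    Directive names are case-insensitive (RFC 6797), so they are lowercased.
    Valueless directives map to None; max-age is converted to an int and
    rejected if it is not a plain decimal number.
    """
    directives: Dict[str, Optional[object]] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if value else None
        if name == "max-age":
            if not re.fullmatch(r"\d+", value or ""):
                raise ValueError(f"invalid max-age value: {value!r}")
            directives[name] = int(value)
        else:
            directives[name] = value
    return directives


def hsts_findings(header_value: Optional[str]) -> List[str]:
    """Return the list of policy gaps; an empty list means the header is compliant."""
    if header_value is None:
        return ["missing Strict-Transport-Security header"]
    try:
        directives = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]

    findings: List[str] = []
    max_age = directives.get("max-age")
    if max_age is None:
        findings.append("max-age directive is required")
    elif max_age < ONE_YEAR_SECONDS:
        findings.append(f"max-age {max_age} is below one year ({ONE_YEAR_SECONDS})")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains would still accept plain HTTP")
    if "preload" not in directives:
        findings.append("preload missing: the first visit is unprotected until the policy is cached")
    return findings


# Constructed sample headers for the demo (not captured from any real host).
SAMPLES = {
    "policy-compliant": "max-age=31536000; includeSubDomains; preload",
    "short-max-age": "max-age=86400; includeSubDomains",
    "header-absent": None,
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label}: {hsts_findings(value) or 'OK'}")
```

The parser lowercases directive names before matching because browsers treat them case-insensitively; a checker that only accepts the exact spelling `includeSubDomains` would report false gaps on perfectly valid headers.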
How Does RansomLeak Isolate Tenant Data?
Each customer's data is fully isolated. No organization can access another's data:
- Schema-Based Separation: Each organization's data is logically isolated using dedicated database schemas
- Query-Level Filtering: All database queries include mandatory tenant identification
- Access Control Validation: Application-level security controls prevent cross-tenant data access
- Audit Trail: All data access is logged with tenant context for complete visibility
- Token Isolation: API and identity-provider tokens are tenant-bound and validated only against the requesting tenant's data — tokens cannot be reused across organizations
- Continuous Validation: An automated integration test suite validates tenant isolation on every code change, covering prevention of cross-tenant data access, SQL injection protection, and schema-level isolation
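The following is an added example, not the platform's own code, of how query-level filtering and tenant-bound tokens fit together: every read goes through one method that verifies the token's tenant, allow-lists table and column names, and prepends a parameterised `tenant_id` predicate before any caller-supplied filter. It uses an in-memory SQLite database with a `tenant_id` column (a simplification of the per-tenant schemas described above) and constructed sample rows; the table, token and tenant names are invented.

```python
# Added example (not RansomLeak's code): a data-access layer that makes the
# tenant filter mandatory and binds API tokens to a single tenant.
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Tuple


class TenantMismatch(Exception):
    """Token presented for a tenant it was not issued to."""


@dataclass(frozen=True)
class ApiToken:
    token_id: str
    tenant_id: str  # a token is minted for exactly one tenant


# Allow-list of tables and filterable columns (hypothetical schema). Identifiers
# are checked here so SQL is never assembled from untrusted strings.
SCHEMA: Dict[str, Tuple[str, ...]] = {
    "learners": ("id", "tenant_id", "email", "department"),
}


class TenantRepo:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.audit: List[dict] = []  # in-memory stand-in for the audit trail

    def fetch(self, token: ApiToken, tenant_id: str, table: str, **filters) -> list:
        # 1. Token isolation: the token must belong to the tenant being read.
        if token.tenant_id != tenant_id:
            self.audit.append({"tenant": tenant_id, "token": token.token_id, "result": "denied"})
            raise TenantMismatch(f"token {token.token_id} is not bound to tenant {tenant_id}")
        # 2. Only known tables and columns, so identifiers are never caller-controlled.
        if table not in SCHEMA or any(col not in SCHEMA[table] for col in filters):
            raise ValueError("unknown table or column")
        # 3. Mandatory tenant predicate, always present, always parameterised;
        #    filter values travel as bind parameters, never inside the SQL text.
        clauses = ["tenant_id = ?"] + [f"{col} = ?" for col in filters]
        params = (tenant_id, *filters.values())
        sql = f"SELECT * FROM {table} WHERE {' AND '.join(clauses)}"
        rows = self.conn.execute(sql, params).fetchall()
        self.audit.append({"tenant": tenant_id, "token": token.token_id, "result": f"{len(rows)} rows"})
        return rows


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data for two invented tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE learners (id INTEGER, tenant_id TEXT, email TEXT, department TEXT)")
    conn.executemany("INSERT INTO learners VALUES (?, ?, ?, ?)", [
        (1, "acme", "a.lee@acme.example", "finance"),
        (2, "acme", "b.kim@acme.example", "ops"),
        (3, "globex", "c.ng@globex.example", "finance"),
    ])
    return conn


def demo():
    """Exercise the three controls and return what a test suite would assert on."""
    repo = TenantRepo(build_demo_db())
    acme_token = ApiToken("tok-1", "acme")
    own_rows = repo.fetch(acme_token, "acme", "learners", department="finance")
    # An injection-shaped value is just a bound string; it matches nothing.
    probe_rows = repo.fetch(acme_token, "acme", "learners", email="' OR 1=1 --")
    try:
        repo.fetch(acme_token, "globex", "learners")
        cross_tenant = "allowed"
    except TenantMismatch:
        cross_tenant = "denied"
    return len(own_rows), len(probe_rows), cross_tenant, repo.audit


if __name__ == "__main__":
    print(demo())
```

The denied attempt is written to the audit trail with the tenant that was requested, not the tenant the token belongs to, which is the context an investigator needs when reviewing cross-tenant access attempts.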
What Network Security Architecture Does RansomLeak Use?
Multiple layers of network security protect the platform:
- Private Subnet Isolation: All application servers, databases, and caching layers operate within private subnets with no direct internet access
- Network Segmentation: Amazon VPC creates isolated network environments across multiple availability zones
- Firewall Configuration: Security groups act as stateful firewalls with least-privilege network access
- Web Application Firewall: AWS WAF protects against common web exploits, SQL injection, and malicious requests with IP-based rate limiting
- DDoS Protection: AWS Shield Standard provides automatic protection against common DDoS attacks
- Network Traffic Logging: VPC Flow Logs capture all network traffic for analysis, audit logging, and incident investigation
How Does RansomLeak Handle Access Controls and Identity?
Only the right people and systems can access your data:
- Least-Privilege Principle: All system components and users operate with the minimum permissions necessary
- Role-Based Access Control (RBAC): User permissions are assigned based on roles and responsibilities
- Multi-Factor Authentication (MFA): MFA is available to all users (TOTP and email) and mandatory for superadmin access
- Temporary Credentials: Infrastructure access credentials are temporary and rotate automatically every 6-12 hours
- Quarterly Access Reviews: Automated per-tenant access reviews with anomaly detection for inactive accounts and excessive privileges
- SAML Single Sign-On: SAML 2.0 integration with identity providers for enterprise single sign-on
- SCIM 2.0 Provisioning: Automated user and group provisioning from identity providers such as Entra ID and Okta
- Account Lockout: Automatic account lockout after 5 failed login attempts with a 15-minute cooldown period
- Password History: Last 12 passwords tracked per user to prevent password reuse
- Compromised Password Detection: Passwords are checked against known breaches via the HaveIBeenPwned k-anonymity API
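An added example, not RansomLeak's implementation, of two of the controls above: a lockout counter that locks an account after 5 failures for a 15-minute cooldown, and a breached-password check using the HaveIBeenPwned range API's k-anonymity model, in which only the first five hex characters of the password's SHA-1 hash are sent and the full hash is compared locally. The range response used here is a constructed stub with an invented count; the `fetch_range_live` helper targets the public api.pwnedpasswords.com range endpoint and is the only part that needs network access.

```python
# Added example (not RansomLeak's code): account lockout with cooldown and a
# k-anonymity breached-password check against the HaveIBeenPwned range API.
import hashlib
import time
import urllib.request
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 5    # lockout threshold stated in the policy above
LOCKOUT_SECONDS = 15 * 60  # 15-minute cooldown


class LockoutPolicy:
    """Per-account failed-login counter with a timed lockout.

    The clock is injectable so the cooldown can be tested without sleeping.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, username: str) -> bool:
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:  # cooldown elapsed: reset the account's state
            del self.locked_until[username]
            self.failures[username] = 0
            return False
        return True

    def record_failure(self, username: str) -> None:
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[username] = self.clock() + LOCKOUT_SECONDS

    def record_success(self, username: str) -> None:
        self.failures[username] = 0
        self.locked_until.pop(username, None)


def hibp_prefix_suffix(password: str):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that never leaves this process."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range) -> int:
    """Return how often the password appears in the range response (0 if absent).

    fetch_range(prefix) must return the text body of GET /range/{prefix}:
    one 'SUFFIX:COUNT' pair per line.
    """
    prefix, suffix = hibp_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Query the real HaveIBeenPwned range endpoint (requires network access)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stub standing in for the API. The SHA-1 of "password" begins with
# 5BAA6; the other suffixes and every count here are invented, not HIBP data.
_STUB_RANGES = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "00D4F6E8A8EFE6F2E8D6B6A3E4C3B2A1F00:1",
    ]),
}


def fetch_range_stub(prefix: str) -> str:
    return _STUB_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    policy = LockoutPolicy()
    for _ in range(MAX_FAILED_ATTEMPTS):
        policy.record_failure("alice")
    print("alice locked:", policy.is_locked("alice"))
    print("'password' breach count:", breach_count("password", fetch_range_stub))
```

Because the lookup is keyed only by the 5-character prefix, the service learns that one of roughly a million hashes is being checked and nothing more; the candidate password itself is never transmitted, which is what makes the check acceptable to run at password-set time.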
How Does RansomLeak Monitor and Audit Systems?
We monitor systems around the clock and log every action:
- Security Event Log & SIEM Export: Application-level audit trail captures authentication events, user management, and API token activity with IP and metadata. Exportable via REST API for SIEM integration or CSV download
- Continuous Security Monitoring: AWS GuardDuty, CloudWatch, and Security Hub continuously monitor for anomalies with automated alerting
- Application Logging: All application activities are logged to Amazon CloudWatch Logs
- API Auditing: AWS CloudTrail logs all API calls for an immutable record of administrative actions
- Privileged Access Controls: All production shell sessions are fully transcribed and logged, with real-time alerts on every privileged access event. Database audit logging tracks schema and permission changes
- Centralized Security Findings: AWS Security Hub aggregates findings from GuardDuty, Macie, Inspector, and Config into a unified dashboard
- Configuration Compliance: AWS Config monitors infrastructure with managed rules to detect configuration drift and enforce compliance
- Data Loss Prevention: AWS Macie performs monthly S3 scans to detect PII and sensitive data exposure. VPC endpoint policies restrict data writes to own-account resources only, and IAM boundary policies block data export services
How Does RansomLeak Handle Security Incidents?
We have clear steps for handling security events:
- Breach Notification: We will notify affected parties within 72 hours of becoming aware of any personal data breach (GDPR Article 33)
- Incident Detection: Our monitoring systems continuously watch for security anomalies and potential threats
- Response Procedures: We maintain documented incident response procedures for consistent, effective handling
Security Contact: For security concerns or to report a vulnerability, please contact us at security@ransomleak.com.
What Is RansomLeak's Secure Development Lifecycle?
Security is part of every step in how we build software:
- Secure SDLC Practices: Security considerations from initial design through deployment and maintenance
- Code Reviews: Every code change undergoes peer review before being merged
- Automated Code Quality: CI/CD pipeline enforces linting, strict type checking, CodeQL static analysis, dependency vulnerability scanning, container image scanning, and OWASP ZAP DAST scanning on every change
- Dependency Scanning: All third-party dependencies are automatically scanned for known vulnerabilities
What Service Level Agreements Does RansomLeak Offer?
Our uptime and response time targets:
- Incident Response SLAs: Critical (1 business day), High (3 business days), Medium (7 business days), Low (14 business days)
- Uptime Guarantee: We target 99.95% uptime availability, backed by Multi-AZ RDS with synchronous standby and proactive monitoring
- Zero-Downtime Deployments: Rolling deployments with health checks ensure zero-downtime releases