Security

Security posture for teams embedding weaveleads

weaveleads handles lead data, embedded tools, and MCP API access, so security is part of the product surface. This page explains the controls we use today and the areas we are actively improving.

Transport security

weaveleads is served over HTTPS, with HSTS (HTTP Strict Transport Security) enabled for production traffic, so a browser that has seen the header refuses to retry a later request over plain HTTP.

Data separation

Customer data lives in the production database and in private object storage; it is never shipped inside public client code such as the embed script.

API key handling

MCP API keys are stored only as hashes, can be revoked at any time, and a key whose owning account is suspended is rejected at authentication.

Embed posture

The public embed runs inside an iframe, validates the origin of every postMessage it exchanges with the host page, and ships with an SRI-ready snippet so customers can pin the embed script with an integrity attribute.

What data we store

  • Account profile data such as name, email, plan, and authentication metadata.
  • Interactive tool configuration, questions, AI instructions, themes, and publish state.
  • Lead submissions, answers, contact fields, scoring output, and conversion analytics.
  • Billing identifiers and subscription status from the payment provider.
  • Operational logs needed for abuse prevention, support, debugging, and security review.

Protection model

Passwords are stored only as password hashes, verification codes are short-lived and stored hashed, API keys are stored as hashes, and production secrets are expected to live in Dokploy environment variables rather than in the repository. PostgreSQL and Redis should stay internal to the VPS/project network with no public listener, while public uploads are served from the configured R2 public URL.

The embed surface is intentionally split from the dashboard: dashboard pages deny framing outright, so they cannot be clickjacked from a third-party page, while public tool routes allow customer sites to frame them and keep the interactive experience isolated in its own iframe.

Subprocessors

  • Hostinger / Dokploy for VPS hosting and application deployment.
  • Cloudflare R2 for private object storage and public file delivery when enabled.
  • Resend for transactional emails such as verification and password reset.
  • Polar and its payment processor for paid subscriptions.
  • PostHog for product analytics when analytics is enabled.
  • Google OAuth for optional Google sign-in.
  • OpenRouter for AI result generation.

Compliance roadmap

weaveleads is not SOC 2 certified today. The current focus is practical startup-grade security: strong headers, least-privilege access, secure key storage, rate limits, backups, and a clear incident contact. A SOC 2 readiness process can be added as enterprise demand grows.

To report a vulnerability, email support@weaveleads.app. Please include affected URLs, reproduction steps, impact, and a safe proof of concept.