Security

How we protect your floor data.

Last updated: 3 May 2026

LeanOS holds defect photos, kaizen savings, A3 cases, and other operational data that may include trade secrets (production lines, tooling, layouts). We treat it the way you would — structurally isolated, encrypted, audit-logged, and minimally shared.

Multi-tenant isolation by RLS

Every database table that holds Customer Data carries an org_id discriminator. Postgres row-level security (RLS) policies are enforced on every read and write — a user authenticated to organization A cannot read or modify any row belonging to organization B. Cross-tenant access is structurally impossible at the database layer, not just the application layer.

Encryption in transit and at rest

All traffic between client and server is encrypted with TLS 1.2 or higher. Customer Data, photos, and database backups at rest are encrypted by Supabase using AES-256. Authenticated session tokens are stored in HttpOnly, Secure, SameSite=Lax cookies.

Authentication & access control

Authentication is handled by Supabase Auth (bcrypt password hashing, optional magic links, OAuth providers on enterprise plans). Role-based access control (RBAC) inside the workspace: Owner, Admin, Member, Auditor (read-only). Optional SSO / SAML / SCIM available on enterprise plans.
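The org_id-keyed RLS isolation and the Owner / Admin / Member / Auditor roles described above, as an added illustration in Postgres/Supabase SQL (not LeanOS's own schema): the table, policy and function names (defects, memberships, my_org_ids) are assumptions, and auth.uid() is Supabase's helper that returns the JWT subject of the calling user.

```sql
-- Added example, not LeanOS's schema: tenant isolation by RLS on org_id,
-- with role-aware write policies. Names below are assumptions.

create table memberships (
  org_id  uuid not null,
  user_id uuid not null,
  role    text not null check (role in ('owner','admin','member','auditor')),
  primary key (org_id, user_id)
);

create table defects (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null,        -- tenant discriminator on every row
  title      text not null,
  created_by uuid not null
);

-- Enable RLS; FORCE makes the policies bind the table owner as well.
alter table defects enable row level security;
alter table defects force row level security;

-- Orgs the caller belongs to. security definer so the lookup works even if
-- memberships carries its own restrictive policies.
create or replace function my_org_ids() returns setof uuid
language sql stable security definer set search_path = public as $$
  select org_id from memberships where user_id = auth.uid()
$$;

-- Reads: only rows from the caller's own organizations.
create policy defects_select on defects
  for select using (org_id in (select my_org_ids()));

-- Writes: WITH CHECK also constrains the *new* row, so a client cannot
-- insert into, or move a row into, another tenant's org_id.
create policy defects_insert on defects
  for insert with check (org_id in (select my_org_ids()));

create policy defects_update on defects
  for update using (org_id in (select my_org_ids()))
             with check (org_id in (select my_org_ids()));

-- Auditor is read-only: only owners/admins of that org may delete.
create policy defects_delete on defects
  for delete using (exists (
    select 1 from memberships m
     where m.org_id = defects.org_id and m.user_id = auth.uid()
       and m.role in ('owner','admin')));

-- Caveat: RLS never binds superusers or BYPASSRLS roles (Supabase's
-- service_role key), so that credential must stay server-side only.
```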

Audit logging

Every change to a defect, kaizen, A3 case, score, member, or zone is recorded in an immutable audit log: who, what, when, before-value, after-value. Retained for 7 years from the event date. Audit logs are exportable on request and visible to workspace Owners and Admins.
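One way the who / what / when / before-value / after-value record above can be captured at the database layer, as an added example that is not LeanOS's implementation: a row-level trigger writes to an append-only table. The names (defects, audit_log, the application role app_user) are assumptions, and auth.uid() is Supabase-specific.

```sql
-- Added example, not LeanOS's code: append-only audit log fed by a trigger.
-- Assumes a role app_user exists and is the only role the app connects as.

create table defects (          -- minimal stand-in for the audited table
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  title  text not null
);

create table audit_log (
  id         bigint generated always as identity primary key,
  org_id     uuid not null,
  table_name text not null,
  row_id     uuid not null,
  action     text not null check (action in ('INSERT','UPDATE','DELETE')),
  actor      uuid,                                 -- who
  at         timestamptz not null default now(),   -- when
  before_row jsonb,                                -- NULL for INSERT
  after_row  jsonb                                 -- NULL for DELETE
);

-- "Immutable" for the application: it may insert and read, never change.
-- Table owner and superusers are not bound by grants; keep them off the
-- application path. Tenant visibility (Owners/Admins) is a separate RLS
-- policy on audit_log, omitted here.
revoke all on audit_log from app_user;
grant select, insert on audit_log to app_user;

create or replace function record_audit() returns trigger
language plpgsql security definer set search_path = public as $$
begin
  insert into audit_log
    (org_id, table_name, row_id, action, actor, before_row, after_row)
  values (
    case when tg_op = 'DELETE' then old.org_id else new.org_id end,
    tg_table_name,
    case when tg_op = 'DELETE' then old.id else new.id end,
    tg_op,
    auth.uid(),
    case when tg_op in ('UPDATE','DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT','UPDATE') then to_jsonb(new) end
  );
  return coalesce(new, old);
end $$;

create trigger defects_audit
  after insert or update or delete on defects
  for each row execute function record_audit();
```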

AI is advisory — never automatic

All AI-generated suggestions (defect categorization, A3 root causes, fix plans, Plant Coach insights, scoring breakdowns) are presented for human review. No AI output ever triggers an action that affects Customer operations, products, equipment, or personnel without an authorized user explicitly accepting it.

Infrastructure

LeanOS runs on Vercel (application hosting + edge serving) and Supabase (Postgres + file storage + auth). Both providers are SOC 2 Type II certified. The full subprocessor list is published at /subprocessors. We use no other third-party services that touch Customer Data.

Incident response

On detection of a personal data breach, we follow a documented runbook: detect → contain → notify affected Customer admins (target 72 hours, per DPDP Act and GDPR) → root-cause → remediate → publish post-mortem. Customers are notified by email to the workspace administrator on file.

Backup & restore

Supabase performs daily automated backups of the production database with point-in-time recovery (PITR) for the most recent 7 days on standard plans, 30 days on enterprise plans. Backups are encrypted at rest. Restore objective: RTO 4 hours, RPO 24 hours on standard, RPO 1 hour on enterprise.

Compliance roadmap

Standard / framework        Status
DPDP Act 2023 (India)       Self-assessed compliant; Grievance Officer designated.
GDPR (EU)                   Self-assessed compliant via Standard Contractual Clauses with subprocessors.
IT Act 2000 §43A (India)    Reasonable security practices implemented.
SOC 2 Type I                On request — initiated upon enterprise contract signature.
SOC 2 Type II               Planned 12 months after Type I completion.
ISO 27001                   Roadmap; targeted alongside SOC 2 Type II.
IATF 16949 (auto Tier-2)    We support Customer compliance via traceable audit logs; LeanOS is not itself an IATF-certified QMS.
GMP (food / pharma)         Same as above — we support, not replace, the Customer's QMS.

Shared responsibility — what the Customer does

Security is shared. The Customer is responsible for:

  • Provisioning Authorized Users (creating, assigning roles, deactivating leavers).
  • Maintaining strong passwords, enabling MFA when available, and not sharing credentials.
  • Not uploading data the Customer does not have lawful authority to upload (e.g., photos of identifiable individuals without consent).
  • Reviewing AI Output before acting on it. AI Output is advisory only — see Section 8 of the Terms of Service.
  • Maintaining the Customer's own safety-management system, quality-management system, and regulatory compliance posture. LeanOS is a tool, not a substitute.

Data export & deletion

Customers may export all Customer Data in JSON / CSV format at any time during the subscription. On termination, primary data is deleted within 30 days of the cancellation date and backups are purged within 90 days. Confirmation of deletion is provided in writing on request.

Vulnerability disclosure

If you believe you've found a security vulnerability in LeanOS, please email founder@getleanos.com with subject line “Security disclosure”. Please do not test against production data belonging to other Customers. We acknowledge reports within 3 business days and will work with you on a timeline for fix and disclosure. We do not currently run a paid bug-bounty program but credit reporters publicly with their permission.

Security architecture inquiries

For procurement security questionnaires, audit assistance, or custom diligence, email founder@getleanos.com with subject “Security review”. We typically respond within 3 business days with a written architecture brief that covers authentication, RLS isolation, encryption, backup, audit logging, AI use, subprocessors, and incident response.