Everything procurement asks for, in one place.
Last updated: 17 May 2026
LeanOS is a B2B SaaS platform that holds defect photos, kaizen savings, A3 cases, and other operational data that may include trade secrets. We treat your data the way you would.
status.getleanos.com
Real-time uptime + incident history powered by Better Stack. Subscribe via email or webhook to get notified the moment anything degrades. Linked from every runbook in our ops response chain.
Verify these yourself
We don’t expect you to take our word for anything. Every link below runs an independent third-party scan against getleanos.com — no LeanOS involvement required.
Public documents
- DPDP Act 2023 (India) + GDPR-compliant. Includes data fiduciary identification, lawful basis, AI use disclosure, retention schedule, breach notification, data subject rights.
- AI-output advisory clause, no-safety-guarantees waiver, mutual indemnification, 12-month-fees liability cap, governing law India, arbitration Mumbai.
- Multi-tenant isolation by RLS, encryption in transit + rest, RBAC, audit logging (7yr retention), incident response (72h notification), backup RTO/RPO, compliance roadmap.
- Public list of every vendor that touches Customer Data (Supabase, Vercel, Anthropic, Resend, Zoho), with purpose, region, and DPA links.
- Coordinated disclosure policy for security researchers. Contact, scope, our commitments (5-day acknowledgment, 30-day P0/P1 fix), safe harbor, hall of fame. Machine-readable contact at /.well-known/security.txt (RFC 9116).
Operational runbooks
The procedures we follow during incidents, backups, and recovery. Each card opens the customer-facing commitments (what we’d sign into the MSA / DPA anyway). The full playbook is pre-prepared and available under NDA — typical turnaround 3 business days.
- Customer notification within 24h (DPA). P0/P1 ack within 1h on Enterprise. 6-phase response framework + annual tabletop. Per-phase detail available under NDA.
- Supabase PITR (7-day window) + nightly snapshots (30-day retention). AES-256 at rest. Quarterly restoration tests. Specific restore procedures available under NDA.
- RPO ≤ 1 hour / RTO ≤ 4 hours, contractual on Enterprise. Annual DR drill. 7 disaster scenarios planned. Per-scenario response available under NDA.
- 1-2 day onboarding (30 min ops + 24h DNS) to a customer's own Supabase project in their chosen AWS region. Full 7-step SOP available under NDA.

Available on request — email founder@getleanos.com
We respond to security and contract diligence requests within 3 business days.
- Our standard MSA template for paid Pro / Enterprise subscriptions. Customer redlines reviewed case-by-case.
- Our standard 30-day free Pilot Agreement. Suitable for evaluation in one plant, up to 25 seats.
- DPDP Act + GDPR-aware DPA covering processing roles, security measures (Annex B), subprocessors (Annex C), cross-border transfer mechanisms.
- Pricing + scope template for Pro / Enterprise subscriptions. Annual prepaid; auto-renewing.
- Our company information, GST, PAN, bank details, and tax info for your vendor master / procurement system.
- Pre-filled answers to 50+ standard security questions covering architecture, access control, incident response, AI use, third-party risk, and compliance.
- Detailed technical architecture overview: authentication, RLS isolation, encryption, backup, audit logging, AI use, subprocessors, incident response.
- SOC 2 Type I — initiated upon enterprise contract signature. SOC 2 Type II + ISO 27001 on roadmap.

Things we explicitly don't do
- No advertising or marketing tracking. No Google Ads, Meta Pixel, LinkedIn Insight Tag, behavioural analytics (GA, Mixpanel, etc.).
- No Customer Data for AI training. Anthropic does not train on API data; we do not train any in-house model on Customer Data.
- No data enrichment against third-party data brokers (Clearbit, ZoomInfo, etc.).
- No automatic actions on AI output. Every AI suggestion requires human review by an authorized Customer user before any action.
- No marketing use of Customer defect photos without separate, photo-by-photo, written consent.
- No pre-filled cookie consent. We use only strictly-necessary authentication cookies; no banner needed because we don't set any non-essential cookies.
Inbound security or contract review?
Email founder@getleanos.com with the subject “Security review” or “Contract review” and your typical procurement turnaround. We respond within 3 business days with the relevant documents and an offer to schedule a 30-minute architecture / contract Q&A call with the founder.