Lead Partners, LLC
Effective Date: July 18, 2025
Last Updated: July 18, 2025
Lead Partners, LLC, a South Carolina limited liability company (“Company,” “we,” “us,” or “our”), is committed to maintaining the highest standards of security for our Intelligent Attraction platform and protecting the confidentiality, integrity, and availability of our users’ data and our systems.
This Security Policy outlines our comprehensive approach to information security, including the technical, administrative, and physical safeguards we implement to protect your information and our Service. This policy applies to all users of our Service, our employees, contractors, and third-party service providers.
Our security program is built on industry-recognized frameworks and standards. We align our security practices with the following established standards and frameworks:
ISO 27001 Principles: We follow the principles of the International Organization for Standardization’s information security management standards to establish, implement, maintain, and continually improve our information security management system.
NIST Cybersecurity Framework: We utilize the National Institute of Standards and Technology Cybersecurity Framework to identify, protect, detect, respond to, and recover from cybersecurity threats.
SOC 2 Type II Controls: We implement controls consistent with Service Organization Control 2 Type II standards for security, availability, processing integrity, confidentiality, and privacy.
GDPR and Privacy Regulations: Our security measures support compliance with the General Data Protection Regulation and other applicable privacy regulations.
Security Leadership: Our security program is overseen by designated security leadership who are responsible for establishing security policies, procedures, and standards across the organization.
Risk Management: We conduct regular risk assessments to identify, evaluate, and mitigate security risks to our systems and data.
Policy Management: We maintain comprehensive security policies and procedures that are regularly reviewed and updated to address evolving threats and business requirements.
Compliance Monitoring: We continuously monitor our compliance with security policies and regulatory requirements through regular audits and assessments.
We classify data based on its sensitivity and implement appropriate protection measures:
Public Data: Information that can be freely shared without risk to the organization or individuals.
Internal Data: Information intended for use within the organization that could cause minor harm if disclosed.
Confidential Data: Sensitive information that could cause significant harm if disclosed, including customer data and business-critical information.
Restricted Data: Highly sensitive information that could cause severe harm if disclosed, including payment information and personal identification data.
Data in Transit: All data transmitted between your device and our servers is protected using Transport Layer Security (TLS) 1.2 or higher encryption protocols. This includes all web traffic, API communications, and data transfers.
Data at Rest: All sensitive data stored in our databases and file systems is encrypted using Advanced Encryption Standard (AES) 256-bit encryption or equivalent strong encryption algorithms.
Key Management: We implement robust cryptographic key management practices, including secure key generation, storage, rotation, and destruction procedures.
Database Encryption: Our databases use transparent data encryption (TDE) to protect data at the storage level, ensuring that data files, backups, and transaction logs are encrypted.
Data Minimization: We collect and retain only the minimum amount of data necessary to provide our Service and fulfill our business obligations.
Data Segregation: Customer data is logically segregated to prevent unauthorized access between different customer accounts and environments.
Secure Data Transfer: When data must be transferred between systems or to third parties, we use secure protocols and verify the integrity of transferred data.
Data Destruction: When data is no longer needed, we securely delete or destroy it using industry-standard methods to prevent recovery.
Multi-Factor Authentication (MFA): We require multi-factor authentication for administrative access to our systems and strongly recommend MFA for user accounts.
Strong Password Requirements: We enforce strong password policies requiring complex passwords with minimum length, character diversity, and regular updates.
Account Lockout Protection: Our systems implement account lockout mechanisms to prevent brute force attacks and unauthorized access attempts.
Session Management: We implement secure session management practices, including session timeouts, secure session tokens, and protection against session hijacking.
Principle of Least Privilege: Users and systems are granted only the minimum access necessary to perform their authorized functions.
Role-Based Access Control (RBAC): We implement role-based access controls to ensure that access permissions are aligned with job responsibilities and business requirements.
Regular Access Reviews: We conduct regular reviews of user access rights to ensure they remain appropriate and remove unnecessary permissions.
Segregation of Duties: Critical functions are divided among multiple individuals to prevent fraud and errors.
Privileged Account Management: Administrative accounts are subject to enhanced security controls, including additional authentication requirements and monitoring.
Just-in-Time Access: Where possible, we implement just-in-time access provisioning to limit the duration of elevated privileges.
Administrative Activity Logging: All administrative activities are logged and monitored for security and compliance purposes.
Emergency Access Procedures: We maintain documented procedures for emergency access to systems while maintaining security and audit controls.
Network Segmentation: Our network is segmented into security zones with appropriate controls between zones to limit the impact of potential security incidents.
Firewall Protection: We deploy enterprise-grade firewalls to control network traffic and prevent unauthorized access to our systems.
Intrusion Detection and Prevention: We implement intrusion detection and prevention systems (IDS/IPS) to monitor network traffic and detect potential security threats.
Virtual Private Networks (VPN): Remote access to our systems is secured through encrypted VPN connections with strong authentication requirements.
Secure Cloud Hosting: Our Service is hosted on reputable cloud platforms that maintain industry-leading security certifications and compliance standards.
Infrastructure as Code: We use infrastructure as code practices to ensure consistent and secure deployment of our systems.
Container Security: Where we use containerized applications, we implement container security best practices including image scanning and runtime protection.
API Security: Our application programming interfaces (APIs) are secured with authentication, authorization, rate limiting, and input validation controls.
Endpoint Protection: All company devices are protected with enterprise-grade endpoint protection software including anti-malware, anti-virus, and behavioral analysis.
Device Management: Company devices are managed through mobile device management (MDM) or endpoint management solutions to ensure security policy compliance.
Patch Management: We maintain a comprehensive patch management program to ensure that all systems and software are kept up to date with security patches.
Asset Management: We maintain an inventory of all IT assets and monitor them for security compliance and lifecycle management.
Security by Design: Security considerations are integrated into every phase of our software development lifecycle, from design through deployment and maintenance.
Code Review: All code changes undergo security-focused code reviews to identify and remediate potential vulnerabilities before deployment.
Static Application Security Testing (SAST): We use automated tools to analyze our source code for security vulnerabilities during the development process.
Dynamic Application Security Testing (DAST): We conduct dynamic security testing of our applications to identify runtime vulnerabilities and security issues.
Input Validation: All user inputs are validated and sanitized to prevent injection attacks and other input-based vulnerabilities.
Output Encoding: Data output is properly encoded to prevent cross-site scripting (XSS) and other output-based attacks.
SQL Injection Prevention: We use parameterized queries and prepared statements to prevent SQL injection attacks.
Cross-Site Request Forgery (CSRF) Protection: Our applications implement CSRF tokens and other protections against cross-site request forgery attacks.
Vendor Security Assessment: We conduct security assessments of third-party vendors and service providers before integration.
Supply Chain Security: We implement controls to ensure the security of our software supply chain, including dependency scanning and verification.
Third-Party Monitoring: We continuously monitor third-party services and dependencies for security vulnerabilities and updates.
Contractual Security Requirements: Our contracts with third-party providers include specific security requirements and compliance obligations.
24/7 Monitoring: We maintain continuous monitoring of our systems and networks to detect potential security threats and anomalies.
Security Information and Event Management (SIEM): We use SIEM systems to collect, analyze, and correlate security events from across our infrastructure.
Threat Intelligence: We leverage threat intelligence feeds and services to stay informed about emerging threats and attack patterns.
Behavioral Analytics: We implement user and entity behavior analytics (UEBA) to detect unusual activities that may indicate security incidents.
Incident Response Team: We maintain a dedicated incident response team trained to handle security incidents effectively and efficiently.
Incident Response Plan: We have a comprehensive incident response plan that defines roles, responsibilities, and procedures for responding to security incidents.
Incident Classification: Security incidents are classified based on severity and impact to ensure appropriate response prioritization and resource allocation.
Communication Procedures: We have established procedures for communicating about security incidents with stakeholders, customers, and regulatory authorities as required.
Business Continuity Planning: We maintain comprehensive business continuity plans to ensure the continued operation of critical business functions during disruptions.
Disaster Recovery: Our disaster recovery procedures ensure that we can restore systems and data in the event of a significant incident or disaster.
Backup and Recovery: We implement regular backup procedures and test recovery processes to ensure data can be restored when needed.
High Availability: Our systems are designed with redundancy and failover capabilities to minimize downtime and ensure service availability.
Security Training Program: All employees receive comprehensive security awareness training covering topics such as phishing, social engineering, password security, and incident reporting.
Regular Updates: Security training is updated regularly to address new threats and evolving security best practices.
Role-Specific Training: Employees in security-sensitive roles receive additional specialized training relevant to their responsibilities.
Testing and Assessment: We conduct regular testing and assessment of employee security awareness through simulated phishing exercises and other methods.
Background Checks: We conduct appropriate background checks for employees in security-sensitive positions in accordance with applicable laws and regulations.
Security Clearance: Employees are granted security clearances and access rights based on their job responsibilities and the principle of least privilege.
Termination Procedures: We have established procedures for promptly revoking access and recovering company assets when employees leave the organization.
Confidentiality Agreements: All employees sign confidentiality agreements that include specific obligations regarding the protection of sensitive information.
Secure Facilities: Our offices and data centers implement appropriate physical security controls including access controls, surveillance, and environmental protections.
Access Control Systems: Physical access to sensitive areas is controlled through card readers, biometric systems, and other access control technologies.
Visitor Management: We maintain visitor management procedures to ensure that non-employees are properly escorted and monitored while on our premises.
Environmental Controls: Our facilities include environmental controls such as fire suppression, temperature and humidity monitoring, and power backup systems.
Asset Tracking: All company equipment is tracked and inventoried to ensure proper accountability and security.
Secure Disposal: Equipment containing sensitive data is securely wiped or destroyed before disposal or redeployment.
Mobile Device Security: Company mobile devices are secured with encryption, remote wipe capabilities, and mobile device management controls.
Clean Desk Policy: We enforce clean desk policies to ensure that sensitive information is not left unattended or accessible to unauthorized individuals.
Privacy Regulations: We maintain compliance with applicable privacy regulations including GDPR, CCPA, and other regional privacy laws.
Industry Standards: We align our security practices with relevant industry standards and frameworks applicable to our business and customers.
Financial Regulations: Where applicable, we comply with financial regulations and standards such as PCI DSS for payment card data protection.
Regular Assessments: We conduct regular compliance assessments to ensure ongoing adherence to regulatory requirements and industry standards.
Internal Audits: We conduct regular internal security audits to assess the effectiveness of our security controls and identify areas for improvement.
External Audits: We engage qualified third-party auditors to conduct independent assessments of our security program and controls.
Penetration Testing: We conduct regular penetration testing to identify vulnerabilities and validate the effectiveness of our security defenses.
Vulnerability Assessments: We perform regular vulnerability assessments of our systems and applications to identify and remediate security weaknesses.
Detection Capabilities: We maintain advanced detection capabilities to identify potential data breaches and security incidents quickly.
Impact Assessment: When a potential breach is detected, we conduct immediate impact assessments to determine the scope and severity of the incident.
Containment Measures: We implement immediate containment measures to prevent further unauthorized access or data exposure.
Evidence Preservation: We preserve evidence related to security incidents for investigation and potential legal proceedings.
Customer Notification: We will notify affected customers of security incidents that may impact their data in accordance with applicable laws and contractual obligations.
Regulatory Notification: We will notify relevant regulatory authorities of data breaches as required by applicable laws and regulations.
Timeline Requirements: We strive to provide notifications within the timeframes required by applicable laws, typically within 72 hours of discovery.
Communication Content: Breach notifications include information about the nature of the incident, affected data types, steps taken to address the breach, and recommendations for affected individuals.
Regular Reviews: We conduct regular reviews of our security program to ensure it remains effective and aligned with evolving threats and business requirements.
Metrics and Measurement: We maintain security metrics and key performance indicators to measure the effectiveness of our security controls and identify areas for improvement.
Lessons Learned: We conduct post-incident reviews to identify lessons learned and implement improvements to prevent similar incidents.
Industry Engagement: We actively participate in industry security communities and forums to stay informed about emerging threats and best practices.
Security Technology Refresh: We regularly evaluate and update our security technologies to ensure they remain effective against current threats.
Emerging Threats: We monitor emerging threats and attack vectors to ensure our defenses are prepared for new types of attacks.
Innovation Integration: We evaluate and integrate new security technologies and approaches that can enhance our security posture.
Performance Optimization: We continuously optimize our security controls to balance security effectiveness with system performance and user experience.
If you have questions about our security practices or need to report a security concern, please contact us at:
Lead Partners, LLC
Email: support@intelligentattraction.ai
Website: intelligentattraction.ai
For security-specific inquiries or to report security incidents, please contact us with “Security” in the subject line for priority handling.
Security Incident Reporting: If you discover a security vulnerability or incident related to our Service, please report it immediately to our security team. We appreciate responsible disclosure and will work with you to address any legitimate security concerns.
This Security Policy is effective as of the date first written above and applies to all users of the Intelligent Attraction services operated by Lead Partners, LLC. This policy is reviewed and updated regularly to ensure it remains current with our security practices and industry standards.