LeakJar

Security & Trust

LeakJar is built on the principle that security tools should themselves be secure, transparent, and responsibly operated. Here is how we approach that.

Our security principles

We don't collect plaintext passwords.

LeakJar's Password Protect API uses k-Anonymity range queries. You send only a short hash prefix. We never see, store, or have access to your users' full password hashes or plaintext credentials.
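The range-query flow described above, as an added example that is not LeakJar's code or API. It assumes SHA-1 hashing and a 5-hex-character prefix (neither is stated on this page), and the in-memory SimulatedRangeService and all function names are hypothetical stand-ins for a real endpoint.

```python
import hashlib

# Assumptions (not from the LeakJar page): SHA-1 hashing and a 5-hex-character prefix.
PREFIX_LEN = 5

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class SimulatedRangeService:
    """Hypothetical in-memory stand-in for a range endpoint (no network)."""

    def __init__(self, breached_passwords):
        self.buckets = {}       # prefix -> set of hash suffixes
        self.seen_queries = []  # everything the "server" ever receives
        for pw in breached_passwords:
            digest = sha1_hex(pw)
            self.buckets.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])

    def range_query(self, prefix: str):
        """Return every stored suffix sharing this prefix."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be exactly PREFIX_LEN uppercase hex characters")
        self.seen_queries.append(prefix)
        return sorted(self.buckets.get(prefix, set()))

def is_exposed(password: str, service: SimulatedRangeService) -> bool:
    """Client side: send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in service.range_query(prefix)

# Constructed sample corpus, for illustration only.
SAMPLE_BREACHED = ["password", "letmein", "qwerty123"]

if __name__ == "__main__":
    svc = SimulatedRangeService(SAMPLE_BREACHED)
    for candidate in ("password", "Tr0ub4dor&3-constructed"):
        print(candidate, "->", "exposed" if is_exposed(candidate, svc) else "not found")
    print("server saw only:", svc.seen_queries)
```

The service's query log holds nothing but prefixes, and the suffix comparison that decides the result runs on the client.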

We minimize what we store and redact sensitive fields.

Our systems are designed around data minimization. Logs are redacted, retention periods are enforced, and sensitive fields are stripped before storage. We retain only what is operationally necessary.

We apply rate limits and abuse monitoring.

All API endpoints are protected by rate limiting and anomaly detection. Unusual query patterns are flagged and reviewed. Abuse results in immediate access suspension pending investigation.

We restrict high-risk capabilities to vetted enterprise contracts.

Capabilities with elevated risk profiles — such as enterprise investigations and raw exposure data access — are available only to vetted organizations under contractual controls and acceptable use agreements.

Acceptable use: No offensive use, no credential stuffing, no unauthorized access.

LeakJar is built for defensive security. Our Acceptable Use Policy explicitly prohibits using the platform for credential stuffing, unauthorized access attempts, or any offensive security activity.

Certifications & Compliance

We are actively pursuing industry-standard certifications to formalize our security commitments.

SOC 2 Type II

Service Organization Controls for security, availability, and confidentiality.

In Progress

ISO 27001

International standard for information security management systems.

In Progress

GDPR

EU General Data Protection Regulation compliance for data processing.

In Progress

Acceptable Use Policy

Our AUP defines what constitutes acceptable and prohibited use of the LeakJar platform. All customers are bound by these terms.

Security questions?

Our security team is available to discuss our practices, provide documentation, or address specific concerns.