Security & Trust
A security product, held to its own standard.
A tool that protects credentials should be secure, transparent, and responsibly operated itself. Here is exactly how we hold ourselves to that.
Principles
Our security principles
We don't collect plaintext passwords.
LeakJar's Password Protect API uses k-Anonymity range queries. You send only a short hash prefix. We never see, store, or have access to your users' full password hashes or plaintext credentials.
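To make the k-Anonymity range query concrete, here is an added, self-contained example written for this page; it is not LeakJar's code and does not use LeakJar's real API. It assumes SHA-1 and a five-hex-character prefix (both assumptions, as with the widely used Pwned Passwords design; the page does not state LeakJar's algorithm or prefix length), and the "breach corpus" is a constructed in-memory dictionary, not real data. The point it shows is that the server only ever receives the prefix, and the client does the final suffix match locally.

```python
import hashlib
from collections import defaultdict

# Assumption: SHA-1 and a 5-hex-character prefix, as in common range-query designs.
PREFIX_LEN = 5
HEX_CHARS = set("0123456789ABCDEF")

# Constructed sample corpus for this example (hypothetical passwords and counts,
# not real breach data). The server stores full hashes; the client never sends one.
CONSTRUCTED_LEAKS = {
    "password123": 412,
    "letmein": 97,
    "qwerty2020": 15,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (assumed hash for this example)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeQueryServer:
    """Server side of the range query.

    Indexes leaked hashes by prefix. At query time it sees only the prefix,
    and answers with every (suffix, count) pair in that bucket, so the bucket
    size is the client's anonymity set.
    """

    def __init__(self, leaks: dict[str, int]) -> None:
        self.index: dict[str, list[tuple[str, int]]] = defaultdict(list)
        for password, count in leaks.items():
            full_hash = sha1_hex(password)
            self.index[full_hash[:PREFIX_LEN]].append((full_hash[PREFIX_LEN:], count))
        # Records exactly what the server was sent, to show what it can learn.
        self.request_log: list[str] = []

    def range(self, prefix: str) -> list[tuple[str, int]]:
        self.request_log.append(prefix)
        if len(prefix) != PREFIX_LEN or any(c not in HEX_CHARS for c in prefix):
            raise ValueError(f"prefix must be exactly {PREFIX_LEN} uppercase hex chars")
        return sorted(self.index.get(prefix, []))


def check_password(password: str, server: RangeQueryServer) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns the breach count for the password, or 0 if it is not in the corpus.
    """
    full_hash = sha1_hex(password)
    prefix, suffix = full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]
    for candidate_suffix, count in server.range(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


if __name__ == "__main__":
    srv = RangeQueryServer(CONSTRUCTED_LEAKS)
    for pw in ("password123", "definitely-not-leaked-7f3a"):
        print(pw, "->", check_password(pw, srv))
    print("server saw only prefixes:", srv.request_log)
```

Note the two checks worth keeping in a real client: the prefix sent must be the only derived value that leaves the client, and the suffix comparison must happen locally. A server that wanted to weaken the property would have to enlarge the prefix; a client that wanted to verify it would inspect what it sends, as the request log does here.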
We minimize what we store and redact sensitive fields.
Our systems are designed around data minimization. Logs are redacted, retention periods are enforced, and sensitive fields are stripped before storage. We retain only what is operationally necessary.
We apply rate limits and abuse monitoring.
All API endpoints are protected by rate limiting and anomaly detection. Unusual query patterns are flagged and reviewed. Abuse results in immediate access suspension pending investigation.
We restrict high-risk capabilities to vetted enterprise contracts.
Capabilities with elevated risk profiles — such as enterprise investigations and raw exposure data access — are available only to vetted organizations under contractual controls and acceptable use agreements.
Acceptable use: No offensive use, no credential stuffing, no unauthorized access.
LeakJar is built for defensive security. Our Acceptable Use Policy explicitly prohibits using the platform for credential stuffing, unauthorized access attempts, or any offensive security activity.
Security Practices
Tested and reviewed regularly
We back our security principles with independent, third-party testing and code review on a regular cadence.
Regular penetration testing
We commission independent third-party penetration tests on a regular schedule. Tests cover our API surface, authentication flows, and infrastructure. Findings are triaged, remediated, and tracked to closure.
Code and architecture audits
Our codebase undergoes periodic security-focused code reviews and architecture audits by external reviewers. Audit scope includes data handling, access control, cryptographic practices, and dependency risk.
Acceptable Use Policy
Our AUP defines what constitutes acceptable and prohibited use of the LeakJar platform. All customers are bound by these terms.
Security questions?
Our security team is available to discuss our practices, provide documentation, or address specific concerns.