Enterprise-grade security

Your DM data. Your business. Fully protected.

LeadsBox connects to your social channels through official APIs only. Your conversations, lead data, and business revenue are encrypted, isolated, and never shared.

AES-256-GCM: encryption at rest
TLS 1.3: encryption in transit
GDPR: EU compliant
NDPR: Nigeria compliant
Security overview: all systems secure
Data encryption at rest: AES-256-GCM
Transport encryption: TLS 1.3
Social credentials stored: never, API tokens only
GDPR compliance: data deletion + DPA available
NDPR compliance: Nigeria Data Protection Regulation
OAuth 2.0 state validation: CSRF attack prevention
Official APIs only
Security features

Built secure from the ground up

AES-256-GCM encryption

All DM data, lead records, and settings are encrypted at rest using AES-256-GCM, an authenticated encryption mode that protects both confidentiality and integrity (the same standard used by banks). Each organisation has its own unique key.
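As an added example in Go (not LeadsBox's own code), the following program shows what per-organisation AES-256-GCM sealing looks like in practice, and the same mechanism covers the "token encrypted with your org key" step of the connection flow further down the page. Each organisation gets its own 256-bit key, the organisation ID is bound to the ciphertext as associated data, and decryption fails closed whenever the key, the organisation label, or the ciphertext is wrong. The random per-org key held in process memory is an assumption standing in for a KMS, and the token string is constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// OrgKey is the 256-bit AES key belonging to one organisation.
type OrgKey [32]byte

// NewOrgKey generates a fresh random key. Assumption: a real deployment keeps
// these in a KMS or HSM rather than in process memory.
func NewOrgKey() (OrgKey, error) {
	var k OrgKey
	if _, err := io.ReadFull(rand.Reader, k[:]); err != nil {
		return k, err
	}
	return k, nil
}

// Seal encrypts plaintext for one organisation. The org ID is bound as
// associated data, so a ciphertext cannot be silently re-attributed to another
// tenant. Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func Seal(key OrgKey, orgID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(orgID)), nil
}

// Open reverses Seal. Any mismatch (wrong key, wrong org, flipped bit) yields
// a single generic error; GCM does not reveal which part failed.
func Open(key OrgKey, orgID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(orgID))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong org, or tampered data")
	}
	return pt, nil
}

func main() {
	keyA, _ := NewOrgKey()
	keyB, _ := NewOrgKey()
	token := []byte("constructed-sample-access-token") // stands in for a provider token
	sealed, _ := Seal(keyA, "org_a", token)

	pt, err := Open(keyA, "org_a", sealed)
	fmt.Printf("org_a, own key:       %q err=%v\n", pt, err)
	_, err = Open(keyB, "org_a", sealed)
	fmt.Println("org_b key:           ", err)
	_, err = Open(keyA, "org_b", sealed)
	fmt.Println("relabelled as org_b: ", err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the GCM tag
	_, err = Open(keyA, "org_a", sealed)
	fmt.Println("tampered ciphertext: ", err)
}
```

The org ID as associated data is the detail worth noting: it means a row copied from one tenant's namespace into another's will not decrypt even if both tenants' keys were ever the same, which turns the "structural separation" of the multi-tenancy claim into something the cipher enforces rather than only the schema.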

TLS 1.3 in transit

Every request between your device and LeadsBox servers is encrypted with TLS 1.3. No data travels in plaintext — ever.

No social credentials stored

LeadsBox connects via official OAuth APIs. Your Instagram, WhatsApp, Facebook, and Telegram passwords are never sent to or stored by LeadsBox.

bcrypt password hashing

User passwords are hashed with bcrypt at cost factor 12. We never store plaintext passwords and cannot recover them — only reset them.

OAuth CSRF protection

State parameters in all OAuth flows are cryptographically signed and verified server-side, preventing CSRF attacks during social account connection.

Organisation-level data isolation

Every organisation gets a scoped data namespace. Multi-tenancy isolation means your data is structurally separated from all other LeadsBox accounts.

Audit log

LeadsBox logs all team member actions — logins, lead updates, invoice sends, and setting changes — with timestamps. Pro plan feature.

Rate limiting & abuse prevention

API rate limits, failed login protection, and automated suspicious activity detection prevent brute-force attacks and credential stuffing.

Official APIs only

We never scrape, and we never store your passwords

LeadsBox connects to Instagram, WhatsApp, Facebook, and Telegram through their official developer APIs. We use OAuth 2.0 for authentication — your passwords are never sent to LeadsBox and we cannot access your account beyond what you explicitly grant.

Meta Messaging API — Instagram + Facebook
WhatsApp Business API (Cloud)
Telegram Bot API
Revoke access anytime from social settings
Connection flow
1. You click "Connect Instagram": LeadsBox redirects you to Instagram's OAuth page.
2. You log in on Instagram: your credentials go to Instagram, never to LeadsBox.
3. Instagram grants a token: a scoped access token is sent to LeadsBox. No password ever touches our server.
4. LeadsBox uses the token: read-only access to DMs. The token is encrypted with your org key.
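The connection flow above and the "OAuth CSRF protection" feature, as one added example in Go that is not LeadsBox's code: a state value is issued when the user clicks Connect, signed with HMAC-SHA256 and bound to the user's browser session with a 10-minute expiry, and the callback handler releases the authorization code for exchange only when that state verifies for the same session. Session IDs, the authorization code, the callback URL and the signing key are placeholders, and binding the state to the session is an assumption about how such a check is built, not a statement about LeadsBox's implementation.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// StateSigner issues and verifies OAuth 2.0 state values of the form
// base64url(nonce || expiry) "." base64url(HMAC-SHA256(key, session || payload)).
// A state therefore verifies only for the session that started the flow.
type StateSigner struct {
	key []byte        // assumption: loaded from the server's secret store
	ttl time.Duration // how long an issued state stays valid
	Now func() time.Time
}

func NewStateSigner(key []byte, ttl time.Duration) *StateSigner {
	return &StateSigner{key: key, ttl: ttl, Now: time.Now}
}

func (s *StateSigner) sign(sessionID, payload string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(sessionID))
	m.Write([]byte{0}) // separator: "ab"+"c" must not collide with "a"+"bc"
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue creates a fresh state bound to sessionID (step 1); it goes into the
// state query parameter of the provider's authorize URL.
func (s *StateSigner) Issue(sessionID string) (string, error) {
	raw := make([]byte, 24) // 16-byte random nonce || 8-byte expiry (unix seconds)
	if _, err := rand.Read(raw[:16]); err != nil {
		return "", err
	}
	binary.BigEndian.PutUint64(raw[16:], uint64(s.Now().Add(s.ttl).Unix()))
	payload := base64.RawURLEncoding.EncodeToString(raw)
	return payload + "." + s.sign(sessionID, payload), nil
}

// Verify checks the state the provider sent back (step 3). The signature is
// compared in constant time before the payload is parsed, so unauthenticated
// input is never decoded.
func (s *StateSigner) Verify(sessionID, state string) error {
	payload, sig, ok := strings.Cut(state, ".")
	if !ok {
		return errors.New("malformed state")
	}
	if !hmac.Equal([]byte(sig), []byte(s.sign(sessionID, payload))) {
		return errors.New("state signature invalid: forged, or issued for a different session")
	}
	raw, err := base64.RawURLEncoding.DecodeString(payload)
	if err != nil || len(raw) != 24 {
		return errors.New("malformed state payload")
	}
	if s.Now().Unix() > int64(binary.BigEndian.Uint64(raw[16:])) {
		return errors.New("state expired")
	}
	return nil
}

// HandleCallback is the server side of step 3: the authorization code is
// released for the token exchange only if the state verifies for this session.
func (s *StateSigner) HandleCallback(sessionID, callbackURL string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if err := s.Verify(sessionID, q.Get("state")); err != nil {
		return "", err
	}
	if q.Get("code") == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return q.Get("code"), nil
}

func main() {
	s := NewStateSigner([]byte("constructed-demo-key"), 10*time.Minute)
	// The user starts a flow in their own session and the provider redirects back.
	st, _ := s.Issue("sess-victim")
	cb := "https://app.example/oauth/callback?code=constructed-code&state=" + url.QueryEscape(st)
	code, err := s.HandleCallback("sess-victim", cb)
	fmt.Println("own session:", code, err)
	// An attacker completes a flow for the attacker's social account and plants the
	// resulting callback URL in the victim's browser (login CSRF): the state was
	// issued for the attacker's session, so it does not verify for the victim's.
	ast, _ := s.Issue("sess-attacker")
	planted := "https://app.example/oauth/callback?code=attacker-code&state=" + url.QueryEscape(ast)
	_, err = s.HandleCallback("sess-victim", planted)
	fmt.Println("planted callback:", err)
}
```

The attack this blocks is the one the page calls CSRF during social account connection: without the session binding, a valid-looking state plus the attacker's authorization code would connect the attacker's Instagram account to the victim's LeadsBox organisation. The expiry limits how long a captured callback URL stays useful, and checking the signature before decoding keeps the parser off the unauthenticated path.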
Compliance

Privacy regulations we comply with

🇪🇺
GDPR
EU General Data Protection Regulation
Right to data deletion (handled in <72h)
Data Processing Agreement (DPA) available
Cookie consent required before tracking
Data minimisation — only what is needed
Privacy Policy in plain language
🇳🇬
NDPR
Nigeria Data Protection Regulation
Nigerian user data stored with appropriate safeguards
Data breach notification policy in place
Data subject access requests honoured
Third-party data processor agreements maintained

Need a Data Processing Agreement? Download our DPA here · Questions? Contact us

Responsible disclosure

Found a security vulnerability? We take all reports seriously and commit to responding within 48 hours. Please do not publish vulnerabilities before giving us time to fix them.

security@leadsboxapp.com

Secure DM CRM. Try it free.

7-day free trial. No credit card. Your data stays yours.