Protecting your data

As a cloud service, the security of your data is our top priority. We’ve outlined important measures to keep your data private below. We employ a broad range of additional safeguards and protective measures that would be either (i) too complicated to explain or (ii) unwise to share with the public. Please do get in touch if you have any questions.

ISO 27001 certified

Leapsome is certified as compliant with ISO/IEC 27001:2013, which is globally recognized as the leading information security management system (ISMS) standard.

Hosting

Our application is hosted on servers provided by Amazon Web Services in its European data centers. Amazon Web Services is a leading “platform as a service” provider that allows customers (including Siemens, Novartis, Nasdaq, Vodafone, and others) to develop, run, and manage applications without the complexity of building and maintaining the infrastructure associated with it. It provides best-in-class security infrastructure and takes care of backups, logging, auditing, and other infrastructure-related services.

Amazon Web Services continuously audits its services and has been certified as compliant with the following standards, among others:

  • ISO 27001
  • ISO 27017
  • ISO 27018
  • SOC 2
  • SOC 3

Other subcontractors used by Leapsome to provision its service include similarly renowned and certified companies such as

  • MongoDB, Inc.
  • Zendesk, Inc.
  • Twilio, Inc.
  • Rocket Science Group, LLC (Mailchimp)

Any transfer of data to a state that is not a member state of either the European Union or the European Economic Area will only occur in compliance with the GDPR and if the specific requirements of Article 44 et seq. of the General Data Protection Regulation (GDPR) have been fulfilled. Specifically, a transfer requires a clear contractual agreement between Leapsome and any subcontractor that guarantees at least the same level of data protection under standard contractual clauses (SCCs) as stipulated by the European Commission.

Passwords

Your passwords are always hashed with a salt (a one-way transformation) and never saved in plain text. When a user tries to log in, the submitted password is hashed in the same way, and the platform compares the two hashes to check if they match. This also means that we cannot recover a password for you (we only hold the hash), and you have to reset your password if you lose it. For additional security, we enforce a minimum password length when a user signs up.

If your company uses GSuite for internal communication, you can also sign in with Google; Okta, Active Directory, and other SSO providers are supported in the same way via a secure connection. In that case, your passwords are not stored on our servers at all. Instead, your users are redirected to a page where they authorize Leapsome as a trusted service, and a token is generated (which we can use to identify your users). You can revoke that token at any time via your Google account settings.

Cookies and Tokens

Our platform uses cookies and tokens to authenticate users across sessions. Tokens never contain your actual password or other sensitive information. All that gets saved is a randomly created token that allows you to access basic functionality. To access critical functionality — like changing your password — you have to re-enter your password.

Data Encryption

All communication between your users and our servers is SSL/TLS-encrypted. SSL (Secure Sockets Layer, now superseded by TLS) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and unaltered. SSL/TLS is an industry standard and is used by millions of websites to protect their online transactions with their customers.

Additionally, we employ encryption at rest to encrypt all data in our database with the industry-standard AES-256 algorithm. This means that your data is encrypted on disk and is only decrypted while the application is processing it; it never rests in the database in plain text.

Secure Frameworks

In addition to a secure hosting environment, we’re building on established software libraries to guarantee that your data is secure and your users are not exposed to vulnerabilities.

Our frontend framework Vue, combined with the use of unique user tokens, protects your users against common threats such as cross-site scripting (XSS) and cross-site request forgery (CSRF / XSRF).

We're using MongoDB as a data store, meaning that our application is not vulnerable to SQL injection. The use of established middleware and sanitization of all input adds further protection.

As mentioned above, our application runs on AWS servers. AWS keeps the server software up to date at all times and fixes any new security vulnerabilities immediately.

Preventing access from within

Even an authenticated (logged in) user may try to exploit vulnerabilities — someone could, for example, register for a demo account and try to access other clients’ information.

While the software frameworks listed above already protect the system from that threat, the application code additionally checks each request and verifies that the requested database object’s company ID matches the company ID of the requesting user. Each database object is tagged with a company ID, and any mismatch triggers an immediate notification to our administrators.

We also apply a strict role-based model to all requests and views of the platform. This prevents employees from accessing functionality (like modifying user data, editing billing information, etc.) that should be reserved to administrators only.
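The following is an added example (not Leapsome's code) of the two checks the last two paragraphs describe: a per-request tenant check that compares the stored object's company ID with the requesting user's, reports any mismatch to administrators, and a role check that reserves admin-only functionality. The in-memory collection, the `notifyAdmins` hook and the `ADMIN_ONLY` resource list are constructed stand-ins for a real database and alerting pipeline.

```javascript
// Constructed sample data: two tenants ("acme", "globex"), one document each.
const reviews = new Map([
  ["r1", { _id: "r1", companyId: "acme", text: "Great quarter" }],
  ["r2", { _id: "r2", companyId: "globex", text: "Needs improvement" }],
]);

// Hypothetical notifier: records every cross-tenant attempt for administrators.
const securityEvents = [];
function notifyAdmins(event) {
  securityEvents.push({ at: new Date().toISOString(), ...event });
}

// Hypothetical role model: billing and user records are admin-only.
const ADMIN_ONLY = new Set(["billing", "users"]);
function assertRole(user, resource) {
  if (ADMIN_ONLY.has(resource) && user.role !== "admin") {
    const err = new Error("forbidden: admin role required");
    err.status = 403;
    throw err;
  }
}

// Load a document on behalf of a user. The tenant check runs on every
// request, regardless of where the id came from (URL, form, API call).
function loadForUser(user, collection, id) {
  const doc = collection.get(id);
  // Answer identically for "missing" and "belongs to another tenant" so a
  // caller probing ids learns nothing about objects outside their company.
  if (!doc || doc.companyId !== user.companyId) {
    if (doc) {
      // A real object from another company: this is the case the page says
      // triggers an administrator notification.
      notifyAdmins({
        type: "cross-tenant-access", userId: user.id, docId: id,
        userCompany: user.companyId, docCompany: doc.companyId,
      });
    }
    const err = new Error("not found");
    err.status = 404;
    throw err;
  }
  return doc;
}

// Request handler combining the role check and the tenant check.
function handleGet(user, resource, collection, id) {
  assertRole(user, resource);
  return loadForUser(user, collection, id);
}
```

Doing the company-ID comparison in one shared loader, rather than in each handler, is what makes the check hard to forget when new endpoints are added.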

Access restrictions to code and database

Our application and database are hosted in a securely guarded data center where professional staff takes care of the physical security of servers.

Remote access is strictly limited, too. Within our team, each deployment of new code has to be approved by one of the two people who have access. The same access limitation applies to our databases and internal administration area. Access to the databases, our central code repository, and our hosting environment is furthermore protected by two-factor authentication. We regularly rotate passwords and security tokens.

In our internal administration data, we only display aggregated statistics and company-level data (such as invoicing information), not the content of actual feedback, reviews, etc. We do not look into raw customer data unless we have been granted permission to do so to fix a bug. That said, most bugs can be fixed by analyzing server logs and reproducing the problem with dummy data.

Data processing agreement (DPA)

Once you start using Leapsome, you will sign a data processing agreement with us. It lays out how we may handle your data, explains the security measures deployed, states your rights, and is needed to be fully compliant with the GDPR.

Internal security policies

Our team is highly security-aware. To avoid falling prey to social engineering by outsiders, we regularly hold internal security briefings, only deploy up-to-date and modern browsers, use password managers and different passwords for all sites, regularly update passwords, and encrypt the hard drives of our devices.

Availability and disaster recovery

Our application and databases are distributed and replicated across various servers. In the event that one of those servers goes down, another instance would take over the job of serving the application, usually without the end-user actually noticing.

Databases are backed up on a continuous basis and can be restored should the software or server ever fail in a significant way. Backups are stored in different availability zones for additional security.

Monitoring

We closely monitor the performance of our application and databases via AWS’s built-in monitoring tools and New Relic. Any internal errors or potential failures of our various integrations are logged and trigger notifications to our development team, usually allowing us to identify the problem within a few minutes and swiftly remedy the situation.

User requests and bug reports

Having said the above, sometimes it’s users who notice a glitch or stumble across a bug in the software. We encourage you to get in touch via the platform’s help bot or the help widget in our Success Center (both accessible in the bottom-right corner of the screen) — we greatly appreciate any hints or feedback. If you can, please include a screenshot and an exact description of the situation you encountered. Critical issues receive immediate attention and are usually fixed within two hours; we strive to deal with non-critical requests within 24 hours.

Found a security threat?

We run regular external penetration tests/audits with industry-leading security specialists to detect potential vulnerabilities and protect your data.

If you still think you have found a security threat in our system, please contact us immediately via security@leapsome.com or +49 160 9798 2209. Your information will remain confidential, and we will deal with your request immediately.

Full-disclosure policy

If anything serious ever happens and your data is affected, we will provide full disclosure to enable you to take precautions and minimize the damage. Our previous experience at companies such as Funding Circle has taught us that transparency is paramount in earning and keeping your trust, if security should ever be threatened.
