AuditLease

Security

How we protect your data and what to do if you find a security concern.

UK data residency

All AuditLease data is stored and processed within the United Kingdom. We use Microsoft Azure infrastructure in the UK South region. We do not transfer personal data or lease data outside the UK or EEA without appropriate safeguards.

Encryption

  • In transit: all data in transit between your browser and AuditLease is encrypted using TLS 1.2 or higher.
  • At rest: all data stored in our database and blob storage is encrypted at rest using Azure-managed encryption keys.
  • Passwords: user passwords are never stored in plain text. They are hashed using a strong one-way hashing algorithm before storage.
  • Secrets: application secrets, connection strings, and API keys are stored in Azure Key Vault, not in application configuration files or source code.

Access controls

  • Tenant isolation: all data is isolated at the tenant level. One customer cannot access another customer's data under any circumstances.
  • Entity-level access: within a tenant, access to individual legal entities can be restricted by user role. Auditors can be granted read-only access to specific entities.
  • Authentication: users authenticate with email and password. Tokens are short-lived and stored securely.
  • Least privilege: application components are granted only the permissions they need. Database access, storage access, and Key Vault access each use separate, scoped credentials.

Audit logging

AuditLease maintains an audit log of significant actions, including lease creation, modification, calculation runs, journal posting, and user management changes. Audit logs are immutable and cannot be edited or deleted by application users.

Responsible disclosure

If you believe you have found a security vulnerability in AuditLease, please contact us at security@auditlease.co.uk.

Please include a description of the issue, the steps to reproduce it, and the potential impact. We will acknowledge your report within 48 hours and aim to resolve confirmed vulnerabilities promptly.

We ask that you do not publicly disclose a vulnerability before we have had a reasonable opportunity to address it.

Beta notice

AuditLease is currently in beta. While we take security seriously and have implemented the controls described above, the product has not yet undergone a formal third-party security audit. We recommend not storing highly sensitive personal data beyond what is required for lease accounting purposes during the beta period.