Security
Every LEAPWare product treats security as a structural property — enforced at the infrastructure layer, not bolted on after the features work. If governance can be bypassed, it does not exist. This document describes the security architecture, operational controls, and compliance posture that protect every tenant, every agent, and every knowledge object in the LEAPWare platform.
Core Security Architecture
LEAPWare's security model is not a checklist applied to a finished product. It is four structural pillars that constrain the architecture itself — every feature, every integration, every deployment must satisfy all four before it ships.
Every knowledge access, every agent action, every API call is evaluated against declarative Cedar policies before execution. Attribute-Based Access Control evaluating agent identity, data classification, organizational hierarchy, task context, and resolution level. Sub-10ms evaluation on every request. Full audit log on every authorization decision — allow and deny. Cedar was chosen because policies are declarative, auditable, and formally verifiable — not embedded in application code where they can be silently bypassed. Policies are versioned, reviewed through governance workflows, and tested against golden datasets before promotion to production. No code path exists that bypasses the policy evaluation layer.
Dedicated database schemas per tenant. Scoped API keys with tenant binding at the cryptographic layer. Tenant-aware middleware at every layer of the stack — not a WHERE clause, a structural boundary. No shared tables, no shared indexes, no cross-tenant query path. A compromised tenant cannot access, enumerate, or infer the existence of another tenant's data. Isolation is verified by automated penetration tests in the CI/CD pipeline. Tenant boundaries are enforced at the network, application, and data layers simultaneously — a defense-in-depth model where no single layer's failure exposes cross-tenant data.
Every VIRT operates in its own container with scoped filesystem access, metered compute, network restrictions, and LeapNerve policy enforcement at the container boundary. Agents cannot see another agent's workspace, access another agent's knowledge scope, or exceed resource allocation. Container lifecycle is managed by the VIRT Execution Engine — containers are created at instantiation, monitored during operation, and destroyed at stand-down. No persistent state outside the governed knowledge graph. Resource limits are enforced by the container runtime — CPU, memory, network bandwidth, and ephemeral storage are all capped per VIRT charter specification. Containers run as non-root with read-only root filesystems.
TLS 1.3 in transit — no fallback to older protocols. AES-256-GCM at rest with tenant-scoped encryption keys derived via HKDF with tenant identity as input. Secrets managed in a cloud KMS with HSM-backed key storage and automatic rotation every 90 days. No plaintext credentials in configuration files, environment variables, container images, or application logs. Key derivation uses tenant identity as a binding parameter — one tenant's key material cannot decrypt another tenant's data even if storage-layer access were compromised. Certificate pinning enforced on all internal service-to-service communication.
Cryptographic Standards
LEAPWare maintains a single, non-negotiable cryptographic standard across the entire platform. There are no "legacy compatibility modes," no customer-configurable cipher suites, and no exceptions for internal services. Every data path — external API, internal service mesh, database connection, backup stream — adheres to the same standard.
Data at Rest: AES-256-GCM — All persistent data is encrypted using AES-256 in Galois/Counter Mode, which provides both confidentiality and authenticated integrity. Each tenant's data is encrypted with a unique Data Encryption Key (DEK) that is itself wrapped by a Key Encryption Key (KEK) stored in cloud KMS with HSM backing. This envelope encryption model means that even a full database export without the KMS yields only ciphertext. DEKs are derived using HKDF (HMAC-based Key Derivation Function) with the tenant's unique identity as a context parameter — ensuring cryptographic separation between tenants at the key material level, not just the access control level.
Data in Transit: TLS 1.3 Exclusively — All external connections require TLS 1.3. There is no fallback to TLS 1.2 or any earlier protocol version. Internal service-to-service communication uses mutual TLS (mTLS) with short-lived certificates rotated automatically. Cipher suites are restricted to AEAD constructions — AES-256-GCM and ChaCha20-Poly1305. No CBC mode. No RSA key exchange. Forward secrecy is mandatory on every connection.
Key Rotation — Encryption keys are rotated on a 90-day schedule, enforced by automated policy. Rotation is non-disruptive: new data is encrypted with the current key, and existing data is re-encrypted during scheduled maintenance windows. Key rotation events are logged, alerted on failure, and auditable. Emergency rotation can be triggered within minutes for incident response.
Credential Management — No plaintext credentials exist anywhere in the LEAPWare infrastructure. API keys, database credentials, service tokens, and signing keys are stored exclusively in cloud KMS or secret management vaults. Credentials are injected into containers at runtime via secure sidecar patterns — never baked into images, never written to environment variables that could appear in process listings or crash dumps. Credential access is logged and subject to Cedar policy evaluation.
Data Protection
LEAPWare processes three categories of data, each with distinct protection requirements and controls calibrated to the sensitivity and value of the information:
Knowledge Objects — the nine typed objects (Specification, Decision, Procedure, Event Record, Metric Definition, Entity, Thread, Template, Experiential Knowledge) that form the organizational mind. Protected by: tenant isolation at the schema level, Cedar ABAC on every access evaluating requestor identity, data classification, and organizational context, bi-temporal versioning with immutable audit trail ensuring no knowledge state is ever lost, and encrypted at rest with tenant-scoped keys derived via HKDF. Knowledge objects are the highest-value data in the system and receive the strongest protection. Every read, write, and delete operation is individually authorized and logged. Soft-delete with configurable retention ensures recoverability. Backup encryption uses separate key material from primary storage.
Agent Interaction Data — the actions taken by VIRTs, including tool calls, knowledge mutations, inter-agent communications via LeapNerve, and A2A protocol exchanges. Protected by: container isolation ensuring agents operate in sandboxed environments, charter enforcement validating every action against the VIRT's authority boundaries before execution, full audit logging with actor attribution linking every action to the specific agent, policy version, and human authorization chain, and governance-as-context serialization ensuring policy constraints travel with every A2A task delegation. Agent interaction data is retained for the full audit window and cannot be modified after creation.
Operational Metadata — system telemetry, performance metrics, health probes, and platform operational data. Protected by: anonymization at collection with no tenant-identifying information in telemetry streams, encrypted transport to the observability stack via mTLS, retention limits enforced by automated policy with configurable windows per data type, and access restricted to platform operations personnel with dedicated access reviews. Operational metadata never contains knowledge content, user input, or agent reasoning — only structural performance data.
Network Security
LEAPWare's network architecture is designed on the principle that no single control prevents all attacks — every layer must independently resist compromise, and the failure of any one layer must not expose the layers beneath it.
DDoS Mitigation — All public-facing traffic routes through Cloudflare's global network, providing automatic DDoS mitigation at layers 3, 4, and 7. Volumetric attacks are absorbed at the edge before they reach origin infrastructure. Application-layer attacks are filtered by behavioral analysis and challenge mechanisms. Origin IP addresses are never exposed in DNS records, headers, or error messages.
Web Application Firewall — A WAF evaluates every inbound HTTP request against OWASP Core Rule Set signatures, custom rules tailored to the LEAPWare API surface, and behavioral anomaly detection. Requests matching known attack patterns — SQL injection, XSS, path traversal, command injection, SSRF — are blocked at the edge with full logging for forensic analysis. WAF rules are reviewed and updated on a weekly cadence.
Rate Limiting — API endpoints enforce per-tenant, per-endpoint rate limits calibrated to legitimate usage patterns. Authentication endpoints have aggressive rate limits with exponential backoff to prevent credential stuffing. Rate limit violations are logged and trigger automated alerting when patterns indicate coordinated abuse.
Egress Filtering — Outbound network traffic from application containers is restricted to an explicit allowlist of destinations. Containers cannot initiate connections to arbitrary internet hosts. VIRT containers have the most restrictive egress rules — only the destinations specified in their charter are permitted. All egress traffic is logged and subject to anomaly detection.
VPC Isolation — All LEAPWare infrastructure operates within Virtual Private Cloud boundaries. Databases, caches, and internal services are not accessible from the public internet — there is no direct database access path from any public network. Service-to-service communication occurs over private network interfaces with security group rules enforcing least-privilege connectivity. Bastion access for operations personnel requires MFA and is logged with session recording.
Application Security
Application security at LEAPWare is not a review gate applied before release — it is a set of structural constraints enforced by the framework, the CI/CD pipeline, and the runtime environment. Developers cannot accidentally introduce common vulnerability classes because the architecture prevents them.
OWASP Top 10 Mitigation — Every vulnerability class in the OWASP Top 10 is addressed by structural controls, not developer discipline. Injection is prevented by parameterized queries enforced at the ORM layer with no raw SQL escape hatch. Broken authentication is mitigated by centralized identity services with mandatory MFA. Sensitive data exposure is prevented by encryption-by-default and the absence of plaintext credential storage. XML External Entity attacks are blocked by disabling external entity processing in all XML parsers. Security misconfiguration is managed by infrastructure-as-code with hardened base images and automated configuration drift detection.
HTTP Security Headers — Every response from LEAPWare services includes a strict security header set: Content-Security-Policy (CSP) restricting script sources, style sources, and connection targets to explicit allowlists. HTTP Strict Transport Security (HSTS) with a one-year max-age, includeSubDomains, and preload directives — LEAPWare domains are submitted to browser HSTS preload lists. X-Frame-Options set to DENY preventing clickjacking. X-Content-Type-Options set to nosniff. Referrer-Policy set to strict-origin-when-cross-origin. Permissions-Policy disabling access to camera, microphone, geolocation, and other sensitive browser APIs.
Email Security — All LEAPWare domains enforce DMARC with a reject policy (p=reject), meaning any email failing SPF or DKIM validation is rejected by the receiving server — not quarantined, rejected. SPF records are maintained with a strict allowlist of authorized sending infrastructure. DKIM signing uses 2048-bit RSA keys rotated annually. These controls prevent domain spoofing and protect customers from phishing attempts impersonating LEAPWare communications.
Input Validation and Output Encoding — All user input is validated against strict schemas at the API boundary before reaching application logic. Output encoding is applied context-appropriately — HTML entity encoding for web rendering, JSON encoding for API responses, URL encoding for redirect targets. Parameterized queries are the only supported database access pattern; string concatenation for query construction is blocked by static analysis in the CI pipeline.
Supply Chain Security
The software supply chain is the most underestimated attack surface in modern software. LEAPWare treats every external dependency as a trust decision that must be justified, monitored, and revocable.
Dependency Scanning — All project dependencies are continuously scanned by Dependabot and Snyk for known vulnerabilities. Scanning occurs on every pull request, on a daily schedule against the main branch, and against the National Vulnerability Database (NVD) as new CVEs are published. Vulnerabilities that meet severity thresholds automatically create issues with SLA-bound resolution timelines. No dependency with a known critical vulnerability ships to production.
SBOM Generation — A Software Bill of Materials is generated for every release, enumerating every direct and transitive dependency with exact version, license, and known vulnerability status. SBOMs are stored as release artifacts and are available to customers and auditors on request. The SBOM format follows CycloneDX specification for interoperability with enterprise vulnerability management tooling.
Container Image Security — All container images are built from minimal base images with no shell, no package manager, and no unnecessary utilities in production. Images are scanned for vulnerabilities before they enter the container registry. Only signed images from the LEAPWare build pipeline are accepted by the container orchestrator — unsigned or externally built images are rejected at admission. Image digests are pinned in deployment manifests; tags are never used as the sole reference.
Signed Builds — All release artifacts are cryptographically signed. Build provenance is recorded, linking every artifact to the specific source commit, build environment, and pipeline run that produced it. This allows customers and internal teams to verify that any deployed artifact was produced by the official LEAPWare build infrastructure and has not been tampered with in transit or storage.
Minimal Dependency Philosophy — LEAPWare maintains a deliberate bias toward fewer dependencies. Every new dependency requires a justification that the functionality cannot be reasonably implemented in-house, a license review confirming compatibility with LEAPWare's distribution model, a maintenance assessment evaluating the dependency's bus factor, release cadence, and security responsiveness, and an initial vulnerability scan. Dependencies that are abandoned, have unresponsive maintainers, or accumulate unpatched vulnerabilities are replaced proactively — not when an exploit appears.
Vulnerability Management
Vulnerabilities are triaged using the Common Vulnerability Scoring System (CVSS v3.1) and assigned resolution SLAs based on severity. These SLAs are non-negotiable — security patches are always prioritized over feature work.
Resolution SLA: 24 hours. Active exploitation possible or confirmed. All hands on deck. Feature work stops. Hotfix deployed to production within 24 hours of confirmed triage. Customer notification within 4 hours if data exposure is possible. Post-patch verification required before closing.
Resolution SLA: 72 hours. Significant impact with realistic exploitation path. Dedicated engineering resources assigned immediately. Mitigation deployed within 24 hours if a full fix requires longer development. Tracked in daily security standup until resolved.
Resolution SLA: 30 days. Moderate impact or limited exploitation conditions. Scheduled into the current or next sprint. Monitored for escalation if exploit conditions change. Regression tests added to prevent reintroduction.
Resolution SLA: Next release. Minimal impact under realistic conditions. Addressed in the normal development cycle. Tracked to closure. Low severity does not mean ignored — it means scheduled appropriately.
Continuous Vulnerability Discovery — LEAPWare does not rely solely on reactive vulnerability reports. Dependency scanning runs daily. Container images are re-scanned weekly against updated vulnerability databases. Annual third-party penetration testing by an independent security firm covers the full platform surface — API, web application, infrastructure, and social engineering vectors. Findings from penetration tests are tracked with the same CVSS-based SLA system and reported to the board.
Disaster Recovery & Business Continuity
Recovery Point Objective. Maximum one hour of data loss in a catastrophic failure scenario. Achieved through continuous replication of database state to geographically separate regions and point-in-time recovery capabilities with sub-hour granularity.
Recovery Time Objective. Full platform restoration within four hours. Achieved through automated failover to standby infrastructure, infrastructure-as-code enabling rapid reprovisioning, and pre-staged deployment artifacts in secondary regions.
Disaster recovery is not a document — it is a practiced capability. Full DR exercises are conducted quarterly, simulating region failures, database corruption, and infrastructure compromise. Results are documented, deficiencies are tracked to resolution, and recovery procedures are updated based on findings.
Multi-Region Architecture — LEAPWare infrastructure is deployed across multiple geographic regions with automated failover. Primary and secondary regions maintain synchronized state through asynchronous replication with conflict resolution. DNS-based traffic management automatically routes requests away from degraded regions without manual intervention.
Backup Encryption and Isolation — All backups are encrypted with key material separate from production encryption keys. Backup storage is in a different cloud account from production infrastructure, preventing a single account compromise from affecting both live data and backup data. Backup integrity is verified daily through automated restore testing against a verification environment.
Geographic Redundancy — No single geographic event — natural disaster, power grid failure, network partition — can render LEAPWare unavailable. Data sovereignty requirements are respected: tenant data is stored in regions consistent with the customer's contractual and regulatory requirements, and geographic redundancy does not replicate data outside approved jurisdictions without explicit authorization.
Personnel Security
Technical controls are necessary but not sufficient. The most sophisticated infrastructure is vulnerable if the people operating it are compromised, careless, or improperly offboarded. LEAPWare enforces personnel security controls that are structural, not advisory.
Background Checks — All employees and contractors with access to production systems, customer data, or source code undergo background verification before access is provisioned. Access is not granted during the verification period — there are no provisional access exceptions.
Security Awareness Training — Quarterly security training is mandatory for all employees, covering phishing recognition, social engineering resistance, secure development practices, and incident reporting procedures. Training is tracked by completion, not attendance — employees must pass assessments demonstrating comprehension. Training content is updated quarterly to address emerging threat patterns.
Least-Privilege Access — Every employee's access profile is scoped to the minimum required for their role. Production system access is restricted to operations personnel and requires MFA plus just-in-time access requests that are logged and time-bounded. Developers do not have standing access to production databases, customer data, or encryption key material. Elevated access for incident response is granted through a break-glass procedure that triggers immediate alerting and mandatory post-access review.
Multi-Factor Authentication — MFA is required for all employees on all systems — no exceptions for internal tools, development environments, or administrative interfaces. Phishing-resistant MFA (hardware security keys or platform authenticators) is required for production system access. SMS-based MFA is not accepted for any access tier.
Quarterly Access Reviews — Every employee's access across all systems is reviewed quarterly by their manager and the security team. Access that is no longer justified by role requirements is revoked immediately. Access reviews cover production systems, source code repositories, cloud console access, third-party SaaS tools, and administrative interfaces. Review completion is tracked and reported to leadership.
Offboarding Within 4 Hours — When an employee or contractor departs, all access is revoked within 4 hours of notification. This includes SSO sessions, API keys, VPN credentials, cloud console access, repository permissions, and physical access where applicable. Offboarding is triggered automatically by HR system events and verified by the security team. Credentials associated with the departing individual are rotated if they were shared or embedded (which the architecture prevents, but the process accounts for legacy edge cases).
Governance & Compliance
LEAPWare operates under 28 firm-level governance standards covering security, engineering, accessibility, AI ethics, privacy, financial operations, incident response, and more. Every standard exists because a specific operational failure demanded it. Every rule was born from a mistake that was analyzed, root-caused, and structurally prevented.
Multi-factor authentication required for all users. Session management with configurable timeouts. API key rotation on defined schedules. OAuth 2.1 for third-party integrations. No shared credentials. Phishing-resistant MFA for administrative access.
Cedar ABAC policies evaluated on every request. Role-based defaults with attribute-based overrides. Least-privilege by default — every VIRT's access profile is compiled from its charter at instantiation time. Policy changes require review and approval.
Every authorization decision logged — allow and deny. Every knowledge mutation logged with actor, timestamp, and before/after state. Audit logs are append-only and tamper-evident. Retention configurable with a minimum of 90 days. Logs are encrypted at rest and access-controlled.
SOC 2 Type II certification targeted for Q4 2026. Controls are already implemented and operating — the certification timeline reflects audit scheduling, not readiness. Trust service criteria for security, availability, and confidentiality are addressed by existing controls.
Privacy-by-design is structural, not a policy document. Data subject access requests are supported by the knowledge graph's query infrastructure. Right to deletion is implemented through cryptographic erasure — deleting the tenant's encryption key renders all data irrecoverable without touching individual records. Data processing agreements are available for enterprise customers.
ISO 27001 certification is under evaluation for 2027. The information security management system (ISMS) is established and operating. Gap analysis against ISO 27001:2022 controls is complete, with remediation tracked in the governance log.
Annual Third-Party Penetration Testing — An independent security firm conducts annual penetration testing covering the full LEAPWare attack surface: external APIs, web applications, infrastructure, cloud configuration, and social engineering vectors. The engagement scope includes authenticated and unauthenticated testing. Critical and high findings trigger immediate remediation under the vulnerability management SLA. The penetration testing report summary is available to enterprise customers under NDA.
Compliance Roadmap — LEAPWare maintains a public compliance roadmap reflecting certification targets and their status. Current trajectory: SOC 2 Type II (Q4 2026), ISO 27001 (evaluation for 2027), HIPAA (evaluated based on customer demand). Architecture decisions are made with future compliance requirements in mind — it is always cheaper to build compliant than to retrofit compliance.
Incident Response
LEAPWare maintains a governed incident response standard with severity classification, defined escalation procedures, and mandatory post-incident review. The goal is not to prevent all incidents — it is to ensure that every incident is detected quickly, contained decisively, communicated transparently, and permanently prevented from recurring.
Complete platform outage or confirmed data breach. All-hands response. Customer notification within 1 hour. Executive escalation immediate. External communication within 4 hours. Resolution target: hours, not days.
Major feature degradation affecting multiple tenants or security vulnerability under active exploitation. Dedicated incident team assembled within 30 minutes. Customer notification within 4 hours. Status updates every 2 hours until resolution.
Partial service degradation or security concern with no confirmed exploitation. On-call engineer response within 1 hour. Customer notification if impact is visible. Resolution tracked in daily standup.
Minor issue with workaround available. Addressed in normal business hours. No customer notification unless specifically relevant. Tracked to closure in the issue backlog.
Anomaly detected with no confirmed impact. Logged for pattern analysis. Reviewed in weekly security review. May trigger proactive hardening if patterns emerge.
Data Breach Notification — In the event of a confirmed data breach involving customer data, affected customers are notified within 72 hours as required by GDPR and consistent with emerging US state privacy laws. Notification includes a description of the breach, the categories of data affected, the measures taken to address the breach, and recommended actions for the customer. LEAPWare does not delay notification for legal positioning — transparency is the policy.
Post-Incident Review — Every P0 and P1 incident undergoes a mandatory post-incident review within 48 hours of resolution. The review produces a root cause analysis documenting what happened, why it happened, what controls failed, and what structural changes will prevent recurrence. Post-incident reviews are blameless — the goal is systemic improvement, not individual accountability. Action items from reviews are tracked to completion with assigned owners and deadlines. Patterns across incidents are analyzed quarterly to identify systemic weaknesses.
Security Monitoring
Security monitoring at LEAPWare is not a dashboard that someone checks during business hours. It is a continuous, automated system that ingests security-relevant events from every layer of the infrastructure and surfaces actionable alerts in real time.
24/7 Log Monitoring — All security-relevant events — authentication attempts, authorization decisions, configuration changes, network anomalies, and error conditions — are collected into a centralized logging infrastructure. Logs are immutable, encrypted, and retained for a minimum of 90 days. Log analysis runs continuously, not in batch windows.
Anomaly Detection — Behavioral baselines are established for authentication patterns, API usage patterns, knowledge access patterns, and agent activity patterns. Deviations from baseline trigger automated investigation workflows. Anomaly detection covers impossible-travel authentication, unusual data access volumes, privilege escalation attempts, and abnormal egress traffic patterns.
SIEM Integration — Security events are correlated across sources in a Security Information and Event Management system. Correlation rules detect multi-stage attack patterns that would not be visible in any single log stream. Alert fatigue is managed through tuning, deduplication, and severity-based routing — critical alerts page on-call personnel, informational alerts queue for daily review.
Intrusion Detection — Network-level and host-level intrusion detection systems monitor for known attack signatures and anomalous behavior patterns. Detection covers the full kill chain: reconnaissance, initial access, lateral movement, privilege escalation, and data exfiltration. Alerts from intrusion detection systems feed into the SIEM for correlation and are triaged under the incident response process.
Automated Alerting and Response — Critical security events trigger automated responses before human review: suspicious authentication patterns trigger account lockout, anomalous network traffic triggers traffic isolation, and configuration drift triggers automated remediation. Human review follows automated containment — the system buys time for the security team to investigate without allowing the threat to progress.
Responsible Disclosure Program
LEAPWare operates a responsible disclosure program for security researchers who discover vulnerabilities in our systems. We believe that the security community's participation makes our platform stronger, and we are committed to treating researchers with respect, transparency, and fairness.
Scope — The following assets are in scope for responsible disclosure: all *.leapware.ai domains and subdomains, the LEAPWare API surface, LEAPWare web applications, and publicly accessible LEAPWare infrastructure. Out of scope: third-party services hosted on separate infrastructure, social engineering of LEAPWare employees, physical security testing, and denial-of-service testing against production systems.
Severity Tiers — Reported vulnerabilities are triaged using CVSS v3.1 scoring and assigned resolution SLAs consistent with our vulnerability management program: Critical (CVSS 9.0+) resolved within 24 hours, High (CVSS 7.0-8.9) within 72 hours, Medium (CVSS 4.0-6.9) within 30 days, Low (CVSS below 4.0) in the next release cycle.
Response SLAs — We commit to the following timelines for every valid report: acknowledgment of receipt within 24 hours of submission, initial triage and severity assessment within 72 hours, remediation per the CVSS-based SLA described above, and notification to the reporter when the fix is deployed. We will keep reporters informed of progress throughout the remediation process.
Safe Harbor — LEAPWare will not pursue legal action against security researchers who act in good faith, follow responsible disclosure practices, do not access or modify data belonging to other users, do not degrade service availability, and report findings promptly. We consider good-faith security research to be authorized and will not initiate legal proceedings against researchers who comply with this policy.
Recognition — With the researcher's permission, LEAPWare will publicly acknowledge security researchers who report valid vulnerabilities. We maintain a security acknowledgments page recognizing contributions to the security of our platform. We are evaluating a formal bug bounty program — until that program is established, we offer recognition and our gratitude.
If you discover a security vulnerability in any LEAPWare system, please report it to security@leapware.ai. Include a description of the vulnerability, steps to reproduce, potential impact assessment, and any supporting evidence. We commit to acknowledging receipt within 24 hours, providing an initial assessment within 72 hours, and keeping you informed of remediation progress. Encrypt sensitive reports using our PGP key available at leapware.ai/.well-known/security.txt.