Privacy Policy
Plain English Summary: LeapScan runs entirely in your own environment — all scan data stays on your infrastructure. We only collect contact information needed to deliver your license. We never store your AWS or M365 scan data.
1. Who We Are
LeapScan is an AWS security auditing service operated by Leaptrix Solutions, a technology consulting firm. Our registered point of contact is support@leaptrix.com.
When we reference "LeapScan," "we," "our," or "us," we mean Leaptrix Solutions and any contracted personnel involved in delivering the AWS audit service.
2. What Data We Collect & Why
| Data Type | What It Is | Why We Collect It | Legal Basis |
|---|---|---|---|
| Contact Email | Your work email address | To deliver your audit report and communicate findings | Contract performance |
| AWS Account ID | Your 12-digit AWS account identifier | To assume the read-only cross-account role and run audit checks | Contract performance |
| Audit Findings | Configuration metadata (not actual data) — e.g. "S3 bucket X has public access enabled" | To compile and deliver your security report | Contract performance |
| Form Submission Data | Data submitted through our web form (relayed via Formspree) | To initiate and scope your audit engagement | Consent / Contract |
We do NOT collect:
- Your AWS root credentials or any IAM access keys
- The actual content of your S3 buckets, databases, or application data
- Personally Identifiable Information (PII) of your customers or users
- Payment card data (we use no on-site payment processing)
3. AWS Access Model & Permissions
We access your AWS environment exclusively through a cross-account IAM role that you create using our CloudFormation template. This role:
- Grants read-only permissions only (equivalent to AWS SecurityAudit managed policy)
- Is exclusively trusted by our consultant AWS account ID
154770582167— no other account can assume it - Cannot create, modify, or delete any AWS resource in your account
- Cannot access the content of your databases, S3 objects, or application code
- You can delete the CloudFormation stack at any time to immediately revoke all access, in under 60 seconds
You can independently verify the exact permissions granted by reviewing our open-source CloudFormation template at: github.com/manju4k/leapscan-role-template
3a. License Validation
License validation sends only your license ID and machine fingerprint to leapscan.io — no scan data, AWS credentials, or M365 tokens are transmitted. This is solely used to verify your license entitlement.
4. Data Retention & Deletion
Self-Hosted Model: All data remains in your environment. LeapScan does not store your scan data. License validation sends only your license ID and machine fingerprint to leapscan.io — no scan data is transmitted.
| Data | Retention Period | How to Request Early Deletion |
|---|---|---|
| License request form data (Formspree) | 30 days from submission | Email us at support@leaptrix.com |
| Audit findings & report artefacts | All data remains in your environment. LeapScan does not store your scan data. | N/A — data is stored on your infrastructure only |
| License validation data | License ID and machine fingerprint only — retained for license management | Email us at support@leaptrix.com |
All deletion requests are honoured within 72 business hours. We will confirm deletion in writing by email.
5. Subprocessors
We use the following third-party services to deliver the LeapScan service:
| Subprocessor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Formspree | Form-to-email relay (license request contact form only — no scan data) | United States | formspree.io/legal/privacy-policy |
| Google Fonts | Web font delivery (no personal data processed) | United States | policies.google.com/privacy |
6. Data Sharing & Disclosure
We do not sell, rent, or trade your data. We will only share your information:
- With the subprocessors listed in Section 5, strictly for service delivery
- If required by applicable law, court order, or regulatory authority
- In the event of a merger or acquisition (you will be notified 30 days in advance)
7. Your Rights (GDPR / CCPA)
Depending on your jurisdiction, you may have the right to:
- Access — Request a copy of all data we hold about you
- Rectification — Correct inaccurate data
- Erasure ("Right to be Forgotten") — Request deletion of all your data
- Portability — Receive your data in a structured, machine-readable format
- Object — Object to processing based on legitimate interests
- Withdraw Consent — Withdraw consent at any time where processing is based on consent
To exercise any right, contact us at support@leaptrix.com. We will respond within 30 calendar days.
8. Security
We implement industry-standard security practices in our own operations, including:
- AWS IAM least-privilege access for our consultant account
- No permanent storage of client account credentials or metadata
- Encrypted communication (HTTPS/TLS) for all data in transit
- Audit findings transmitted only to the verified email address provided at intake
Ironically, we subject our own AWS infrastructure to the same LeapScan audit on a monthly basis.
9. Cookies & Tracking
Our website does not use tracking cookies, advertising pixels, or analytics beacons. We do not use Google Analytics or any third-party tracking script. The only external resources loaded are Google Fonts (typography) and Font Awesome (icons), neither of which track individual users.
10. Changes to This Policy
We may update this Privacy Policy as our service evolves. Material changes will be communicated by email to active clients at least 14 days before taking effect. The "Last Updated" date at the top of this page will always reflect the most recent revision.
11. Contact & Complaints
For any privacy concern or data request, contact our Data Controller at:
Leaptrix Solutions
Email: support@leaptrix.com
Response time: Within 72 business hours for urgent requests, 30 calendar days for formal GDPR requests.