1. Feature Overview
LeadSquared is ISO 27001:2013 certified and HIPAA compliant. LeadSquared was built to deliver a robust and secure experience. In addition to our process and infrastructure-level safeguards, the LeadSquared application itself has a number of security-related features. This article summarizes the list of available features and describes how you can use them to protect your account.
Note: You can also download a PDF version of our security features.
2. Prerequisites
- All security-related features (except user-level two-factor authentication) must be set up by the LeadSquared administrator user.
- Some features listed in the article are not available on all plans. Please contact us at support@leadsquared.com for more details.
3. User Access
These features let you configure the level of access available to your users.
Feature | Description | Help Documentation |
User Roles | Each LeadSquared user role comes with its own set of restrictions for accessing features and data. Assign roles based on how you want users to access your account. | User Roles and Access Rights |
Sales Groups | By default, sales users can only view their own leads. However, you can give certain sales users (team leads, managers, etc.) special privileges through sales groups. | Managing Lead and Account Access to Sales Users – Sales Groups |
Permission Templates | Permission templates give you granular control over leads, activities and tasks. In addition, they let you control access to features like imports, exports, API, dashboards and reports. | |
IP Whitelisting | You can whitelist the IP addresses that can access LeadSquared. Logins through suspect IPs (Tor/anonymous proxies) will be automatically disabled. | Restrict User Access to LeadSquared using IP Whitelisting |
4. Login and Session Security
These features help secure your account by providing additional security capabilities.
Feature | Description | Help Documentation |
Password Encryption | When enabled, passwords will be encrypted and sent from the browser to the server. Users will not be able to ‘Remember Password’ and the password won’t be stored anywhere in the browser cache. | LeadSquared Login Security Settings |
Enable Dynamic Token for Mobile App | Lets you enable an additional layer of security for communicating between the app and server. | |
Two Factor Authentication | Two-factor authentication can be mandated for all users or configured at the individual user level. | LeadSquared Security Settings – Two Factor Authentication |
Authentication Provider | As an alternative to logging in with your LeadSquared credentials, you can configure your account to enable log-in through the following third-party authentication providers –
| LeadSquared Security Settings – Authentication Provider |
Trusted Device | Users can log into their LeadSquared account without verifying themselves through Two-Factor Authentication (2FA) each time. | Authentication – Trusted Device |
Session Management | Login Expiration Time – When enabled, users will be required to log in again, after the configured time elapses. Session Timeout – When enabled, a user who remains idle for the configured time will be automatically logged out. | LeadSquared Security Settings – Session Management |
Force Logout All Users | You may want to force logout users from your account for a number of possible reasons –
| LeadSquared Security Settings – Login Settings |
Set Password Policy for users | Customize the password policy of your LeadSquared account (e.g., minimum password length allowed, minimum special characters allowed, etc.) to comply with your organization’s policies. | LeadSquared Security Settings – Set password Policy |
5. Landing Page Security
The following security features help secure landing pages you create using LeadSquared –
- Google reCAPTCHA
reCAPTCHA protects your landing pages against malicious software and spam. To learn how to embed them in your landing page forms, see Google reCAPTCHA on Landing Pages.
- Allow submissions from registered domains only
You can restrict the domains on which form submissions will be accepted.
  - First, register the accepted domains.
  - While creating a landing page, on the Actions tab (step 3), select the Any Registered Domain option.
6. Audit Logs
Audit logs provide numerous benefits including better transparency, record integrity and accuracy, and security of sensitive or vital information. A weekly review of audit log reports in LeadSquared will keep you on top of any activity in your account.
- Audit Log Reports
List of reports that help you track changes made to users, leads, automations, etc.
- Request History
Monitor all bulk requests such as import, export and delete, and also the history of support access requests.
7. API Security
- Keep your API keys secret
We use access keys and secret keys (unique for each user) for authentication. These keys give you access to LeadSquared functionality and data, so they should always be kept secret.
- IP Whitelisting
With IP whitelisting, only requests made from specified IPs will be accepted. Whitelist the IPs you’ll be making API calls from. To learn more, see Restrict User Access to LeadSquared using IP Whitelisting.
- Restricting API access through permission templates
For users who don’t need access to the API, we recommend disabling API access through permission templates. To learn more, see How to Create a Permission Template.
- Reviewing API Logs
View your API logs to check for unauthorized access. For details, see API Logs.
8. Data Protection and Privacy
These features were created with GDPR in mind. They enable you to provide transparency to your leads in relation to their data and privacy.
Feature | Description | Help Documentation |
Cookie Consent | As part of the privacy settings, you can allow end-users to control whether or not they would like to enable cookies on your website (where the LeadSquared Tracking Script has been installed). | Data Protection and Privacy Settings |
Email Opt-in | By using the email opt-in setting together with the email opt-in automation action, you can let your leads decide whether or not they want to receive emails from your organization. | |
Personal Data Protection | When enabled, it automatically creates a landing page in your account, that you can publish to existing leads and present them with the following options –
|