Security

1. Security Overview

VueLeaf processes forum mention intelligence for cannabis companies operating in a highly regulated and reputation-sensitive industry. We understand that the data flowing through our platform directly impacts business decisions, competitive positioning, and customer relationships. Security is built into how we design, build, and operate the platform.

This page describes our security practices in plain language. If you have questions or need additional detail for a vendor security review, contact our team at security@vueleaf.com.

2. Infrastructure

VueLeaf runs on managed cloud infrastructure and hosted service providers selected for operational reliability and baseline security controls. Our infrastructure practices include:

• Separated environments. Production, staging, and development environments are operated separately to reduce spillover risk.
• Automated provisioning. Infrastructure changes are managed through repeatable deployment workflows to reduce manual configuration drift.
• Geographic redundancy. Data is replicated across multiple availability zones to maintain service continuity in the event of a localized outage.
• Regular patching. Operating systems, dependencies, and runtime environments are updated on a recurring cadence, with security fixes prioritized by severity.

3. Encryption

In Transit

All connections to VueLeaf are encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints, including the dashboard, API, and webhook callbacks. We do not support unencrypted HTTP connections.

At Rest

Data stored in our databases and managed file systems is protected using cloud-provider encryption controls and key-management services. We do not operate plaintext production storage for customer application data.

Passwords

User passwords are hashed using application-layer password security controls. We never store plaintext passwords, and we do not log or display passwords in any system.

4. Access Controls

We follow the principle of least privilege across our organization:

• Role-based access. Team members are granted access only to the systems and data required for their role.
• Production access. Direct access to production systems is limited to a small number of operators, and operational changes are tracked internally.
• Customer data isolation. Brand-scoped application permissions are used to prevent one customer workspace from viewing another workspace's mention data, keywords, or analytics.
• Access removal. When a team member leaves or responsibilities change, credentials and access are removed through our internal offboarding process.

5. Authentication

VueLeaf supports secure authentication for both the dashboard and API:

• Dashboard. Email and password authentication backed by token-based sessions. Sessions are invalidated on logout.
• API. Authenticated application requests use the same account-based authentication model as the dashboard.
• Passwords. Passwords are never stored in plaintext and are handled through the application authentication stack.

6. Monitoring and Logging

We maintain logging and monitoring across the platform:

• Application logs. Authentication events, operational changes, and application errors are logged with timestamps and context for internal investigation.
• Infrastructure monitoring. Automated monitoring tracks system health, resource utilization, and anomalous behavior. Alerts are routed to the on-call engineering team.
• Operational audit trail. Administrative and operational events are retained internally for investigation and support workflows.
• Log handling. Logs are stored in controlled environments with access limited to authorized operators.

7. Forum Data Handling

Forum monitoring is a core function of VueLeaf and involves unique security and privacy considerations:

• Public content only. Our crawlers access only publicly available forum pages. We do not bypass authentication or intentionally collect content from protected areas.
• No user profiling. We do not build profiles of individual forum users, track their behavior across platforms, or attempt to determine their real-world identities.
• Data minimization. We collect only the data necessary to provide sentiment analysis and mention tracking: post content, username, timestamp, and forum source.
• Forum user requests. Forum users who wish to raise a content-handling concern can contact privacy@vueleaf.com for review.

8. Incident Response

We maintain a documented incident response plan that covers identification, containment, eradication, recovery, and post-incident review. Our commitments include:

• Detection. Automated alerting for anomalous access patterns, failed authentication spikes, and data exfiltration indicators.
• Notification. If a security incident affects customer data, we notify affected customers in line with legal and contractual obligations after confirming scope and impact.
• Post-mortem. Every security incident results in a written post-mortem with root cause analysis and preventive measures. Material incidents are shared with affected customers.

9. Vendor Security

We review third-party vendors before integration and revisit that review as services change. Areas we evaluate include:

Our current service-provider footprint includes cloud hosting, payment processing, email delivery, and error tracking. A full list of subprocessors is available on request.

10. Data Retention and Deletion

We retain data only as long as necessary to provide the service or as required by law:

• Account data. Retained while your account is active and deleted or anonymized within 90 days of account closure.
• Forum mention data. Retention is managed as part of the operating service and support process rather than a self-service dashboard setting.
• Backups. Encrypted backups are retained for a limited recovery window and then permanently deleted on schedule.
• Deletion requests. You can request full data deletion at any time by contacting privacy@vueleaf.com.

11. Compliance and Review Support

VueLeaf can provide additional security detail for customer review, but this page is limited to currently supported product and operational practices:

• Privacy commitments. Data handling expectations are described in our Privacy Policy.
• Vendor review support. Security questions and due-diligence requests can be routed to security@vueleaf.com.
• Contract support. Additional security or processing documentation is handled through direct customer conversations rather than public self-serve downloads.

For vendor security questionnaires, compliance documentation, or data processing agreements, contact security@vueleaf.com.

12. Reporting a Vulnerability

If you discover a security vulnerability in VueLeaf, we want to hear about it. We appreciate responsible disclosure and will work with you to address the issue promptly.

• Email your findings to security@vueleaf.com
• Include a detailed description of the vulnerability and steps to reproduce
• Allow us reasonable time to investigate and resolve the issue before public disclosure
• Do not access, modify, or delete customer data during your research

We will acknowledge your report within 48 hours and provide an initial assessment within 5 business days. We do not pursue legal action against researchers who follow responsible disclosure practices.