You're trusting Lapseguard with insurance records and vendor contact details. Here is how that information is protected, in plain terms.
Every request runs over HTTPS, enforced with HSTS so browsers refuse to connect any other way. Your uploaded certificates and vendor data never travel over an unencrypted connection.
Uploaded certificates are stored as private files, not public links. They're served back only to your authenticated admin session, streamed through an access check every time.
The admin app is password-gated, the session cookie stores a one-way hash rather than your password, and sign-in attempts are rate-limited to blunt brute-force guessing.
Data lives in a managed Postgres database and is served from a modern application platform, both operated by established providers with their own physical and network security. Email is sent from a verified, authenticated domain (SPF, DKIM, DMARC).
Uploads are limited by type and size, extraction and submission endpoints are rate-limited per vendor link, and the app is built on a framework that prevents SQL injection and cross-site scripting by construction.
You can export your full vendor and compliance history as CSV whenever you want, and we delete your account data on request. We do not sell it or share it with third parties.
Lapseguard is an early-stage product built by a small team. We follow the practices above, but we are not yet independently audited (for example, SOC 2), and we'll say so plainly rather than imply a certification we don't hold. Lapseguard is a tracking and reminder tool, not a substitute for legal or insurance advice. If security review is part of your buying process, book a call and we'll walk through specifics with you directly.
Ask us directly. We'd rather answer than have you guess.