Security at LeaveStream

We take security seriously. Here’s how we protect team data across leave, attendance, holidays, and approvals.

How We Protect Your Data

We protect data in transit using HTTPS. Sensitive secrets stay server-side and are never exposed to the browser.

We run on modern managed infrastructure and keep dependencies updated to reduce risk.

Role-based access control (employee/manager/admin) helps ensure people only see what they’re allowed to.

We minimize data collection and keep audit-friendly records like leave approvals, status changes, and timestamps.

Secure login with server-signed sessions and access controls across organizations.

We monitor for errors and unexpected behavior so issues can be fixed quickly.

Roles and permissions are enforced in the app

We avoid exposing secrets to the client

We’ll communicate incidents clearly

We prioritize fixes and updates

Sessions are signed server-side, and we keep authentication logic on the server so tokens aren’t exposed in local storage.

Admins, managers, and employees have different capabilities (e.g., approving leave, inviting teammates, managing org settings).

Approval actions are recorded and verified on the server. Email approve/reject links use signed, short‑lived tokens.

We retain operational data needed for your organization and provide exports for reporting. Retention controls may vary by plan.

Contact our security team for questions, concerns, or to report vulnerabilities.