Terms of Service

Last updated: May 2, 2026

1. About This Application

Leasify Trust ("the Portal", "the Service") is an internal Information Security Management System (ISMS) portal operated by Leasify AB ("Leasify", "we", "us"). The Portal provides a centralized platform for managing compliance controls, risk assessments, incident response, audit evidence, security policies, secrets management, and related information security activities in alignment with ISO 27001.

The Portal is intended for use by authorized Leasify employees, contractors, auditors, and approved third-party users who have been granted access through the account application process.

2. Purpose

The purpose of the Portal is to:

  • Manage and track security controls mapped to ISO 27001 Annex A
  • Maintain a risk register with impact/likelihood assessments and treatment plans
  • Handle incident management with structured lifecycle tracking (open, investigating, resolved, closed)
  • Store and manage version-controlled security policies, procedures, and standards
  • Provide encrypted secrets vault with envelope encryption using AWS KMS
  • Track compliance activities through a recurring calendar (arshjul)
  • Maintain supplier registers with DPA status and periodic reviews
  • Conduct and record audits with findings linked to controls
  • Provide integration with external monitoring services (Oh Dear for uptime, GitHub for releases)
  • Offer AI-assisted analysis and reusable Q&A knowledge base for security questionnaires

3. Account Access

Access to the Portal is not self-service. All users must apply for access and be approved by an administrator. The approval process includes identity verification. Only identity-verified users may access non-public areas of the Portal.

Certain email domains (e.g., @leasify.se) may be auto-approved for specific roles. All other applicants are subject to manual review.

4. Authentication

The Portal uses one-time password (OTP) authentication exclusively. No passwords are stored. When you sign in, a six-digit code is sent to your registered email address. This code is valid for 10 minutes and may be used only once. A maximum of 5 verification attempts are permitted per code. Rate limiting is applied per email address and IP address to prevent abuse.

5. Data We Collect and Store

In connection with providing the Service, we collect and store the following data:

5.1 User Account Data

  • Full name and email address
  • Company affiliation (if provided)
  • Assigned roles and permissions
  • Identity verification status and method
  • Last login timestamp and IP address

5.2 Authentication Data

  • Hashed OTP tokens (plaintext codes are never stored)
  • OTP request timestamps and expiration
  • IP addresses and user agent strings for authentication events
  • Authentication attempt counts

5.3 Audit Trail Data

  • Activity logs for all significant actions (authentication, data changes, role modifications, vault access, document approvals, incident lifecycle changes, impersonation events)
  • IP address, user agent, route, and role at time of action
  • Old and new values for data changes
  • Timestamps for all logged events

5.4 ISMS Content Data

  • Security controls, risks, and treatment plans
  • Incident reports, actions, and evidence files
  • Policy and procedure documents (versioned)
  • Audit records and findings
  • Supplier information and review records
  • Compliance calendar activities and completion records
  • Evidence files (uploaded documents, checksums, metadata)

5.5 Vault Data

  • Encrypted secrets using AES-256-GCM envelope encryption
  • Encrypted data encryption keys (via AWS KMS)
  • Vault access event logs (view, reveal, copy, export, rotate, revoke)
  • Rotation policy metadata and schedules

Plaintext secrets are never stored in the database or application logs.

5.6 AI-Related Data

  • AI run logs (purpose, input summary, output, model used, token counts)
  • Questions and approved answers for the Q&A knowledge base
  • Vector embeddings for semantic search (generated via OpenAI API)

5.7 Integration Data

  • Uptime snapshots from Oh Dear (daily uptime percentages, downtime durations)
  • Release information from GitHub (tag names, descriptions, authors, timestamps)

6. Third-Party Services

The Portal integrates with the following third-party services to deliver its functionality:

  • AWS KMS — Key management for envelope encryption of vault secrets
  • Resend — Transactional email delivery (OTP codes, notifications)
  • Oh Dear — Uptime monitoring data retrieval
  • GitHub API — Software release tracking
  • OpenAI API — AI text generation and embedding computation for the Q&A knowledge base
  • Laravel Cloud — Application hosting infrastructure
  • PostgreSQL — Primary database (with pgvector extension for embeddings)

7. Data Security

We implement the following security measures to protect your data:

  • All vault secrets are encrypted at rest using AES-256-GCM with AWS KMS-managed keys
  • OTP codes are hashed before storage; plaintext codes are never persisted
  • Step-up re-authentication is required for sensitive vault operations (reveal, copy)
  • Role-based access control enforces least-privilege access to all resources
  • Comprehensive audit logging tracks all significant actions and data access
  • Rate limiting protects authentication endpoints from brute-force attacks
  • Session management with configurable timeouts and secure cookie settings
  • All communication is encrypted in transit via HTTPS/TLS

8. Data Retention

Audit logs and activity records are retained indefinitely to support compliance and forensic requirements. User account data is retained for the duration of the account's active status. Upon account deactivation, data may be retained as required by applicable regulations and internal policies. Vault secrets are retained until explicitly revoked or rotated by authorized users.

9. User Responsibilities

By using the Portal, you agree to:

  • Keep your email account secure, as it is the sole authentication factor
  • Not share OTP codes or attempt to bypass authentication mechanisms
  • Report any suspected security incidents or unauthorized access promptly
  • Use the Portal only for its intended purpose of information security management
  • Not attempt to access data or functionality beyond your assigned role and permissions
  • Comply with all applicable information security policies managed within the Portal

10. Impersonation

Authorized administrators may impersonate other user accounts for support and troubleshooting purposes. All impersonation sessions are logged with full audit trail including the impersonator's identity, the impersonated user, IP address, user agent, and timestamps for both start and end of the session.

11. Modifications

We reserve the right to modify these terms at any time. Continued use of the Portal after changes constitutes acceptance of the updated terms. Material changes will be communicated to active users via the email address associated with their account.

12. Contact

For questions regarding these terms, your data, or the Portal, contact us at [email protected].

Leasify AB, Sweden. All rights reserved.