Statement of Compliance with GDPR and Data Protection Standards

To: Whom It May Concern

Date: 01 Feb 2026

1. Commitment to Data Privacy & GDPR

Leading2Lean (L2L) is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable global privacy laws. We maintain rigorous technical and organizational measures to ensure the security, confidentiality, and integrity of the data we process on behalf of our customers.


2. Data Residency & Hosting

We utilize Amazon Web Services (AWS) as our primary infrastructure provider. To support data sovereignty requirements, we offer regionalized data storage options:

  • EU Customers: Data is hosted exclusively within the EU (AWS Regions: eu-central-1 / eu-west-1).

  • US Customers: Data is hosted within the US (AWS Regions: us-west-1, us-east-1, us-east-2).

  • Government/Federal Customers: Data is hosted in AWS GovCloud environments.


3. Nature of Data Processing (PII)

In the context of our services, Leading2Lean (L2L) acts as a Data Processor.

  • Processing Scope: Our processing of Personally Identifiable Information (PII) is strictly limited to storage for the purpose of service delivery. We do not use customer PII for independent profiling or data mining.

  • Data Types: PII is generally limited to business contact information (Name, Work Email, Phone Number).

  • Authentication: Sensitive login credentials are not stored directly; account access is delegated to secure OAuth/SSO providers.

 

4. Security Measures (Technical & Organizational)
We employ industry-standard security controls to protect data, including:
  • Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256.
  • Access Control: Access to production environments is restricted to authorized personnel based on the principle of least privilege.
  • Vendor Security: Our hosting provider (AWS) maintains ISO 27001, SOC 2 Type II, and FedRAMP certifications.
 
5. Sub-processors
We maintain a transparent list of authorized sub-processors (vendors) that assist in delivering our services (including Amazon, Google, Microsoft, Hubspot, and Zendesk).
  • We enter into Data Processing Agreements (DPAs) with all sub-processors to ensure they meet equivalent security and privacy standards.
  • An up-to-date list of our sub-processors is publicly available at our Trust Center.
 
6. Data Retention & Subject Rights
  • Retention: Customer data retention is configurable based on customer requirements and contractual terms.
  • Right to Erasure: Upon request or contract termination, we support the deletion of PII, except where retention is required for critical audit trails or legal compliance.
 
7. Data Transfers
For transfers of personal data outside the European Economic Area (EEA), we rely on robust legal mechanisms, including Standard Contractual Clauses (SCCs), to ensure appropriate safeguards are in place.
 
Sincerely,
Phil Richards
VP, IT and Security, L2L
phil.richards@leading2lean.com

 

Reviewed and Updated: February 5th, 2026