Security

Last updated: June 8, 2026

This page summarises how RADAR FORGE (operating LeakRadar) protects the personal data it processes. The measures here are aligned with Article 32 GDPR and described in full in our Technical and Organisational Measures (PDF), which forms Annex 3 of our Data Processing Agreement.

Hosting and data residency

Account and monitoring data central to the service is hosted exclusively within the EU/EEA, on dedicated bare-metal infrastructure operated under contract with Hetzner Online GmbH (Finland) and OVH SAS (France). There is no shared, multi-tenant database. Physical and environmental security is inherited from the providers’ EU/EEA Tier-III/IV data centres.

Encryption

All connections to the service and its API, and all connections between infrastructure components, are encrypted using TLS 1.3.

All production backups are encrypted at rest with AES-256.

Login passwords are stored only as salted cryptographic hashes (bcrypt, cost 12); plaintext passwords are never written to disk and are not retained.

For transparency: the live production database is not subject to full-volume disk-level encryption at rest. We have assessed the residual risk under Article 32 GDPR and apply compensating controls, including EU/EEA-only dedicated hosting, strict network segmentation, least-privilege access, enforced multi-factor authentication, and centralised monitoring.

Access control

Access to personal data is restricted to authorised personnel on a need-to-know basis through role-based access control, with multi-factor authentication enforced on all administrative and infrastructure access (hosting consoles, code repositories, deployment tooling, email, payment and accounting). Access rights are reviewed periodically. RADAR FORGE is a single-operator company; no employees, contractors or interns currently have access to production data.

Network and application security

The production database is not exposed to the public internet and is reachable only from authorised application hosts on a private network. Edge protection (DDoS mitigation, WAF and DNS) is provided by Cloudflare. Production, staging and development environments are logically isolated. Changes reach production through a CI/CD pipeline with a separate staging environment, and dependency and supply-chain advisories are monitored.

Logging and data separation

Centralised logging captures access and application events with alerting on anomalous activity; logs are retained for up to 12 months and then purged. Your account data is kept separate from the public breach index. Search query content is not logged; only operational metadata is retained for billing reconciliation and abuse prevention.

Backups and resilience

Production data is backed up to encrypted off-cluster storage within the EU/EEA (AES-256, twelve-month rolling retention). Restoration is performed on a best-effort basis. Given our present scale and the absence of a 24/7 service level commitment, we do not currently commit to specific Recovery Time or Recovery Point Objectives (RTO/RPO).

Incident response and breach notification

Where we act as your processor, we notify you of any personal data breach affecting your data without undue delay and in any event within twenty-four (24) hours of becoming aware of it, followed by a substantive update with the information required under Article 33(3) GDPR within forty-eight (48) hours.

Responsible disclosure

We welcome reports from security researchers. Our coordinated disclosure contact is published at /.well-known/security.txt; please email contact@leakradar.io. Please do not report low-severity or purely informational findings.

Compliance posture

LeakRadar is GDPR-compliant and EU-hosted. We describe our practices against Article 32 GDPR rather than claiming a formal certification: we do not currently hold a SOC 2 or ISO 27001 certification. Customers can review our technical and organisational measures and request a Data Processing Agreement.