Security & Trust at The Leadership Circle

At The Leadership Circle, trust is foundational to the work we do with leaders, practitioners, and organizations around the world. We protect the data entrusted to us through strong security practices, ongoing monitoring, and independent assessments designed to support confidentiality, integrity, and transparency.

4 Frameworks

An overview of Leadership Circle's compliance status across common frameworks.

Framework | Status
ISO 27001 | Compliant (ISO/IEC 27001 certified by Aprio)
GDPR | Compliant
CCPA | Compliant
SOC Type II | In progress

80 Controls

Security controls implemented by Leadership Circle, aligned to ISO 27001:2022 Annex A.

8 Access & Identity

Controls governing user access, authentication, and identity lifecycle management to ensure only authorized individuals can access systems and data.

  • Access control
  • Access rights
  • Access to source code
  • Authentication information
  • Identity management
  • Privileged access rights
  • Secure authentication
  • Segregation of duties
6 Asset Management

Controls for identifying, classifying, and managing information assets throughout their lifecycle, including proper handling and return procedures.

  • Acceptable use of information and other associated assets
  • Classification of information
  • Inventory of information and other associated assets
  • Labelling of information
  • Return of assets
  • Storage media
4 Business Continuity

Controls ensuring critical business functions can continue during and after disruptions, including backup, recovery, and redundancy measures.

  • ICT readiness for business continuity
  • Information backup
  • Information security during disruption
  • Redundancy of information processing facilities
5 Compliance & Legal

Controls addressing legal, regulatory, and contractual obligations, including independent security reviews and protection of intellectual property.

  • Compliance with policies, rules and standards for information security
  • Independent review of information security
  • Intellectual property rights
  • Legal, statutory, regulatory and contractual requirements
  • Protection of records
6 Data Protection

Controls safeguarding data confidentiality and integrity through encryption, masking, secure transfer, and deletion practices.

  • Data leakage prevention
  • Data masking
  • Information deletion
  • Information transfer
  • Privacy and protection of PII
  • Use of cryptography
5 Endpoint & Malware Protection

Controls protecting end-user devices and workstations from malware, unauthorized access, and data exposure.

  • Clear desk and clear screen
  • Protection against malware
  • Security of assets off-premises
  • User endpoint devices
  • Web filtering
8 Governance & Policy

Controls establishing the organizational framework for information security, including roles, responsibilities, policies, and external engagement.

  • Contact with authorities
  • Contact with special interest groups
  • Documented operating procedures
  • Information security in project management
  • Information security roles and responsibilities
  • Management responsibilities
  • Policies for information security
  • Threat intelligence
7 Human Resources Security

Controls managing security throughout the employee lifecycle, from hiring through termination, including training and disciplinary processes.

  • Confidentiality or non-disclosure agreements
  • Disciplinary process
  • Information security awareness, education and training
  • Remote working
  • Responsibilities after termination or change of employment
  • Screening
  • Terms and conditions of employment
6 Incident Management

Controls for detecting, reporting, responding to, and learning from security incidents, including evidence collection for investigations.

  • Assessment and decision on information security events
  • Collection of evidence
  • Information security event reporting
  • Information security incident management planning and preparation
  • Learning from information security incidents
  • Response to information security incidents
3 Logging & Monitoring

Controls capturing and analyzing system activities to detect anomalies, support investigations, and maintain audit trails.

  • Clock synchronization
  • Logging
  • Monitoring activities
3 Network Security

Controls protecting network infrastructure through segmentation, secure configurations, and defense-in-depth strategies.

  • Network security
  • Security of network services
  • Segregation of networks
9 Secure Development

Controls embedding security into the software development lifecycle, including secure coding practices, testing, and environment separation.

  • Application security requirements
  • Outsourced development
  • Protection of information systems during audit testing
  • Secure coding
  • Secure development life cycle
  • Secure system architecture and engineering principles
  • Security testing in development and acceptance
  • Separation of development, testing and production environments
  • Test information
6 System Operations

Controls managing day-to-day IT operations, including capacity planning, change management, and vulnerability remediation.

  • Capacity management
  • Change management
  • Configuration management
  • Installation of software on operational systems
  • Management of technical vulnerabilities
  • Use of utility programs
5 Supplier & Third-Party Management

Controls ensuring vendors, suppliers, and cloud providers meet security requirements and are monitored throughout the relationship.

  • Addressing information security within supplier agreements
  • Information security for use of cloud services
  • Information security in supplier relationships
  • Managing information security in the ICT supply chain
  • Monitoring, review and change management of supplier services

26 Policies

Governing policies published and maintained by Leadership Circle.

6 Governance & Risk

Foundational policies establishing the security governance framework, risk management approach, and organizational accountability.

  • Code of Business Conduct
  • Compliance & Regulatory Monitoring
  • Information Security & Privacy Governance
  • Policy Management & Exception Handling
  • Risk Management
  • Sanctions & Disciplinary
3 Access & Authentication

Policies defining requirements for user access provisioning, authentication standards, and secure remote connectivity.

  • Access Control & Least Privilege
  • Authentication & Password
  • Remote Access & BYOD
5 Data Protection & Privacy

Policies governing how data is classified, handled, protected, shared, and disposed of throughout its lifecycle.

  • Data Classification & Handling
  • Encryption & Crypto Controls
  • Information Sharing & Transfer
  • Privacy & Data-Subject Rights
  • Retention & Secure Disposal
3 Human Resources & Training

Policies addressing personnel security, including acceptable behavior, background checks, and ongoing security awareness.

  • Acceptable Use & Workstation Security
  • Background Screening & On/Off-boarding
  • Security & Privacy Awareness Training
6 Operations & Infrastructure

Policies governing IT operations, including system hardening, change management, monitoring, and business continuity.

  • Backup, Business Continuity & Disaster Recovery
  • Change & Release Management
  • Logging, Monitoring & Audit
  • Physical Security & Environmental
  • Secure Configuration & Hardening
  • Vulnerability & Patch Management
3 Development & Third Parties

Policies covering secure software development practices, incident response procedures, and third-party risk management.

  • Incident Response & Breach Notification
  • Secure Software Development Lifecycle
  • Vendor & Third-Party Risk

Third-Party Vendors

Subprocessors

The following third-party services process personal data on our behalf, organized by the user groups they apply to. Updated April 2025.

Project Center users

Applies to anyone accessing our platform (project-center.theleadershipcircle.com).

Vendor | Purpose | Location | Contact
AlphaGraphics | Printing services | Sandy, Utah, United States | contactus@alphagraphics.com
Amazon Web Services | Storage and hosting for Project Center and related services | Seattle, Washington, United States | dataprivacyframework@amazon.com
Auth0 | Cloud identity provider for user authentication | San Francisco, California, United States | privacy@okta.com
Cloudflare | DNS, caching and intrusion prevention options | San Francisco, California, United States | sar@cloudflare.com
HubSpot | Opt-in electronic correspondence | Cambridge, Massachusetts, United States | nknoop@hubspot.com
Mailgun | Account management and electronic correspondence | San Antonio, Texas, United States | privacy@mailgun.com
Twilio | Optional two-factor authentication | San Francisco, California, United States | privacy@twilio.com

People who request support

Applies to anyone who requests support from our Customer Success team.

Vendor | Purpose | Location | Contact
Asana | Task management system | San Francisco, California, United States | privacy@asana.com, dpo@asana.com
Atlassian | Internal service desk | San Francisco, California, United States | privacy@atlassian.com
Auth0 | Cloud identity provider for user authentication | San Francisco, California, United States | privacy@okta.com
Celigo | Systems integration | Redwood City, California, United States | dpo@celigo.com
Cloudflare | DNS, caching and intrusion prevention options | San Francisco, California, United States | sar@cloudflare.com
Druva | Cloud backup solution | Mountain View, California, United States | privacy@druva.com
Hire Horatio | Customer service outsourcing group | New York, New York, United States | jared@hirehoratio.com
HubSpot | Opt-in electronic correspondence | Cambridge, Massachusetts, United States | nknoop@hubspot.com
Microsoft | Profile report storage for presentation to Leader during debrief | Redmond, Washington, United States | privacy@microsoft.com
NetSuite | Financial transactions and accounts, case management | Austin, Texas, United States | privacy_us@oracle.com
SurveyMonkey | Survey gathering platform | San Mateo, California, United States | privacy@surveymonkey.com
WordPress | Online forms for customer enquiries | San Francisco, California, United States | privacy@automattic.com

People for whom we facilitate coaching and/or debriefs

Applies to anyone for whom we manage coaching, debriefing, or internal projects.

Vendor | Purpose | Location | Contact
Asana | Task management system | San Francisco, California, United States | privacy@asana.com, dpo@asana.com
Calendly | Optional meeting scheduling | Buford, Georgia, United States | legal@calendly.com
Celigo | Systems integration | Redwood City, California, United States | dpo@celigo.com
Druva | Cloud backup solution | Mountain View, California, United States | privacy@druva.com
Microsoft | Profile report storage for presentation to Leader during debrief | Redmond, Washington, United States | privacy@microsoft.com
Mural | Online whiteboard | San Francisco, California, United States | privacy@mural.co
NetSuite | Financial transactions and accounts, case management | Austin, Texas, United States | privacy_us@oracle.com
SurveyMonkey | Survey gathering platform | San Mateo, California, United States | privacy@surveymonkey.com
Zoom | Online meetings and analysis | San Jose, California, United States | privacy@zoom.us
WordPress | Online forms for customer enquiries | San Francisco, California, United States | privacy@automattic.com

Certified Practitioners or undergoing certification

Applies to anyone who is certified or anyone who is undergoing, or has undergone, certification.

Vendor | Purpose | Location | Contact
Asana | Task management system | San Francisco, California, United States | privacy@asana.com, dpo@asana.com
Celigo | Systems integration | Redwood City, California, United States | dpo@celigo.com
Druva | Cloud backup solution | Mountain View, California, United States | privacy@druva.com
LearnUpon | Learning management system | Dublin, Ireland | privacy@learnupon.com
Microsoft | Profile report storage for presentation to Leader during debrief | Redmond, Washington, United States | privacy@microsoft.com
Mural | Online whiteboard | San Francisco, California, United States | privacy@mural.co
NetSuite | Financial transactions and accounts, case management | Austin, Texas, United States | privacy_us@oracle.com
Outgrow | Survey gathering platform | New York, New York, United States | questions@outgrow.co
Shopify | Online store | Ottawa, Ontario, Canada | privacy@shopify.com
SurveyMonkey | Survey gathering platform | San Mateo, California, United States | privacy@surveymonkey.com
WordPress | Online forms for customer enquiries | San Francisco, California, United States | privacy@automattic.com
Zoom | Online meetings and analysis | San Jose, California, United States | privacy@zoom.us

People who purchase on our online store

Applies to anyone who has purchased using our online store.

Vendor | Purpose | Location | Contact
Auth0 | Cloud identity provider for user authentication | San Francisco, California, United States | privacy@okta.com
Celigo | Systems integration | Redwood City, California, United States | dpo@celigo.com
Cloudflare | DNS, caching and intrusion prevention options | San Francisco, California, United States | sar@cloudflare.com
Druva | Cloud backup solution | Mountain View, California, United States | privacy@druva.com
HubSpot | Opt-in electronic correspondence | Cambridge, Massachusetts, United States | nknoop@hubspot.com
NetSuite | Financial transactions and accounts, case management | Austin, Texas, United States | privacy_us@oracle.com
Shopify | Online store | Ottawa, Ontario, Canada | privacy@shopify.com

People collaborating with our R&D team

Applies to anyone who has collaborated with our R&D team.

Vendor | Purpose | Location | Contact
Amazon Web Services | Storage and hosting for Project Center and related services | Seattle, Washington, United States | dataprivacyframework@amazon.com
Asana | Task management system | San Francisco, California, United States | privacy@asana.com, dpo@asana.com
BTI | Transcribes interviews and can conduct basic aggregation and analyses | Boston, Massachusetts, United States | privacy@btinsights.ai
Druva | Cloud backup solution | Mountain View, California, United States | privacy@druva.com
Hogan Assessments | Assessments and reports | Tulsa, Oklahoma, United States | privacy@hoganassessments.com
Make | Integration middleware for BRITE | New York, New York, United States | privacy@celonis.com
Microsoft | Profile report storage for presentation to Leader during debrief | Redmond, Washington, United States | privacy@microsoft.com
Mural | Online whiteboard | San Francisco, California, United States | privacy@mural.co
Notion | Form fields for BRITE | San Francisco, California, United States | privacy@makenotion.com
Outgrow | Survey gathering platform | New York, New York, United States | questions@outgrow.co
Shopify | Online store | Ottawa, Ontario, Canada | privacy@shopify.com
SPSS | Data analytics | Armonk, New York, United States | privacy@ibm.com
SurveyMonkey | Survey gathering platform | San Mateo, California, United States | privacy@surveymonkey.com
Tableau | Data analytics | Seattle, Washington, United States | privacy@tableau.com
WordPress | Online forms for customer enquiries | San Francisco, California, United States | privacy@automattic.com
Zoom | Online meetings and analysis | San Jose, California, United States | privacy@zoom.us

Frequently Asked Questions

Common Security Questions

Answers to the questions we hear most from customers and prospects during security reviews.

Do you encrypt data at rest and in transit?

Yes. Leadership Circle encrypts data at rest and in transit using strong cryptographic controls. Restricted and confidential data is protected with AES-256 encryption, and all sensitive transmissions use secure protocols including TLS 1.3 and HTTPS. Encryption is applied across files, databases, and communications, with key management procedures in place to safeguard cryptographic keys.

Where is customer data hosted?

Customer data is primarily hosted on Amazon Web Services (AWS) in the EU-West region (Dublin, Ireland). For disaster recovery and resilience, continuous backups are maintained in the AWS US-East-2 (Ohio) region.

What is your incident response process?

Leadership Circle maintains a documented incident response process covering identification, escalation, investigation, containment, eradication, recovery, and post-incident review. Incidents are classified by severity, with defined responsibilities across IT, Engineering, Legal, and Communications. The process includes notification procedures for affected parties and regulatory authorities when applicable.

Do you perform regular security testing?

Yes. Leadership Circle conducts regular vulnerability scans, internal security reviews, and annual independent penetration testing by external providers. Security controls are further evaluated through bi-annual internal audits and periodic compliance reviews. Findings are tracked and remediated through documented procedures.

How do you handle data deletion requests?

Leadership Circle fully supports data subject rights under GDPR, including the right to erasure (Article 17). When we receive a deletion request, we acknowledge it within 72 hours and fulfill it within 30 days, in line with GDPR’s required response timelines.

Do employees complete security training?

Yes. All personnel complete security awareness training within 30 days of hire and annually thereafter, covering social engineering, phishing, data protection, and incident reporting. Employees in sensitive roles receive additional training, and phishing simulations are conducted to reinforce awareness.

What is your business continuity and disaster recovery approach?

Leadership Circle maintains documented business continuity and disaster recovery plans for critical services and operations. These plans are reviewed and tested at least annually and include defined RTO and RPO targets by incident severity.

Have questions about our security posture?

Our security team is available to discuss our practices, provide documentation, and support your vendor review process. We’re committed to transparency and to helping you make informed decisions about working with The Leadership Circle.

Need something specific?

If you’re completing a security questionnaire or vendor assessment, reach out directly and we’ll fast-track your request.

security@leadershipcircle.com