Security Questions
At rest: All stored data is encrypted using AES-256, the industry standard for data encryption. This includes your documents in S3, data in our PostgreSQL databases, and email content in MongoDB.
In transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher. We enforce HTTPS on all connections and implement HSTS headers to prevent downgrade attacks.
Key management: Encryption keys are managed through AWS KMS with strict rotation policies. Keys are never stored alongside the data they protect.
Your data is stored in Amazon Web Services (AWS) data centers in the United States:
- Primary region: us-east-1 (N. Virginia)
- Disaster recovery: us-west-1 (N. California)
We do not currently offer data residency in other regions.
Within your organization: Access is controlled by your organization's admin. Role-based permissions determine what each user can see.
Within Lev: Our team may access customer data only as needed for support and to maintain the Service. Access is tightly controlled and logged.
Third parties: Data is shared with subprocessors (AWS, OpenAI, etc.) as necessary to provide the service. See our Subprocessors page for the complete list.
We have a documented Incident Response Plan. If a security incident affects your data:
- We will notify you without unreasonable delay after confirming the incident (and we aim to do so within 24 hours in most cases)
- Notification will be sent via email to your account contacts
- We will provide details about what data was affected
- We will explain what we're doing to address it
We have $5M in cyber insurance coverage (per incident) and have had no significant security incidents in the company's history.
Yes, we are SOC 2 Type II certified. This means an independent auditor has verified that our security controls work effectively over time (not just at a single point in time). Our audit covers Security, Availability, and Confidentiality.
You can access our SOC 2 report by signing in.
Quarterly. Every three months, an independent security firm (Penti) performs comprehensive penetration testing of our infrastructure, web applications, APIs, and authentication systems.
Most recent results: 0 critical, 0 high severity findings.
Executive summaries are available to customers upon request.
AI Questions
No. Your data is not used to train or fine-tune AI models. We use API endpoints from OpenAI, Anthropic, and Google that explicitly exclude customer data from training.
When your document is processed by AI, it's analyzed and the results are returned—the content doesn't become part of the model's training data.
Yes. For quality assurance and debugging purposes, we maintain internal logs of AI interactions (prompts and responses). These logs are:
- Stored in our secure infrastructure
- Protected with the same controls as all customer data
- Used only for operational purposes
- Not shared externally
No. AI is integral to how Lev works. The features that make Lev valuable—automatic document extraction, intelligent email tracking, deal analytics—are powered by AI processing.
If you have specific concerns about AI processing certain types of data, contact us to discuss your requirements.
Sent: Document content, email text, names (when needed for context), your questions to Lev AI.
Never sent: Account credentials, other customers' data, payment information, full contact lists.
See AI & Data Handling for complete details.
Privacy Questions
Email trust@lev.com with your request. Include your account email and what you'd like deleted (entire account, specific data, etc.). We process deletion requests within 30 days.
When data is deleted:
- It's removed from active systems immediately
- Cached copies expire within 24 hours
- Backup copies are removed when backups rotate (30 days)
Yes. Contact trust@lev.com to request a data export. We'll respond within 14 days and provide your data in a standard format.
Note: Self-serve export is not currently available in the platform.
No. We do not sell personal information to third parties.
Lev provides market intelligence features that use aggregated, anonymized data:
- Lender profiles are updated with general feedback from interactions
- Market comps use redacted terms without identifying information
- Pulse items share general lender behavior patterns
Your specific deal details, identity, and terms are protected. This is covered in our Terms and Conditions.
Compliance Questions
GDPR applies to EU residents and companies processing EU data. We do not currently have EU customers or process EU personal data, so GDPR requirements are not directly applicable to our operations.
If your organization has EU data protection requirements, contact us to discuss.
Not currently. We are SOC 2 Type II certified, which covers similar security controls. ISO 27001 may be pursued in the future based on customer requirements.