Effective date: January 1, 2026 Last updated: May 1 2026
Our Commitment to Your Data
OKRs often contain some of the most sensitive information in your organization: strategic priorities, headcount plans, financial targets, product roadmaps, and the work your team is actually doing every quarter. We treat the data you trust us with the same way we’d want our own data treated.
This page describes the security practices and commitments at Moving Mountains Consulting Ltd. (“OKR Leader,” “we,” “us,” or “our”) for the OKR Leader website (okrleader.com), the OKR Leader software application (the “App”), and related Services. It is a companion to our Privacy Policy and Terms and Conditions.
We will keep this page current as our security posture evolves. Where a practice applies only to the App (which is not yet launched), we say so.
Infrastructure and Hosting
The Website and (when launched) the App are hosted on Amazon Web Services (AWS), one of the most rigorously audited cloud infrastructure providers in the world.
AWS data centers maintain certifications and compliance attestations including SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS, among others. Physical security at AWS facilities includes 24/7 staffing, multi-factor access controls, video surveillance, and intrusion detection systems.
By default, our infrastructure is provisioned in AWS regions located in North America. We will publish the specific region(s) and any cross-region failover details on this page once the App is in production.
Encryption
In transit
All connections to the Website and (when launched) the App are encrypted using HTTPS with TLS 1.2 or higher. We use modern cipher suites and HTTP Strict Transport Security (HSTS) to prevent downgrade attacks.
At rest
When the App is launched, customer data stored in our databases and object storage will be encrypted at rest using industry-standard encryption (AES-256). Database backups will also be encrypted.
Access Controls
We follow the principle of least privilege. Access to production systems and customer data is restricted to a small number of authorized personnel who require it to perform their job functions, and is granted on a need-to-know basis.
When the App is launched, all administrative access to production systems will require:
- Multi-factor authentication (MFA).
- Strong, unique passwords managed through a password manager.
- Logging of all administrative actions.
Access is reviewed periodically and revoked promptly when no longer required.
Authentication (App)
When the App is launched, customer authentication will be supported via:
- Email and password (with strong password requirements and rate-limiting on login attempts).
- Optional multi-factor authentication for end users.
- Single sign-on (SSO) via SAML or OAuth providers (planned for the Enterprise plan).
Passwords are never stored in plain text. We hash passwords using a modern, salted, computationally expensive hashing algorithm (bcrypt, Argon2, or equivalent).
Backups and Disaster Recovery
When the App is launched, customer data will be backed up regularly to encrypted, geographically separated storage. We will publish our backup frequency, retention period, and recovery time objectives on this page once finalized.
We test our backup and restore procedures periodically to verify they work as intended.
Subprocessors
We use a small set of vetted third-party providers to operate the Services. Each subprocessor is selected for its security posture, contractually bound by a data processing agreement (DPA) where applicable, and reviewed periodically.
| Provider | Purpose | Security posture |
|---|---|---|
| Amazon Web Services (AWS) | Website and App hosting | SOC 1/2/3, ISO 27001/27017/27018, PCI DSS, FedRAMP |
| Stripe (when App is launched) | Payment processing | PCI DSS Level 1, SOC 1/2 |
| SwipeOne | Email marketing and newsletter delivery | See SwipeOne security documentation |
| Airtable | Customer relationship management | SOC 2 Type II, ISO 27001, GDPR-compliant |
| Google Analytics | Website analytics | SOC 2/3, ISO 27001/27017/27018, GDPR-compliant configuration |
| TidyCal | Meeting scheduling | See TidyCal security documentation |
Compliance
We design our practices to comply with applicable privacy and data protection laws in the jurisdictions where our users live. This includes:
- PIPEDA (Personal Information Protection and Electronic Documents Act) in Canada.
- GDPR (General Data Protection Regulation) and UK GDPR for users in the EEA, UK, and Switzerland.
- CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act) for users in California.
- CASL (Canadian Anti-Spam Legislation) for marketing communications.
Canada has been recognized by the European Commission as providing an adequate level of data protection for personal data transferred from the EEA to Canadian commercial organizations subject to PIPEDA.
We do not currently hold an independent audit attestation such as SOC 2 or ISO 27001. As the App matures, we will evaluate whether to pursue formal certification, particularly for Enterprise customers who require it. Until then, our security posture is described in this page and supported by the certifications of the underlying infrastructure providers we use.
Vulnerability Management
We monitor our infrastructure and software dependencies for known vulnerabilities. When the App is launched, we will:
- Apply security patches promptly, with critical vulnerabilities addressed on an expedited basis.
- Use automated tooling to scan code dependencies for known vulnerabilities.
- Engage qualified third parties for periodic security review as the App grows.
Incident Response
If we become aware of a security incident that affects your personal information, we will:
- Investigate the incident promptly to determine its scope and impact.
- Take steps to contain the incident and prevent further unauthorized access.
- Notify affected users and applicable regulators as required by law (including PIPEDA’s mandatory breach notification requirements and GDPR’s 72-hour notification window where applicable).
- Provide a clear description of what happened, what data was affected, and what steps we are taking in response.
To report a suspected security issue or vulnerability, please contact us at privacy@okrleader.com. We appreciate responsible disclosure and will work in good faith with researchers to investigate and resolve any issues.
Personnel Security
Everyone with access to production systems or customer data, including employees and contractors, is required to:
- Sign confidentiality and data protection agreements.
- Use strong, unique passwords managed through a password manager.
- Enable multi-factor authentication on all accounts that touch production or customer data.
- Complete reasonable security awareness training appropriate to their role.
When personnel leave, their access to production systems and customer data is revoked promptly.
Customer Responsibilities
Security is a shared responsibility. To help protect your data when using the App (when launched), we ask that you:
- Use a strong, unique password and enable multi-factor authentication.
- Do not share account credentials with others.
- Keep your devices and browsers up to date with the latest security patches.
- Limit administrative access within your account to the people who genuinely need it.
- Notify us promptly at privacy@okrleader.com if you suspect your account has been compromised.
Data Location and International Transfers
Our infrastructure is provisioned primarily in North America via AWS. If you are located outside Canada or the United States, your data will be transferred to and processed in these regions. See our Privacy Policy for details on international data transfers and the safeguards we use.
Data Deletion
You may request deletion of your personal information at any time by emailing privacy@okrleader.com. When the App is launched, you will also be able to delete your account and Customer Content directly through your account settings.
We retain a limited set of records as required by law (for example, billing and tax records). See our Privacy Policy for full retention details.
Updates to This Page
We will update this page as our security practices evolve, particularly as the App is launched and as we add capabilities such as SSO, formal certifications, and additional regions. The “Last updated” date at the top of this page reflects the most recent revision.
Contact and Reporting
For questions about our security practices, or to report a suspected vulnerability or security incident:
Email: privacy@okrleader.com Mailing address: Moving Mountains Consulting Ltd., Attn: Privacy, PO Box 1741, D’Arcy, BC, V0N 1L0, Canada