Security & Trust
For a cybersecurity company, trust is non-negotiable. Here's how we protect your data and our infrastructure.
Data Protection
All scan data is encrypted in transit with TLS 1.3 and at rest with AES-256.
Default data retention is 30 days. Scan results and findings are automatically purged after the retention window. You can request immediate deletion at any time by contacting us.
We never share your data with third parties. Scan results are only accessible to authenticated users who initiated the scan.
Infrastructure Security
All traffic routes through Cloudflare, providing DDoS protection, web application firewall (WAF), and DNSSEC validation before reaching our infrastructure.
Our backend runs in isolated Docker containers with no published ports — all ingress flows through encrypted Cloudflare Tunnels. Database and cache services run on internal-only networks with no internet access.
Every container runs with cap_drop ALL (no Linux capabilities), no-new-privileges, and enforced resource limits. Health checks run on all services.
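The container controls listed above, expressed as a Compose file. This is an added illustration, not ArkenSec's own configuration; the service layout, image names, resource figures and the /healthz path are assumptions made for the example.

```yaml
# Added illustration (not the vendor's own file): image names, the service
# layout, resource figures and the /healthz path are assumptions.
services:
  api:
    image: example/api:latest            # placeholder application image
    # No "ports:" key, so nothing is published on the host. The only way
    # in is the cloudflared connector below, which dials out to Cloudflare.
    cap_drop: [ALL]                      # drop every Linux capability
    security_opt:
      - no-new-privileges:true           # setuid binaries cannot regain them
    read_only: true                      # immutable root filesystem
    tmpfs: [/tmp]
    deploy:
      resources:
        limits: {cpus: "1.0", memory: 512M}   # enforced CPU/memory ceiling
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8080/healthz"]
      interval: 30s
      timeout: 5s
      retries: 3
    networks: [backend, egress]          # egress: the scanner needs outbound access

  db:
    image: postgres:16
    user: postgres                       # entrypoint never needs setuid, so ALL can go
    cap_drop: [ALL]
    security_opt: [no-new-privileges:true]
    deploy:
      resources:
        limits: {cpus: "2.0", memory: 1G}
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks: [backend]                  # internal only: no route to the internet

  tunnel:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run
    environment:
      TUNNEL_TOKEN: ${TUNNEL_TOKEN}      # injected from a secret store, never committed
    cap_drop: [ALL]
    security_opt: [no-new-privileges:true]
    networks: [backend, egress]          # reaches Cloudflare outbound, proxies to api inbound

networks:
  backend:
    internal: true                       # Docker refuses outbound traffic from this network
  egress: {}                             # ordinary bridge network with internet access
```

Verify the result with `docker inspect` on a running container: `CapDrop` should list `ALL`, `SecurityOpt` should contain `no-new-privileges`, and `NetworkSettings.Ports` for the api and db services should be empty.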
Access Controls
Authentication uses industry-standard JWT tokens with bcrypt(12) password hashing. Session tokens are cryptographically signed and verified on every request.
Pro tier scan data is isolated per user — domain ownership is verified via DNS TXT records before any scan is initiated. Cross-user data access is architecturally impossible.
Administrative access follows the principle of least privilege. No employee has standing access to customer scan data.
Incident Response
We monitor all infrastructure with automated health checks, uptime monitoring, and alerting. Anomalous behavior triggers immediate investigation.
In the event of a security incident affecting customer data, we commit to notifying affected users within 72 hours with a detailed incident report and remediation steps.
Our incident response process includes containment, evidence preservation, root cause analysis, remediation, and post-incident review.
Responsible Disclosure Policy
We welcome responsible security research on our platform. If you discover a vulnerability, we want to hear about it.
In Scope
- ✓ *.arkensec.com web properties
- ✓ ArkenSec API endpoints
- ✓ Authentication and authorization
- ✓ Data exposure vulnerabilities
Out of Scope
- ✕ Social engineering or phishing
- ✕ Denial of service attacks
- ✕ Third-party services and integrations
- ✕ Automated scanning without coordination
Report to
[email protected]
Response SLA
Acknowledge within 48 hours
Triage within 5 business days of acknowledgment
Safe harbor: We will not pursue legal action against researchers who report vulnerabilities in good faith, follow this policy, and do not access or modify other users' data.
Pursuing SOC 2 Type II
Transparency is more credible than silence. Here's where we are.
Estimated completion: Q3 2026
Questions About Our Security?
We're happy to discuss our security practices in detail, or you can explore our features and methodology.