PenScanner: authorized · non-destructive · audited

How we keep your data safe

PenScanner runs security scans against customer infrastructure, so we hold ourselves to the bar we expect of the targets we test.

Authorization is non-negotiable

Every registered asset requires a signed authorization-of-record before any scan can run. Scans re-verify scope, rate limits, and tenant-wide emergency stop at every adapter boundary, not just at submission time. An admin can engage emergency stop from settings; in-flight scans abort at the next safe checkpoint.

Safe adapters only

The scanner is restricted to a fixed allow-list of non-destructive adapters: DNS lookups, HTTP availability, TLS certificate inspection, response-header analysis, robots.txt / sitemap reading, OWASP ZAP baseline (passive), and Nuclei restricted to non-destructive tags. No payloads, no exploitation, no credential-stuffing.

Authentication & access control

  • BCrypt password hashing with per-user salt.
  • JWT bearer tokens with configurable TTL.
  • RFC 6238 TOTP two-factor authentication, with a QR-code-friendly setup flow.
  • Google SSO (OAuth 2.0 Authorization Code) with optional hosted-domain restriction.
  • Three role tiers (Admin / User / Auditor) plus a separate cross-tenant operator role for our staff.
  • Plan-enforced team-seat caps prevent over-invitation.
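The TOTP item above names RFC 6238 but not what a correct verifier has to do beyond generating a code. The following is an added example written for this page (not PenScanner's own code): a complete RFC 4226 / RFC 6238 implementation with a verifier that tolerates one step of clock drift, compares in constant time, refuses replay of an already-redeemed counter, and emits the otpauth:// URI a QR-code setup flow encodes. The function names, the `last_counter` column it assumes on the user record, and the issuer label are assumptions for the example; the secret shown is the RFC 6238 test secret, not a real key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


# RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation
# of 31 bits at the offset given by the last nibble, then modulo 10^digits.
def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6, algo=hashlib.sha1):
    """Return the counter the code matched, or None if it is not acceptable.

    window=1 accepts the previous, current and next step (clock drift).
    last_counter is the highest counter this user has already redeemed
    (hypothetical column on the user record); anything at or below it is
    refused, so a code captured during the window cannot be replayed.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    base = at // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_counter:
            continue  # single-use: this counter was consumed already
        if hmac.compare_digest(hotp(secret, counter, digits, algo), code):
            return counter
    return None


# otpauth:// URI that authenticator apps read from the setup QR code.
# The secret is Base32 without padding, which is what the apps expect.
def provisioning_uri(secret: bytes, account: str, issuer: str = "PenScanner") -> str:
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test vector secret, not a real key
    print(provisioning_uri(secret, "alice@example.com"))
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code)
    print("matched counter:", verify_totp(secret, code, now))
```

After a successful login the caller stores the returned counter as the user's new `last_counter`; a second submission of the same code then returns None even though the code is still inside the drift window.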

Defense in depth

  • HMAC-SHA256 signed webhooks so receivers can verify origin.
  • Stripe webhook signature verification (we verify every event before processing).
  • Idempotent webhook handling — duplicate Stripe deliveries are dropped via a stored event-id table.
  • SSRF guards on outbound tenant-controlled URLs (Jira integration rejects loopback, RFC1918, link-local, and cloud-metadata addresses).
  • HtmlEncoded output everywhere user-supplied data lands in a rendered document.
  • CSP-injection-safe watermarks on shared reports — input is stripped of backslashes and control characters before being put into a CSS string.
  • Atomic credit deduction via row-locked UPDATE so concurrent over-quota scans can't drive the balance negative.
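The SSRF item above lists the address classes an outbound Jira URL must not reach. As an added illustration (not PenScanner's own guard), here is a validator that checks the scheme, rejects embedded credentials, resolves the hostname and vets every returned address, including IPv4-mapped IPv6 and decimal-IP forms that only the resolver turns into a literal address, and returns the vetted IPs so the caller can connect to them directly instead of resolving a second time. The block lists, the hostnames, the `fake_resolver` stand-in for `socket.getaddrinfo` and the DNS table are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Address ranges an outbound integration call must never reach. The set is an
# assumption for this example; 169.254.0.0/16 covers the 169.254.169.254
# cloud-metadata endpoint as well as ordinary link-local traffic.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
# Metadata hostnames some clouds serve without a link-local IP (assumed list).
BLOCKED_HOSTS = {"metadata.google.internal", "metadata"}


class UnsafeUrl(ValueError):
    pass


def _blocked(ip) -> bool:
    # ::ffff:10.0.0.5 is IPv4-mapped; judge it as 10.0.0.5.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_multicast or ip.is_reserved or any(ip in net for net in BLOCKED_NETWORKS)


def resolve_outbound_url(url: str, resolver=socket.getaddrinfo) -> list:
    """Validate a tenant-supplied URL and return the vetted IPs to connect to.

    Every resolved address is checked, not just the first, so a name that
    answers with one public and one private address is rejected. The caller
    should connect to a returned IP (pinning) rather than re-resolving, so the
    DNS answer cannot change between this check and the connection.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise UnsafeUrl(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise UnsafeUrl("no host in URL")
    if parsed.username is not None or parsed.password is not None:
        raise UnsafeUrl("credentials in URL")
    try:
        port = parsed.port or 443
    except ValueError as exc:
        raise UnsafeUrl("invalid port") from exc
    if host.lower().rstrip(".") in BLOCKED_HOSTS:
        raise UnsafeUrl(f"blocked host {host!r}")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        try:
            infos = resolver(host, port, type=socket.SOCK_STREAM)
        except socket.gaierror as exc:
            raise UnsafeUrl(f"cannot resolve {host!r}") from exc
        addrs = sorted({ipaddress.ip_address(info[4][0]) for info in infos}, key=str)
    for ip in addrs:
        if _blocked(ip):
            raise UnsafeUrl(f"{host!r} resolves to disallowed address {ip}")
    return [str(ip) for ip in addrs]


def is_safe_url(url: str, resolver=socket.getaddrinfo) -> bool:
    try:
        resolve_outbound_url(url, resolver)
        return True
    except UnsafeUrl:
        return False


def fake_resolver(table):
    """Offline stand-in for socket.getaddrinfo, keyed by hostname (constructed)."""
    def resolve(host, port, *args, **kwargs):
        if host not in table:
            raise socket.gaierror(f"no such host {host}")
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in table[host]]
    return resolve


# Constructed DNS table: a legitimate host, one pointing inside the network,
# and one that answers with both (the rebinding-style case).
DEMO_DNS = fake_resolver({
    "jira.example.com": ["203.0.113.10"],
    "internal.example.com": ["10.1.2.3"],
    "flip.example.com": ["203.0.113.10", "10.1.2.3"],
})

if __name__ == "__main__":
    for url in ("https://jira.example.com/rest/api/2/issue",
                "http://127.0.0.1:8080/admin",
                "http://169.254.169.254/latest/meta-data/",
                "http://[::ffff:10.0.0.5]/",
                "https://flip.example.com/"):
        print(f"{url:45} {'allowed' if is_safe_url(url, DEMO_DNS) else 'blocked'}")
```

With the real `socket.getaddrinfo`, a URL like `http://2130706433/` is not a literal address to `ipaddress`, but the resolver turns it into 127.0.0.1 and the same check blocks it; that is why the guard judges resolver output rather than the hostname string. Redirects need the same treatment: an HTTP client that follows a 3xx to a new host must run the new location through this validator again.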
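The last item above, atomic credit deduction, is easiest to appreciate next to the check-then-act version it replaces. The following added example (not PenScanner's code; the `credits` table, tenant name and function names are constructed for the demo) replays both against an in-memory SQLite ledger. The naive version is split into its read and write halves so two submissions can be interleaved deterministically without threads; the safe version puts the balance check and the deduction into one conditional UPDATE, so the database evaluates both under the same row lock and `rowcount` says which request won. The single-statement form is used here as the portable equivalent of a row-locked UPDATE (in PostgreSQL the UPDATE takes the row lock itself, or it can follow a `SELECT ... FOR UPDATE`).

```python
import sqlite3


# In-memory ledger with one tenant row (constructed demo data). Autocommit mode
# so each statement is its own transaction, as two concurrent requests would be.
def new_ledger(tenant: str = "acme", balance: int = 1) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE credits (tenant_id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO credits (tenant_id, balance) VALUES (?, ?)", (tenant, balance))
    return conn


def balance_of(conn: sqlite3.Connection, tenant: str = "acme") -> int:
    return conn.execute("SELECT balance FROM credits WHERE tenant_id = ?", (tenant,)).fetchone()[0]


# Check-then-act, split into its two halves so the race can be replayed.
def naive_has_credit(conn, tenant: str, cost: int) -> bool:
    return balance_of(conn, tenant) >= cost


def naive_charge(conn, tenant: str, cost: int) -> None:
    conn.execute("UPDATE credits SET balance = balance - ? WHERE tenant_id = ?", (cost, tenant))


# Check and deduction in one statement: the predicate and the write are
# evaluated under the same row lock, and rowcount reports whether this
# request won the credit.
def atomic_deduct(conn, tenant: str, cost: int) -> bool:
    cur = conn.execute(
        "UPDATE credits SET balance = balance - ? WHERE tenant_id = ? AND balance >= ?",
        (cost, tenant, cost),
    )
    return cur.rowcount == 1


def replay_naive_race(balance: int = 1, cost: int = 1) -> int:
    """Two scan submissions interleave: both read the balance before either writes."""
    conn = new_ledger("acme", balance)
    first_ok = naive_has_credit(conn, "acme", cost)
    second_ok = naive_has_credit(conn, "acme", cost)  # still sees the full balance
    if first_ok:
        naive_charge(conn, "acme", cost)
    if second_ok:
        naive_charge(conn, "acme", cost)
    return balance_of(conn, "acme")  # negative: both submissions were charged


def replay_atomic_race(balance: int = 1, cost: int = 1):
    """The same two submissions with the conditional UPDATE: at most one wins."""
    conn = new_ledger("acme", balance)
    outcomes = [atomic_deduct(conn, "acme", cost) for _ in range(2)]
    return balance_of(conn, "acme"), outcomes


if __name__ == "__main__":
    print("naive balance after race:", replay_naive_race())
    print("atomic balance and outcomes:", replay_atomic_race())
```

A request whose `atomic_deduct` returns False is the over-quota scan the bullet refers to; it is rejected before submission rather than repaired afterwards, and the balance can never be observed below zero.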

Audit logging

Every action that mutates state — asset approval, scan submission, emergency stop, plan upgrade, credit grant, operator override — writes an immutable row to the audit log with actor, target, and detail. The log is exportable as CSV from the audit page; admins can search or filter it directly.

GDPR and data retention

  • Right to data portability (Art. 20): one-click JSON export of every record we hold for your tenant.
  • Right to erasure (Art. 17): scheduled tenant deletion with a 14-day grace period, during which the tenant is read-only and emergency stop is engaged automatically. The deletion can be cancelled at any point in the grace period.
  • Retention windows are plan-driven: 30 / 180 / 730 days. Beyond retention, scan history is automatically purged.

Operational transparency

  • Public /status page with subsystem health and queue depth.
  • Status page polls every 15 seconds; an external uptime monitor can hit the same endpoint.
  • Cross-tenant operator metrics expose scan failures, blocked scans, and review-order backlog so we can act on issues before customers see them.

What we don't do (yet)

We hold ourselves to publishing what's not in scope so you aren't surprised:

  • SOC 2 Type II audit — in progress.
  • SCIM / SAML SSO — Google OAuth is supported today.
  • Bring-your-own-key (BYOK) at-rest encryption — talk to us if you need this.

Found something concerning? Email security@penscanner.io — we run a private disclosure process and respond within one business day.