Privacy Policy

Version 2026-04-26

Effective: 2026-04-26

1. Who we are

We provide a hosted security-testing platform. The data controller is the operator of this deployment (your contracting party); we are the data processor.

2. What we collect

Account data (kept while your account exists, deleted on request):

  • email, display name, hashed password (bcrypt, never reversible)
  • IP address and user-agent of every authenticated request (audit log)
  • two-factor secret (TOTP), if you enable it

Operational data (kept 90 days then purged unless you renew the scan):

  • targets you submit and the verification artifact you placed
  • scan output: phase status, findings, evidence snippets, response captures
  • AI agent transcripts (prompts + tool calls + tool outputs)
  • generated reports (executive PDF, technical PDF, JSON)

Telemetry (aggregated, no PII):

  • counts of scans / findings / API calls per organisation
  • per-mission AI token usage and cost

3. What we don't collect

  • We do not train models on your scan output. The AI agent uses Anthropic's API; the bring-your-own-key option lets you sever even that link.

  • We do not sell or share data with third parties for marketing.
  • We do not deploy third-party tracking scripts on the dashboard.
  • We do not store the plaintext of secrets you upload (Anthropic key, Slack webhook, etc.) — only AES-256-GCM ciphertext + a short hint.

4. Sub-processors

By using the hosted version you accept the following sub-processors:

  • Anthropic (claude.ai) — AI agent inference, only when you trigger an AI mission. Bring-your-own-key lets you bypass this sub-processor.

  • Cloudflare R2 — encrypted artifact storage (PDF reports, JSON exports).
  • Resend — transactional email (scan-complete notifications, alerts).
  • Stripe / NowPayments — payment processing (only if you upgrade beyond trial).

If you self-host, you control all sub-processors directly.

5. Where data lives

  • Hosted (default): EU data residency (Cloudflare R2 EU jurisdiction; primary Postgres in EU; Anthropic processes in the US under their DPA).

  • Self-hosted: you control everything.

6. Your rights (GDPR / CCPA)

  • Access / portability: download a complete export of your data from Settings → Account → "Download my data". Returned as a zip of JSON files.

  • Erasure: delete your account from Settings → Account → "Delete account". Solo-owned organisations (and their entire history, including artifact blobs) are removed immediately.

  • Rectification: edit your name / email from Settings.
  • Objection / restriction: email privacy@ to request a hold.

7. Retention

  • Operational scan data: 90 days from scan completion (matches TOS §3).
  • Audit log: 12 months (compliance need).
  • Account data: until deletion.
  • Aggregated telemetry: indefinite (already de-identified).

8. Security

  • TLS 1.2+ in transit (HSTS preload, no plaintext fallback).
  • Postgres row-level security enforces per-tenant isolation; cross-tenant reads are physically impossible at the database layer.

  • Sandbox containers are network-isolated to your verified target IPs only (egress firewall via iptables) — they cannot accidentally reach unrelated systems.

  • Encryption at rest for secrets (AES-256-GCM with platform-derived key).
  • Daily Postgres backups, 14-day retention.

9. Breach notification

Material breaches are notified by email within 72 hours of confirmation, per GDPR Article 33. We publish an incident page during active incidents.

10. Changes

We notify in-app and by email at least 14 days before changes to this policy take effect.

Contact

privacy@ — substitute the brand domain configured for this deployment.