Security & Trust

How we handle data, scope scanning, and run the service — written to pre-answer your vendor questionnaire.

We sell to security and fraud teams who run vendor reviews before they ever take a call. This page documents how we handle data and run the service so your review can start now, in parallel with any conversation. It reflects our current practices as an early-stage company and will expand as we formalize.

Scanning scope

Our detection is passive: we inspect public certificate-transparency logs, DNS, and domain registrations. We do not scan, probe, or send traffic to your systems to produce findings. Active scanning runs only against assets you have explicitly attested you own — and only at your direction. This boundary is a core design principle, not a setting.

What data we process

  • Brand identifiers you provide — your domains, brand names, and keywords to monitor.
  • Public threat signals — certificate, DNS, and registration data about candidate lookalike domains, which is already public.
  • Account and contact data — the people on your account and routine product/usage logs.

We don't need, and don't ask for, access to your internal systems, source code, or customer data to do detection.

Where data lives and how it's handled

  • Application data is stored with reputable cloud providers; data in transit is encrypted with TLS, and the marketing site is served over HTTPS with HSTS and a strict Content Security Policy (CSP).
  • Evidence artifacts (screenshots, DOM, certificates) for a finding are stored per-account and tied to that finding.
  • Secrets and API keys are never committed to source control; they live in managed environment configuration.

Sub-processors

We use a small set of established infrastructure providers (for example, cloud hosting/CDN and email delivery) to run the service. We maintain an internal list of sub-processors and will share the current list, along with a DPA, on request for a security review.

Access, retention & deletion

  • Access to customer data is limited to the people who operate your account, on a need-to-know basis.
  • We retain findings and evidence for the life of your account so the audit trail stays intact; on termination, account data is deleted on request within a defined window.
  • You can request export or deletion of your account data at any time.

Takedown safeguards

Takedown notices carry legal weight, so every notice is reviewed and signed by a human before it is sent, with the supporting evidence packaged. We don't auto-fire notices. This protects you from the §512(f) liability that comes with a careless or automated takedown.

Compliance posture

We're an early-stage company building toward formal attestation. SOC 2 Type II readiness is on our roadmap, and we operate with security policies, encrypted transport, least-privilege access, and the passive-by-default scanning boundary above. We're transparent about where we are rather than displaying badges we haven't earned — if a control matters for your review, ask and we'll tell you exactly where it stands.

Reporting a vulnerability

Found a security issue in our service or site? Email [email protected] with details and we'll respond promptly. We appreciate responsible disclosure and won't pursue good-faith research.

Free exposure report

See what's impersonating your brand

Send us a domain. We run a passive sweep — permutations, certificate logs, DNS — and send back what we find, free. No signup, no sales call to start.
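To make the passive sweep concrete, here is an added example that is not the vendor's code and does not describe their actual pipeline: it generates a small set of lookalike-domain permutations for a brand domain (omission, transposition, doubling, hyphenation, a few digit homoglyphs, TLD swaps) and matches them against a constructed, inline sample of certificate-transparency entries. Nothing is queried or probed; the only "input" is public CT data, modelled here by the hypothetical `CT_SAMPLE` list. The homoglyph table, the alternate-TLD list and the entry format are all assumptions chosen for illustration.

```python
"""Passive lookalike-domain detection: permutations matched against CT-log entries.

Added illustration, not the vendor's code. The CT entries below are constructed
sample data in an assumed shape (issuer, logged_at, list of names), not real log output.
"""
from __future__ import annotations

# Assumed, deliberately small homoglyph table (letter -> visually similar digit).
HOMOGLYPHS = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"}
# Assumed alternate TLDs to check for the unmodified label.
ALT_TLDS = ("com", "net", "org", "co", "io")


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'label.tld' into (label, tld); lower-cased for comparison."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def generate_permutations(domain: str) -> set[str]:
    """Return candidate lookalike domains for a brand domain (the domain itself excluded)."""
    label, tld = split_domain(domain)
    labels: set[str] = set()
    for i in range(len(label)):                       # character omission
        labels.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                   # adjacent transposition
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):                       # character doubling
        labels.add(label[:i + 1] + label[i] + label[i + 1:])
    for i in range(1, len(label)):                    # hyphen insertion
        labels.add(label[:i] + "-" + label[i:])
    for i, ch in enumerate(label):                    # single homoglyph substitution
        if ch in HOMOGLYPHS:
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    labels.discard(label)
    candidates = {f"{lbl}.{tld}" for lbl in labels}
    candidates.update(f"{label}.{t}" for t in ALT_TLDS if t != tld)  # TLD swaps
    return candidates


# Constructed CT-log sample (hypothetical entries, assumed shape; not real log data).
CT_SAMPLE = [
    {"issuer": "CN=Sample CA 1", "logged_at": "2024-05-02T10:11:12Z",
     "names": ["example.com", "www.example.com"]},          # the brand's own cert
    {"issuer": "CN=Sample CA 2", "logged_at": "2024-05-03T08:00:00Z",
     "names": ["login.exmaple.com", "exmaple.com"]},        # transposition lookalike
    {"issuer": "CN=Sample CA 1", "logged_at": "2024-05-04T12:30:00Z",
     "names": ["*.examp1e.com"]},                           # homoglyph, wildcard SAN
    {"issuer": "CN=Sample CA 3", "logged_at": "2024-05-05T09:45:00Z",
     "names": ["example.net"]},                             # TLD swap
    {"issuer": "CN=Sample CA 3", "logged_at": "2024-05-06T16:20:00Z",
     "names": ["shop.acme-widgets.test"]},                  # unrelated, should not match
]


def match_ct_entries(domain: str, ct_entries: list[dict]) -> list[dict]:
    """Report every (candidate, SAN) pair where a logged name is, or sits under, a lookalike."""
    candidates = generate_permutations(domain)
    hits: list[dict] = []
    seen: set[tuple[str, str]] = set()
    for entry in ct_entries:
        for raw in entry["names"]:
            name = raw.lower()
            if name.startswith("*."):                     # wildcard SAN: match on its base
                name = name[2:]
            for cand in candidates:
                if name == cand or name.endswith("." + cand):
                    key = (cand, raw)
                    if key not in seen:
                        seen.add(key)
                        hits.append({"domain": cand, "san": raw,
                                     "issuer": entry["issuer"],
                                     "logged_at": entry["logged_at"]})
    return sorted(hits, key=lambda h: (h["domain"], h["san"]))


if __name__ == "__main__":
    for hit in match_ct_entries("example.com", CT_SAMPLE):
        print(f'{hit["logged_at"]}  {hit["domain"]:<16} via SAN {hit["san"]}  ({hit["issuer"]})')
```

The matching step deliberately treats a subdomain (`login.exmaple.com`) and a wildcard (`*.examp1e.com`) as evidence for the registrable lookalike underneath it, since that is the domain a takedown or monitoring rule would target; a real sweep would feed the same candidate set into DNS and registration lookups, which this offline example omits.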

Get a free exposure report