Security

Where your scan data lives.

AttackEdge is built by people who break into things for a living. We take custody of your data seriously. Sydney hosting, passive scanning only, plain commitments. No legal filler.

security@attackedge.io Privacy policy
Trust pillars

Four things we hold ourselves to.

These are commitments we can keep with the stack we run today, not aspirations.

Hosting and storage
  • Customer accounts, targets, scan results, and report metadata in Fly.io Postgres
  • Primary app, database, and scanner workers run in Sydney
  • Report artifacts stored in Cloudflare R2
  • Backups managed by the infrastructure providers
  • Operational logs retained only as needed for security and debugging
Authentication and access
  • Clerk handles sign-in and session management
  • Workspace isolation in the application and database model
  • Only the founder has production access today
  • All production access is logged
  • Least-privilege as the team grows
How we scan
  • Ownership verified before any active probe
  • Passive observation, no exploitation, no brute force
  • No login testing, no DOS testing
  • Rate-limited so it cannot affect your operations
  • ProjectDiscovery toolchain on infrastructure we control
Data lifecycle
  • Data in transit uses TLS 1.2+
  • Data at rest encrypted by the storage provider (AES-256)
  • Secrets in environment-level vaults, never in source
  • Delete on request: written confirmation within 7 days
  • Notifiable Data Breach scheme: notify within 72 hours
Subprocessors

Who processes your data on our behalf.

These are the services that touch customer data. We review each annually and update this list when it changes.

VendorWhat they doRegion
Fly.ioApplication hosting, Postgres database, scanner workersSydney, AU for primary runtime and database
StripePayments, billing portal, subscription managementGlobal, PCI-compliant
ClerkAuthentication and session managementUSA
ResendTransactional email (account and report delivery)USA
AnthropicClaude API for finding prioritisation. Training disabled.USA
CloudflareDNS, edge protection, CDN, report object storageGlobal
What we collect

Plainly: just enough to do the job.

Account data
  • Your email, the domains and IPs you add
  • Scan results and report notes
  • Card details handled by Stripe. We never see them.
AI usage
  • Claude ranks findings and writes plain-English summaries
  • Training disabled at the API level
  • Prompts include scan findings and industry context only
Compliance posture
  • Building toward ISO 27001 and SOC 2 Type 1
  • We publish progress honestly, no claimed certifications
  • Notifiable Data Breach scheme: 72-hour notice
Talk to us

Security questions, or a responsible-disclosure report?

Email security@attackedge.io for security matters, or hello@attackedge.io for anything else. We respond within one business day.

Start a scan Back to home