Our commitments

We only scan what you own

Before any scan runs, we verify ownership of every domain and IP using the same DNS TXT or file-based methods Google and Microsoft use. Unverified targets are refused. No exceptions.

Scans are passive and throttled

Our scanning engine observes what is externally visible. It does not exploit vulnerabilities, brute-force credentials, inject payloads, or test availability limits. If a check could affect your operations, we do not run it.

Your data lives in Australia

Customer accounts, scan results, and reports are stored in Supabase hosted in Sydney (ap-southeast-2). Data does not leave Australian infrastructure for storage.

We do not sell or share your data

Your scan results, domains, and findings are visible only to you and to the AttackEdge operator handling your report. We do not share, sell, resell, or aggregate your data for any purpose outside delivering your service.

You can delete everything

Email hello@attackedge.io and we will delete your account, scan history, and reports within 7 days. You get a written confirmation when it is done.

We will tell you if something goes wrong

If any customer data is exposed in a security incident, we will notify affected customers within 72 hours with what happened, what was affected, and what we are doing about it. Australian Notifiable Data Breach obligations apply.

Practices and posture.

What we collect
Your account email, the domains and IPs you add, scan results, and any report notes. Payments are handled by Stripe and we never see your card details.
Where it is stored
Supabase Postgres and Storage in Sydney, Australia (AWS ap-southeast-2). Logs and application telemetry stay in the same region.
Retention
Active while you are a customer. Scan history is retained for your own historical access. Delete anything on request via hello@attackedge.io.
Access control
Only the founder has production access today. All access is logged. As the team grows, access will remain least-privilege with background-checked operators only.
How we scan
Open-source scanners from the ProjectDiscovery suite, run from infrastructure we control. Results are analysed by AI for prioritisation. No third-party scanning service ever sees your data.
AI usage
We use AI to rank findings and write plain-English explanations. Prompts include scan findings and your industry context. We do not train models on your data and we use vendor API settings that disable training.
Encryption
Data in transit uses TLS 1.2+. Data at rest is encrypted by the storage provider (AES-256). Secrets are held in environment-level vaults, never in source control.
Backups
Automated daily backups with 7-day retention, restricted to the same Australian region.
Compliance posture
We are building toward ISO 27001 and SOC 2 Type 1. We will publish progress honestly as we get there, rather than claim certifications we do not yet hold.

Subprocessors.

These are the services that process customer data on our behalf. We review each annually and update this list when it changes.

| Service | Purpose | Region |
| --- | --- | --- |
| Supabase | Hosting, Postgres database, authentication, object storage. | Sydney, Australia (AWS ap-southeast-2) |
| Stripe | Payments, billing portal, subscription management. | Global (PCI-compliant; AttackEdge never sees card data) |
| Resend | Transactional email (account + report delivery). | USA |
| Anthropic | Claude API for finding prioritisation and plain-English explanations. Training disabled. | USA |
| Cloudflare | Edge CDN, DNS, bot protection. | Global |
| Vercel | Marketing site hosting (static pages only; no customer scan data). | Global |

Questions, concerns, or a responsible-disclosure report?

Email security@attackedge.io for security matters, or hello@attackedge.io for anything else. We respond within one business day.
