Security

We take security seriously and are transparent about our practices. Here's what we've implemented.

This page accurately reflects our current security implementation. We believe in transparency and will update this page as we add new security features.

What We've Implemented

Data Encryption

  • TLS encryption for all data in transit
  • Encryption at rest via infrastructure provider
  • Encrypted database backups
  • Secure password hashing (bcrypt)

Infrastructure Security

  • Hosted on SOC 2 compliant infrastructure
  • DDoS protection
  • Geographically distributed infrastructure
  • Automated backups
  • Automated dependency scanning

Access Controls

  • Role-based access control (RBAC)
  • Row-level security (RLS) for data isolation
  • Organization-based tenancy
  • Secure session management
  • Multi-factor authentication (MFA) support
  • Comprehensive audit logging of all actions

Application Security

  • Rate limiting on public endpoints
  • Input validation and sanitization
  • CSRF protection
  • SQL injection prevention

Certifications & Compliance

  • Infrastructure SOC 2: Compliant. Our hosting providers are SOC 2 certified.
  • GDPR: Compliant. Full compliance with EU data protection regulations.
  • CCPA: Compliant. California Consumer Privacy Act compliance.
  • SOC 2 Type II: In progress. An independent audit of our own controls, separate from our hosting providers' reports, targeted for Q2 2026.

Our Security Practices

Secure Development

We follow secure coding practices, use TypeScript for type safety, and validate all user inputs using Zod schemas.

Data Backup

Automated backups are performed by our infrastructure provider with encryption and geographic redundancy.

Incident Response

In the event of a security incident, we commit to notifying affected users within 72 hours of becoming aware of it and to taking immediate action to contain the issue.

Compliance

We comply with GDPR and CCPA regulations, follow OWASP security best practices, and are working toward SOC 2 certification.

Responsible Disclosure

We appreciate security researchers who help us maintain the security of our platform.

If you discover a security vulnerability:

  1. Email us at security@appscanai.com with details
  2. Do not publicly disclose the vulnerability until we've addressed it
  3. Provide reasonable time for us to respond and fix the issue
  4. Do not exploit the vulnerability beyond demonstrating the issue

We commit to acknowledging your report within 48 hours and providing regular updates on our progress.

Data Protection Measures

Data Isolation

Each organization's data is logically isolated using row-level security (RLS) enforced in the database: every query runs in the context of the requesting organization, so rows belonging to other organizations are not visible to it. Your data is never accessible to other users or organizations.
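As an added illustration of the organization-scoped isolation described above (and in the Access Controls list), here is what an RLS setup of this shape looks like in PostgreSQL. This is example code written for this page, not the platform's own schema or policies; the table and column names (scans, org_id), the database role (app_user), the setting name (app.current_org) and the two organization ids are assumptions made for the illustration.

```sql
-- Added example, not the platform's own schema: organization-scoped row-level
-- security in PostgreSQL. scans, org_id, app_user and app.current_org are
-- assumed names. Run as the table owner (or a superuser) in a scratch database.

CREATE TABLE scans (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    target  text NOT NULL
);

-- Turn RLS on. FORCE also applies the policy to the table's owner; without it a
-- service that connects as the owning role silently bypasses every policy.
ALTER TABLE scans ENABLE ROW LEVEL SECURITY;
ALTER TABLE scans FORCE ROW LEVEL SECURITY;

-- The caller's organization is read from a transaction-scoped setting.
-- NULLIF covers both ways an unset value can surface (NULL, or '' once the
-- placeholder has been defined earlier in the session). NULL never equals
-- anything, so a request that failed to bind an organization matches no rows
-- (fail closed) instead of matching all of them.
CREATE POLICY scans_org_isolation ON scans
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- The application connects as an ordinary role: superusers and roles with
-- BYPASSRLS are exempt from RLS no matter what the policies say.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON scans TO app_user;
GRANT USAGE ON SEQUENCE scans_id_seq TO app_user;

-- Seed one row for each of two organizations (constructed sample data).
-- Because RLS is forced, even the owner must bind an organization to insert.
BEGIN;
SELECT set_config('app.current_org', '11111111-1111-4111-8111-111111111111', true);
INSERT INTO scans (org_id, target)
    VALUES ('11111111-1111-4111-8111-111111111111', 'app.example.com');
COMMIT;
BEGIN;
SELECT set_config('app.current_org', '22222222-2222-4222-8222-222222222222', true);
INSERT INTO scans (org_id, target)
    VALUES ('22222222-2222-4222-8222-222222222222', 'intranet.example.org');
COMMIT;

-- A request on behalf of organization 1111...: the third argument (true) makes
-- set_config transaction-local, so the tenant id cannot leak to the next
-- request that reuses this pooled connection. In application code the uuid is
-- passed as a bind parameter to set_config, never concatenated into a SET.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_org', '11111111-1111-4111-8111-111111111111', true);

-- The USING clause filters this to the rows whose org_id is 1111...;
-- organization 2222...'s row is not visible to this transaction.
SELECT id, org_id, target FROM scans;

-- Writing a row into another organization violates the WITH CHECK clause
-- and the statement is rejected with a row-level security policy error.
INSERT INTO scans (org_id, target)
    VALUES ('22222222-2222-4222-8222-222222222222', 'planted.example.org');
ROLLBACK;

-- A request that never bound an organization matches no rows at all.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM scans;
ROLLBACK;
```

Two things to verify when reviewing a setup like this: the organization id must come from the server-side authenticated session, never from a client-supplied header or body field, and every connection the application uses must be a non-superuser, non-BYPASSRLS role, since migration and admin tooling that connects as the owner or a superuser is outside the policy's reach unless FORCE ROW LEVEL SECURITY is set and the role is not a superuser.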

Secure Deletion

When you delete data, it is permanently removed from our systems within 30 days, including all backups.

Data Residency

Your data is stored in secure data centers with redundancy across multiple availability zones.

Data Portability

You can export your data at any time in standard formats (JSON, CSV) through your account dashboard.

Our Commitment to Transparency

We believe in being honest about our security posture. This page accurately reflects what we've implemented and what we're working on. We will update this page as we add new security features.

Security is an ongoing journey, not a destination. We're committed to continuously improving our security practices and being transparent with our users.

Questions About Security?

We're happy to answer any questions about our security practices.

Security Team: security@appscanai.com

General Support: support@appscanai.com