Security

Last updated: 2026-04-07

Stratum Flow is a business service for continuously monitoring public information about competitors, markets, and technology, then turning it into reports. This page summarizes the security practices, subprocessors, and data-handling assumptions we can currently disclose.

1. Security overview

  • The frontend is served on Firebase App Hosting.
  • The backend uses Firebase Functions and Firestore.
  • Authentication is handled by Firebase Authentication with Email and Google sign-in support.
  • Users can configure two-factor authentication with TOTP or SMS from account settings.
  • Payments are processed by Stripe. We do not directly store card numbers or similar payment credentials.

2. Data protection and operations

  • All communication is encrypted with TLS.
  • API keys are stored as hashes, and the secret is shown only once at creation.
  • Prompts, target URLs, and portions of collected public web information needed for report generation may be sent to external AI providers.
  • Webhook, email notification, and API key settings are managed per contracted tenant.
  • Data that is no longer needed for operations is deleted or anonymized, and retention is managed under the Privacy Policy.

3. Retention policy

  • Account information: while subscribed and for 30 days after cancellation
  • Job settings, run history, and reports: retained while subscribed and deleted within 30 days after cancellation
  • Access logs: up to 90 days for security purposes
  • Payment records: retained for the period required by law

4. Main subprocessors

  • Firebase / Google Cloud: Application hosting, authentication, database, and backend runtime
  • Stripe: Payment processing, billing information, and subscriptions
  • OpenRouter: External AI inference for report generation
  • Serper / Scrappey: Public web information retrieval, search, and page collection support
  • Resend: Inquiry and notification email delivery

For details, see the Privacy Policy and DPA / Contract page.

5. Contact

Security questionnaires, vendor registration, DPA requests, and vulnerability reports are accepted through the contact form. For urgent issues, include [Security] at the beginning of the subject.