Trust Center

How we handle your data.

For procurement reviews, GDPR audits, and CTOs who need to brief their team before adopting another vendor.

All systems operational

Public health endpoint: /api/v1/health

Last 90 days uptime: target 99.5%

Operating entity

Legal name

Valer Krystian Szozda

Form

Sole proprietor (Poland)

NIP / VAT

6912545436

Country

Poland 🇵🇱 (EU)

Sales contact

[email protected]

Privacy contact

[email protected]

Security posture

Encryption in transit

•TLS 1.3 enforced at the edge (Cloudflare)
•HSTS with includeSubDomains + preload
•Internal traffic between services on isolated Docker network — no external exposure

Encryption at rest

•PostgreSQL on encrypted disk (LUKS)
•User-supplied scan credentials encrypted with Fernet/AES-256
•Scan reports stored on local disk; not synced to third-party storage

Access control

•Firebase Auth (Google + email/password) for users
•API keys (ac_live_ prefix, SHA-256 hashed) for CI/CD
•Admin actions (e.g. founder/admin grants) logged to admin_audit_log

Infrastructure

•Self-hosted on dedicated home server (PL) — no shared cloud tenancy
•PostgreSQL 16, Redis 7, Caddy reverse proxy, Cloudflare Tunnel ingress
•Daily database backups (pg_dump), 30-day retention

Sub-processors

All act as data processors under GDPR. EU/UK transfers covered by Standard Contractual Clauses + provider-specific safeguards.

Processor	Purpose	Data shared	Region
Stripe, Inc.	Payment processing	Name, email, billing details, payment data	USA
Google Firebase	Authentication (Google sign-in, email/password)	Email, password hash, profile data	USA
Resend	Transactional email (scan results, receipts, verification)	Email address, scan summary	USA
Anthropic, PBC	AI Fix Generator (Claude API), AI triage, generative agent payloads	Vulnerability metadata for selected findings (title, description, evidence). Inputs not used for model training under API terms.	USA
Cloudflare	DNS, CDN, DDoS protection, Tunnel (frontend ingress)	IP addresses, request metadata	USA
Sentry (optional, off by default)	Error monitoring	Anonymized stack traces — no PII unless included in error context	USA

Compliance frameworks we map findings to

Every finding in your scan report carries references to the controls it may violate. This is mapping, not certification — AuditCore itself is not ISO/SOC 2 certified (we're a sole proprietorship and that's out of scope today).

OWASP Top 10 2021

Categorical map (A01–A10)

PCI DSS 4.0

Payment-relevant controls

ISO 27001:2022

Annex A controls (A.5–A.8)

NIS2 Directive

EU, effective Oct 2024

GDPR Art. 32

Confidentiality of processing

SOC 2

Common Criteria (CC6, CC7)

Data handling

Scan results: retained indefinitely so you can access historical reports. Delete on request via [email protected].

Uploaded files (APK/IPA): deleted within 24h after scan completion.

Test credentials: encrypted at rest (Fernet/AES-256), permanently deleted after scan completion. Never accessed by AuditCore staff.

DPA (Data Processing Agreement): available on request for B2B customers. Email [email protected] with your company name + use case.

Incident log

No reportable incidents to date.

We commit to publishing material incidents (data breach, prolonged outage, vendor compromise) here within 72 hours of confirmation, with scope, root cause, and mitigation steps.

Questions about trust or compliance?

Procurement / DPA / GDPR / security review — direct line.

[email protected]