Short, honest answers to the questions security teams ask.
We publish what we do and, just as importantly, what we do not do: no retargeting of scanners, no third-party pixels, and no raw IPs or user agents anywhere in the database. See /security/ for the detailed data-residency breakdown and /status/ for live uptime.
1. Privacy-first analytics
Per ADR-0004, the scan pipeline does not log IP addresses or raw User-Agent strings. At ingest we read CF-IPCountry (country), run the UA through device-class regular expressions (mobile / tablet / desktop / unknown), and then discard the raw string. City-level data is an aggregated rollup from request.cf.city: no per-scan rows and no joinable identifiers. Country aggregates with fewer than 5 scans are collapsed into "Other" to prevent re-identification.
2. Encrypted backups
Every night at 03:00 UTC a separate Worker snapshots D1 to R2. Backups are AES-GCM encrypted with a KDF-rotated data key wrapped by BACKUP_ENCRYPTION_KEY. Every bundle includes a SHA-256 digest plus a manifest for tamper detection (see the backups table). Retention: 7 years for Pro tenants. The encryption key is held as three independent copies (Worker secret, 1Password vault, sealed offline); losing all three would make historical backups unrecoverable, so treat it as a single point of operational truth.
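The ingest-time reduction described above, as an added example in Worker-style JavaScript (not the project's own code): the request is reduced to country and device class before anything is stored, and per-country rollups collapse small buckets. The regex patterns, the record shape and the sample request are assumptions.

```javascript
// Added illustration of the section 1 policy; not the project's pipeline code.
// Device-class patterns are an assumption; order matters (tablet before mobile).
const DEVICE_CLASS_PATTERNS = [
  ["tablet", /iPad|Tablet|Android(?!.*Mobile)/i],
  ["mobile", /Mobi|iPhone|Android/i],
  ["desktop", /Windows NT|Macintosh|X11|Linux/i],
];
const MIN_BUCKET = 5; // page's threshold: fewer than 5 scans folds into "Other"

// Reduce a raw User-Agent to a coarse class. The raw string is used here and then dropped.
function deviceClass(ua) {
  if (!ua) return "unknown";
  for (const [cls, re] of DEVICE_CLASS_PATTERNS) if (re.test(ua)) return cls;
  return "unknown";
}

// Build the only fields a scan row keeps. Deliberately no IP, no UA, no per-scan city
// (city is aggregated separately from request.cf.city, never stored per scan).
function scanRecord(request) {
  const country = request.headers.get("CF-IPCountry") || "XX"; // "XX" = unknown country
  const cls = deviceClass(request.headers.get("User-Agent"));
  return { country, deviceClass: cls, ts: Math.floor(Date.now() / 1000) };
}

// Per-country rollup: any country with fewer than MIN_BUCKET scans is merged into "Other"
// so that a single scan cannot be tied back to a country with very few visitors.
function rollupCountries(records) {
  const counts = new Map();
  for (const r of records) counts.set(r.country, (counts.get(r.country) || 0) + 1);
  const out = { Other: 0 };
  for (const [country, n] of counts) {
    if (n < MIN_BUCKET) out.Other += n;
    else out[country] = n;
  }
  if (out.Other === 0) delete out.Other;
  return out;
}

// Constructed sample request (not real traffic): the headers a Worker would see on a scan.
const sampleRequest = {
  headers: new Headers({
    "CF-IPCountry": "DE",
    "User-Agent": "Mozilla/5.0 (Linux; Android 14; Pixel 8) Mobile",
  }),
};
```

Running `scanRecord(sampleRequest)` yields only `{ country: "DE", deviceClass: "mobile", ts }`; the User-Agent header value never leaves the function.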
3. API Shield + strict CSP
Our public OpenAPI 3.1 spec is uploaded to Cloudflare API Shield and every request to /api/* is validated against it. Schema drift is eliminated by a post_deploy hook that re-uploads the spec on every production deploy. On the front end, a strict Content Security Policy forbids inline scripts everywhere, every page references its JS via <script src>, and our pre-deploy make check refuses to ship a page that violates the rule.
4. Audit log + GDPR ledger
Every mutation (code create/patch/delete, team invite, key issue, plan change, webhook edit) writes an append-only row to audit_log with actor, scope, and timestamp, retained 180 days and sweeper-pruned. The GDPR request ledger (gdpr_requests) tracks every export / delete / restore; rows survive account deletion (FK ON DELETE SET NULL, email preserved) so we can prove on-time honor of every statutory request years after the account is gone.
5. Authentication protections
Auth is delegated to the shared abundera.ai identity layer (EdDSA JWT via JWKS). Available to Pro customers:
- 2FA (TOTP), RFC 6238 time-based one-time passwords, any standard authenticator app, backup codes issued at enrollment.
- SAML 2.0 SSO, Okta, Entra ID, JumpCloud, Google Workspace, custom IdPs. Available on Team+ (bundled on Agency/Enterprise).
- SCIM 2.0 provisioning, RFC 7643/7644 user + group lifecycle, rate-limited per token, audit-logged. Off by default; enabled per customer.
- API keys, Business+, stored as sha256(raw); the raw abnd_qrpro_... value is only returned at creation and never again.
6. Sub-processors
The short list: Cloudflare (hosting, D1, KV, R2, API Shield), Stripe (payments), Zoho / ZeptoMail (transactional email), Twilio (phone verification + SMS). See /trust/subprocessors/ for the canonical list with regions, data categories, and our 30-day change-notification commitment.
7. Data Processing Agreement
Our GDPR-aligned DPA (EU SCCs, UK addendum, Swiss FADP addendum) is downloadable at abundera.ai/legal/dpa/. It applies to all paying tiers automatically, no separate countersignature required unless your procurement process needs one (we'll sign on request at legal@abundera.ai).
8. SOC 2
SOC 2 Type II, in progress, target Q3 2026. We are in scoping / observation-window planning with a Big-4-adjacent audit firm. Until the report is issued we will not display a SOC 2 badge. If SOC 2 completion is a hard procurement requirement for you today, email enterprise@abundera.ai, we can share current control evidence, our draft system description, and the projected attest date on NDA.
9. No third-party pixels, ever
This is a load-bearing promise and a product boundary, not a default we could quietly change. We do not inject Google Analytics, Google Tag Manager, Meta Pixel, TikTok Pixel, LinkedIn Insight, Hotjar, FullStory, or any other third-party tracker, not into our redirect responses, not into our hosted landing pages, not into dashboard surfaces your scanners see. Your scanners are never re-targeted. If you need pixel-based attribution on your own destination, append your own UTM (or pixel) parameters to the destination URL; we stay out of the loop. The redirect itself is a 302 from our worker to your URL, nothing else runs.
10. Responsible disclosure
Found something? Start at /.well-known/security.txt for the current contact, PGP key, and scope. Email security@abundera.ai, we acknowledge within 24h (business days), triage within 72h, and coordinate fix + disclosure with you. Researchers who report in good faith get public credit at abundera.ai/security/thanks/ once a fix ships.
11. Status + uptime
Live status, component health, and incident history are at /status/. The redirect hot path is monitored every 5 minutes by an external Worker; degraded or down components are reflected on the status page within one polling cycle.