Short, honest answers to the questions your security team will ask.
We publish what we do and, just as importantly, what we do not. No scanner retargeting, no third-party pixels, no raw IPs or user agents in our database, ever. For the deeper data-residency detail see /security/; for live uptime see /status/.
1. Privacy-first analytics
Per ADR-0004, the scan pipeline never logs an IP address or a raw User-Agent. At ingest we read CF-IPCountry (country) and pass the UA through a device-class regex (mobile / tablet / desktop / unknown), then discard the raw string. City-level data is an aggregated rollup populated from request.cf.city: no per-scan rows, no joinable identifiers. Country aggregates under 5 scans fold into "Other" to resist re-identification.
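The ingest-side reduction and the small-bucket fold described above, as an added example that is not the project's own pipeline code. Only the header name CF-IPCountry, the request.cf.city field and the threshold of 5 come from the page; the function names, the device regexes, the hour bucketing and the sample requests are assumptions for illustration.

```javascript
// Added example (not abundera.ai's code): sanitise a scan at ingest so that
// neither the IP nor the raw User-Agent can reach storage, then roll up
// country counts with small buckets folded into "Other".

const MIN_COUNTRY_BUCKET = 5; // from the page: aggregates under 5 scans fold into "Other"

// Minimal stand-in for a Worker Request: case-insensitive header lookup plus
// the request.cf geo object. Constructed for the example, not a real request.
function makeRequest(headers, cf) {
  const lower = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return { headers: { get: (name) => lower[name.toLowerCase()] ?? null }, cf };
}

// Device-class classifier. Tablet is tested first because Android tablets
// look like "Android" without the "Mobile" token, while phones carry both.
// The raw UA string is consumed here and never returned. (Regexes assumed.)
function classifyDevice(ua) {
  if (!ua) return "unknown";
  if (/iPad|Tablet|Android(?!.*Mobile)/i.test(ua)) return "tablet";
  if (/Mobile|iPhone|Android/i.test(ua)) return "mobile";
  if (/Windows|Macintosh|X11|Linux/i.test(ua)) return "desktop";
  return "unknown";
}

// Build the only record allowed to reach the database. It has no field for
// the IP (CF-Connecting-IP is never read) or for the User-Agent.
function sanitizeScan(req, codeId, nowMs = Date.now()) {
  const country = req.headers.get("CF-IPCountry") || "XX";
  const device = classifyDevice(req.headers.get("User-Agent"));
  const city = (req.cf && req.cf.city) || null;
  // Coarse time (hour bucket) rather than an exact timestamp: less linkage
  // between a row and one person. Bucketing is an assumption of this example.
  const hourBucket = Math.floor(nowMs / 3_600_000) * 3_600_000;
  return { codeId, country, device, city, hourBucket };
}

// Aggregate country counts and fold every bucket below the threshold into
// "Other", so a country with one or two scans never appears on its own.
function rollupCountries(records, threshold = MIN_COUNTRY_BUCKET) {
  const counts = new Map();
  for (const r of records) counts.set(r.country, (counts.get(r.country) || 0) + 1);
  const out = {};
  let other = 0;
  for (const [country, n] of counts) {
    if (n < threshold) other += n;
    else out[country] = n;
  }
  if (other > 0) out.Other = other;
  return out;
}
```

The useful property to check in review is negative: the sanitised record must not contain the IP or any substring of the UA, and the rollup must never emit a country below the threshold. Both are cheap assertions to keep in the pipeline's test suite.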
2. Encrypted backups
Every night at 03:00 UTC a separate Worker snapshots D1 to R2. Backups are AES-GCM encrypted with a rotated, KDF-derived data key wrapped by BACKUP_ENCRYPTION_KEY. Every bundle carries a SHA-256 digest and a manifest for tamper detection (see the backups table). Retention: 7 years for Pro tenants. The encryption key is held in three independent copies (Worker secret, 1Password vault, sealed offline); losing all three would make historical backups unrecoverable, so operationally we treat its custody as a single point of failure.
3. API Shield + strict CSP
Our public OpenAPI 3.1 spec is uploaded to Cloudflare API Shield and every request to /api/* is validated against it. Schema drift is eliminated by a post_deploy hook that re-uploads the spec on every production deploy. On the front end, a strict Content Security Policy forbids inline scripts everywhere: every page references its JS via <script src>, and our pre-deploy make check refuses to ship a page that violates the rule.
4. Audit log + GDPR ledger
Every mutation (code create/patch/delete, team invite, key issue, plan change, webhook edit) writes an append-only row to audit_log with actor, scope, and timestamp, retained 180 days and pruned by a sweeper. The GDPR request ledger (gdpr_requests) tracks every export / delete / restore; rows survive account deletion (FK ON DELETE SET NULL, email preserved) so we can prove on-time honoring of every statutory request years after the account is gone.
5. Authentication protections
Auth is delegated to the shared abundera.ai identity layer (EdDSA JWT via JWKS). Available to Pro customers:
- 2FA (TOTP): RFC 6238 time-based one-time passwords, any standard authenticator app, backup codes issued at enrollment.
- SAML 2.0 SSO: Okta, Entra ID, JumpCloud, Google Workspace, custom IdPs. Available on Team+ (bundled on Agency/Enterprise).
- SCIM 2.0 provisioning: RFC 7643/7644 user + group lifecycle, rate-limited per token, audit-logged. Off by default; enabled per customer.
- API keys (Business+): stored as sha256(raw); the raw abnd_qrpro_... value is returned only at creation and never again.
6. Subprocessors
The short list: Cloudflare (hosting, D1, KV, R2, API Shield), Stripe (payments), Zoho / ZeptoMail (transactional email), Twilio (phone verification + SMS). See /trust/subprocessors/ for the canonical list with regions, data categories, and our 30-day change-notification commitment.
7. Data Processing Agreement
Our GDPR-aligned DPA (EU SCCs, UK addendum, Swiss FADP addendum) is downloadable at abundera.ai/legal/dpa/. It applies to all paid tiers automatically; no separate countersignature is required unless your procurement process needs one (we'll sign on request at legal@abundera.ai).
8. SOC 2
SOC 2 Type II: in progress, target Q3 2026. We are in scoping / observation-window planning with a Big-4-adjacent audit firm. Until the report is issued we will not display a SOC 2 badge. If SOC 2 completion is a hard procurement requirement for you today, email enterprise@abundera.ai; we can share current control evidence, our draft system description, and the expected attestation date under NDA.
9. No third-party pixels, ever
This is a defining promise and a product boundary, not a default we could quietly change. We do not inject Google Analytics, Google Tag Manager, Meta Pixel, TikTok Pixel, LinkedIn Insight, Hotjar, FullStory, or any other third-party tracker: not into our redirect responses, not into our hosted landing pages, not into the dashboard surfaces your scanners see. Your scanners are never retargeted. If you need pixel-based attribution on your own destination, add your own UTM (or pixel) parameters to the destination URL; we do not interfere. The redirect itself is a 302 from our Worker to your URL; nothing else runs.
10. Responsible disclosure
Found something? Start at /.well-known/security.txt for the current contact, PGP key, and scope. Email security@abundera.ai; we acknowledge within 24h (business days), triage within 72h, and coordinate the fix and disclosure with you. Researchers who report in good faith get public credit at abundera.ai/security/thanks/ once the fix ships.
11. Status + uptime
Live status, component health, and incident history are at /status/. The redirect hot path is monitored every 5 minutes by an external Worker; degraded or down components are reflected on the status page within one polling cycle.