Trust center

Short, honest answers to the questions your security team will ask.

We publish what we do and — just as importantly — what we don't. No scanner re-targeting, no third-party pixels, no raw IPs or user agents in our database, ever. For the deeper data-residency breakdown see /security/; for live uptime see /status/.

1. Privacy-first analytics

Per ADR-0004, the scan pipeline never logs an IP address or a raw User-Agent. At ingest we read CF-IPCountry (country) and pass the UA through a device-class regex (mobile / tablet / desktop / unknown), then discard the raw string. City-level data is an aggregated rollup populated from request.cf.city — no per-scan row, no joinable identifier. Country aggregates under 5 scans fold into "Other" to defeat re-identification.

2. Encrypted backups

Every night at 03:00 UTC a separate Worker snapshots D1 to R2. Backups are AES-GCM encrypted with a KDF-rotated data key wrapped by BACKUP_ENCRYPTION_KEY. Every bundle carries a SHA-256 digest + manifest for tamper detection (see the backups table). Retention: 7 years for Pro tenants. The encryption key is held in three independent copies (Worker secret, 1Password vault, sealed offline) — losing all three would make historical backups unrecoverable, so we treat it as a single point of operational truth.

3. API Shield + strict CSP

Our public OpenAPI 3.1 spec is uploaded to Cloudflare API Shield and every request to /api/* is validated against it. Schema drift is eliminated by a post_deploy hook that re-uploads the spec on every production deploy. On the front end, a strict Content Security Policy forbids inline scripts everywhere — every page references its JS via <script src>, and our pre-deploy make check refuses to ship a page that violates the rule.
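The kind of gate that refuses to ship a page with inline script, as an added example; it is not the project's `make check` target, and the CSP header value it builds is an assumption, not the header the product actually sends. The scan is regex-based and meant for templates you control before deploy, not for arbitrary untrusted HTML.

```javascript
// Added example, not the project's own pre-deploy check. Assumptions: pages
// are given as a { path: html } map, and STRICT_CSP is an illustrative header.
const STRICT_CSP = [
  "default-src 'self'",
  "script-src 'self'",     // no 'unsafe-inline', no hashes: external <script src> only
  "object-src 'none'",
  "base-uri 'self'",
].join('; ');

// Each rule is something a strict script-src would block at runtime. Catching
// it before deploy turns a silent runtime breakage into a failed build.
const RULES = [
  // <script> element with no src attribute (inline script body)
  { name: 'inline-script', re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>/gi },
  // on* event-handler attributes on any element
  { name: 'event-handler', re: /<[a-z][^>]*\s+on[a-z]+\s*=/gi },
  // javascript: URLs in navigation / form attributes
  { name: 'javascript-url', re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi },
];

function findCspViolations(html) {
  const out = [];
  for (const { name, re } of RULES) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(html)) !== null) {
      const line = html.slice(0, m.index).split('\n').length;
      out.push({ rule: name, line, snippet: m[0].slice(0, 60) });
    }
  }
  return out;
}

// Returns ok=false (so the caller can exit non-zero) if any page would
// violate the policy; failures carry path + line for the build log.
function checkPages(pages) {
  const failures = [];
  for (const [path, html] of Object.entries(pages)) {
    for (const v of findCspViolations(html)) failures.push({ path, ...v });
  }
  return { ok: failures.length === 0, failures };
}

module.exports = { STRICT_CSP, findCspViolations, checkPages };
```

Wiring this into a build is a one-liner: load every rendered HTML file into the map, call `checkPages`, and `process.exit(1)` when `ok` is false.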

4. Audit log + GDPR ledger

Every mutation (code create/patch/delete, team invite, key issue, plan change, webhook edit) writes an append-only row to audit_log with actor, scope, and timestamp — retained 180 days and sweeper-pruned. The GDPR request ledger (gdpr_requests) tracks every export / delete / restore; rows survive account deletion (FK ON DELETE SET NULL, email preserved) so we can prove, years after the account is gone, that every statutory request was honored on time.

5. Authentication protections

Auth is delegated to the shared abundera.ai identity layer (EdDSA JWT via JWKS). Available to Pro customers:

  • 2FA (TOTP) — RFC 6238 time-based one-time passwords, any standard authenticator app, backup codes issued at enrollment.
  • SAML 2.0 SSO — Okta, Entra ID, JumpCloud, Google Workspace, custom IdPs. Available on Team+ (bundled on Agency/Enterprise).
  • SCIM 2.0 provisioning — RFC 7643/7644 user + group lifecycle, rate-limited per token, audit-logged. Off by default; enabled per customer.
  • API keys — Business+, stored as sha256(raw); raw abnd_qrpro_... value is only returned at creation and never again.

6. Sub-processors

The short list: Cloudflare (hosting, D1, KV, R2, API Shield), Stripe (payments), Zoho / ZeptoMail (transactional email), Twilio (phone verification + SMS). See /trust/subprocessors/ for the canonical list with regions, data categories, and our 30-day change-notification commitment.

7. Data Processing Agreement

Our GDPR-aligned DPA (EU SCCs, UK addendum, Swiss FADP addendum) is downloadable at abundera.ai/legal/dpa/. It applies to all paying tiers automatically — no separate countersignature required unless your procurement process needs one (we'll sign on request at legal@abundera.ai).

8. SOC 2

SOC 2 Type II — in progress, target Q3 2026. We are in scoping / observation-window planning with a Big-4-adjacent audit firm. Until the report is issued we will not display a SOC 2 badge. If SOC 2 completion is a hard procurement requirement for you today, email enterprise@abundera.ai — we can share current control evidence, our draft system description, and the projected attest date on NDA.

9. No third-party pixels, ever

This is a load-bearing promise and a product boundary, not a default we could quietly change. We do not inject Google Analytics, Google Tag Manager, Meta Pixel, TikTok Pixel, LinkedIn Insight, Hotjar, FullStory, or any other third-party tracker — not into our redirect responses, not into our hosted landing pages, not into dashboard surfaces your scanners see. Your scanners are never re-targeted. If you need pixel-based attribution on your own destination, append your own UTM (or pixel) parameters to the destination URL; we stay out of the loop. The redirect itself is a 302 from our worker to your URL — nothing else runs.
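The ingest rules from section 1 and the bare 302 from this section fit in one handler, shown here as an added example rather than the project's Worker: only CF-IPCountry and a device class are read, the raw User-Agent is dropped, city data is a rollup from `request.cf.city`, countries under 5 scans fold into "Other" at report time, and the response is a Location header and nothing else. The in-memory sink (standing in for D1), the simplified device regex, and the explicit `cf` parameter (so the code also runs under Node, where `request.cf` does not exist) are assumptions.

```javascript
// Added example, not the project's Worker code. Assumptions: `sink` is an
// in-memory stand-in for D1, the device regex is a simplified one, and the
// Cloudflare `cf` object is passed in explicitly.

// Simplified device-class regex: the only thing retained from the User-Agent.
const DEVICE_CLASS = [
  ['tablet', /(iPad|Tablet|Silk|Kindle)/i],
  ['mobile', /(Mobi|Android|iPhone|IEMobile)/i],
  ['desktop', /(Windows NT|Macintosh|X11|CrOS)/],
];

function classifyDevice(ua) {
  if (!ua) return 'unknown';
  for (const [cls, re] of DEVICE_CLASS) if (re.test(ua)) return cls;
  return 'unknown';
}

function bump(table, key) {
  table[key] = (table[key] ?? 0) + 1;
}

// Records one scan as a rollup increment. No per-scan row, no IP, no raw UA:
// there is nothing here that joins back to a person.
function ingest(request, cf, sink, now = new Date()) {
  const day = now.toISOString().slice(0, 10);
  const country = request.headers.get('cf-ipcountry') ?? 'XX';   // set by Cloudflare
  const deviceClass = classifyDevice(request.headers.get('user-agent'));
  bump(sink.country, `${day}|${country}|${deviceClass}`);
  if (cf.city) bump(sink.city, `${day}|${country}|${cf.city}`);
  // The raw User-Agent string is not referenced past this point and is never stored.
  return { country, deviceClass };
}

// Reporting side: any country with fewer than MIN_BUCKET scans folds into "Other".
const MIN_BUCKET = 5;
function countryReport(sink) {
  const totals = {};
  for (const [key, n] of Object.entries(sink.country)) {
    const country = key.split('|')[1];
    totals[country] = (totals[country] ?? 0) + n;
  }
  const report = {};
  for (const [country, n] of Object.entries(totals)) {
    const bucket = n < MIN_BUCKET ? 'Other' : country;
    report[bucket] = (report[bucket] ?? 0) + n;
  }
  return report;
}

// The hot path: the Location header is the entire response. No HTML body,
// no script, no pixel; any UTM parameters live in the destination URL itself.
function handleRedirect(request, destination, sink, cf = request.cf ?? {}) {
  ingest(request, cf, sink);
  return new Response(null, { status: 302, headers: { Location: destination } });
}

module.exports = { classifyDevice, ingest, countryReport, handleRedirect, MIN_BUCKET };
```

A useful check on any implementation of this shape is to serialise the sink after a few scans and confirm that no User-Agent fragment and no IP appears in it; the test for this example does exactly that.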

10. Responsible disclosure

Found something? Start at /.well-known/security.txt for the current contact, PGP key, and scope. Email security@abundera.ai — we acknowledge within 24h (business days), triage within 72h, and coordinate fix + disclosure with you. Researchers who report in good faith get public credit at abundera.ai/security/thanks/ once a fix ships.

11. Status + uptime

Live status, component health, and incident history are at /status/. The redirect hot path is monitored every 5 minutes by an external Worker; degraded or down components are reflected on the status page within one polling cycle.