Trust & Security

Trust Center

Security, compliance, and transparency — how we protect your data

Security Architecture

How we engineer security into every layer of the platform.

  • Encryption everywhere

    Data encrypted at rest (AES-256-GCM) and in transit (TLS 1.3).

  • Hardened infrastructure

    Infrastructure hosted on isolated, hardened servers with minimal attack surface.

  • Access control

    Role-based access control with multi-factor authentication (MFA) support.

  • Continuous vulnerability scanning

    Automated vulnerability scanning of our own infrastructure on a recurring schedule.

  • Third-party penetration testing

    Regular third-party penetration testing to validate our security controls.

  • 24/7 monitoring

    Around-the-clock infrastructure monitoring, logging, and alerting.

Compliance Frameworks

Frameworks and standards our scanning methodology maps to.

OWASP Top 10

Methodology alignment

PTES

Penetration Testing Execution Standard

NIST CSF

Cybersecurity Framework readiness scanning

CIS Controls

Gap assessment mapping

PCI DSS

Readiness assessment scanning

HIPAA

Technical safeguard scanning

SOC 2

Trust criteria readiness scanning

ISO 27001

Annex A control readiness scanning

GDPR

Data protection compliance support

MITRE ATT&CK

Threat-informed defense mapping

Disclaimer: FindTheBreach scans map findings to listed compliance frameworks for gap assessment purposes. Displaying these frameworks indicates our scanning coverage, not that FindTheBreach holds these certifications. Formal compliance certification requires independent audit.

Certification Roadmap

Our path to formal security certifications — transparently shared.

Q3 2026 — SOC 2 Type I Readiness

Gap assessment complete. Implementing the remaining controls for the Trust Services Criteria in scope (Security, Availability, Confidentiality). Auditor selection in progress.

Q4 2026 — SOC 2 Type I Audit

Target: SOC 2 Type I report covering the Security and Availability Trust Services Criteria, issued by an independent licensed CPA firm under AICPA attestation standards.

Q2 2027 — SOC 2 Type II + ISO 27001

SOC 2 Type II observation period (6+ months). Begin ISO 27001 ISMS implementation and certification preparation. PCI ASV qualification exploration for payment-processing clients.

Note: Dates are targets subject to change. We will update this roadmap transparently as milestones are reached. Contact compliance@findthebreach.com for questions.

Data Handling

Your data, your rules. Here is how we handle it.

  • Customer data ownership

    You retain full ownership of all scan data, reports, and findings generated through the platform.

  • Data retention

    Scan data is retained for the duration of your active subscription plus 30 days after cancellation.

  • Data deletion on request

    Request deletion of your data at any time. We will process deletion requests within 30 days.

  • No selling or sharing

    We never sell, share, or disclose customer data to third parties for marketing or commercial purposes.

  • Anonymized analytics only

    We use only anonymized and aggregated data for platform improvement analytics. No individual customer data is used.

Incident Response

Our commitment to rapid detection, response, and transparency.

24-Hour Response

Initial response (triage, containment, and customer communication where applicable) begins within 24 hours of an incident being identified.

72-Hour Notification

Personal data breaches are notified within 72 hours of our becoming aware of them, consistent with the GDPR Article 33 timeline.

Dedicated Security Team

A dedicated internal security team manages all incident detection, triage, and coordination.

Post-Incident Review

Every incident concludes with a thorough review, root-cause analysis, and remediation plan.


Data Residency

Primary Infrastructure

FindTheBreach's primary infrastructure is hosted on dedicated servers in the United States with strict physical and logical access controls.

Data Processing Locations

All scan processing, vulnerability analysis, and data storage occurs within our primary infrastructure unless otherwise specified in your Enterprise agreement.

CDN & Edge

Static assets and the public website may be served via Cloudflare's global CDN. No customer scan data, vulnerability findings, or credentials traverse CDN infrastructure.

Enterprise Data Residency

Enterprise customers may request dedicated data residency in specific regions (EU, US, APAC). Contact sales@findthebreach.com for regional deployment options.

For detailed information about international data transfers, see our GDPR Compliance page including our EU-US Data Privacy Framework (DPF) participation and Standard Contractual Clauses.

Questions About Our Security Practices?

Our security team is available to answer questions, provide additional documentation, or discuss our security posture in detail.

security@findthebreach.com