Security & Trust

We ask you to trust us with your security. Here's how we earn that trust.

🔒

Your Data Stays Yours

We never sell, share, or use your data for anything except delivering your results.

🛡️

Encrypted Everything

TLS 1.3 in transit, AES-256 at rest. Your findings are protected end-to-end.

🗑️

Auto-Delete

Results are automatically purged after 90 days. You control your data lifecycle.

How We Handle Your Data

What We Collect

  • Account info: Email, hashed password, billing details (stored by Stripe)
  • Scan targets: URLs, IPs, or domains you ask us to test
  • Scan results: Vulnerabilities, findings, and AI-generated reports
  • Scope queries: Locations, names, or companies you research

What We Don't Do

  • Sell or share your data with third parties
  • Use your scan results to train AI models
  • Report your vulnerabilities to anyone (we're not a bug bounty platform)
  • Retain data longer than necessary
  • Access your results without your explicit permission

Data Retention

  • Scan results: 90 days, then auto-deleted
  • Account data: Until you delete your account
  • Payment records: As required by law (typically 7 years)
  • Subscription users: Extended retention while subscription is active

🛸What the Pentest Agent Does (and Doesn't Do)

When you run a penetration test, here's exactly what happens:

What It Does

  • Port scanning and service enumeration
  • Vulnerability detection using known CVE databases
  • Web application testing (OWASP Top 10)
  • SSL/TLS configuration analysis
  • Safe exploitation attempts (proof-of-concept only)
  • Directory and file enumeration
  • Authentication testing

What It Won't Do

  • Denial of Service (DoS) attacks
  • Destructive exploits that damage systems
  • Data exfiltration or theft
  • Attacking systems beyond your specified scope
  • Social engineering or phishing
  • Physical security testing
  • Persistent backdoors or malware installation

Isolated Execution: Each scan runs in an ephemeral Kali Linux container that's destroyed after completion. No data persists in the scanning environment. Tools run in isolated networks with no access to other customer scans.

Infrastructure Security

Encryption

  • TLS 1.3 for all data in transit
  • AES-256 encryption for data at rest
  • Passwords hashed with bcrypt (cost factor 12)
  • API keys and secrets stored in secure vaults

Access Control

  • Role-based access control (RBAC)
  • Multi-factor authentication available
  • Session timeout and secure cookies
  • Audit logging for sensitive operations

Network Security

  • WAF protection against common attacks
  • DDoS mitigation
  • Network segmentation between components
  • Regular penetration testing (yes, we test ourselves)

Operational Security

  • Principle of least privilege for all staff
  • Background checks for employees
  • Incident response procedures
  • Regular security training

Compliance & Certifications

SOC 2 Type II

In progress. Expected completion Q2 2025.

GDPR Compliant

We respect data subject rights and process data lawfully.

CCPA Compliant

California residents have full data access and deletion rights.

PCI DSS

Payment processing handled by Stripe (PCI Level 1 certified).

Need compliance documentation for your procurement process?Contact us and we'll provide what you need.

For Enterprise Customers

We understand that letting a third party scan your systems is a big decision. Here's what enterprise customers typically want to know:

Can I get a security assessment of Prober itself?

Yes. We can provide our latest penetration test results and security questionnaire responses. Contact us for access.

Do you have cyber insurance?

Yes. We maintain errors & omissions and cyber liability insurance. Certificate of insurance available upon request.

Can we sign a custom agreement?

Yes. We can accommodate custom MSAs, DPAs, and BAAs for enterprise customers. Contact us to discuss your requirements.

What happens if there's a breach?

We have a documented incident response plan. In the unlikely event of a breach affecting your data, we commit to notifying you within 72 hours with full details of what was affected and our remediation steps.

Responsible Disclosure

Found a security vulnerability in Prober? We'd love to hear from you.

  • Email security issues to: security@prober.app
  • We respond to all reports within 48 hours
  • We won't take legal action against good-faith security researchers
  • We'll credit you in our security acknowledgments (if you want)

Please give us reasonable time to address issues before public disclosure.

Questions About Security?

We're happy to discuss our security practices in more detail. Reach out and we'll set up a call with our security team.

View FAQContact Us
Prober Security Suite - AI-Powered Security Intelligence | Prober