Security
Last updated: April 6, 2026
As a platform that analyzes code for security compliance, we hold ourselves to the same standards we help you achieve. Here's how we protect your data and code.
Infrastructure
- Encryption in transit: All connections use TLS 1.2+ with modern cipher suites. HSTS is enforced on all domains.
- Encryption at rest: Uploaded files and analysis data are stored on encrypted volumes.
- Network security: Application servers are behind Cloudflare with WAF rules. Internal services are not exposed to the public internet.
- Server hardening: Debian-based servers with automated security updates, fail2ban, and restricted SSH access.
Code Handling
- Isolation: Uploaded plugins are analyzed in isolated environments. Analysis processes cannot access other users' data.
- Virus scanning: All uploaded files are scanned for malware before analysis.
- No code sharing: Your uploaded code is never shared with third parties, used for training, or accessed by other users.
- Retention limits: Files are automatically purged according to your plan's retention policy. Deleted data is not recoverable.
Authentication
- Password security: Passwords are hashed with bcrypt. We enforce minimum complexity requirements (8+ characters, mixed case, numbers, special characters).
- Two-factor authentication: TOTP-based 2FA is available for all accounts. We recommend enabling it.
- Session management: Sessions use JWTs (access tokens) with a 7-day expiration and refresh tokens with a 30-day expiration. Tokens are blacklisted on logout so they cannot be reused before they expire.
- Brute-force protection: Accounts are temporarily locked after repeated failed login attempts.
Payment Security
Payment processing is handled entirely by Square, a PCI-DSS Level 1 certified payment processor. We never see, store, or have access to your full credit card number. All payment data is handled directly between your browser and Square's servers.
API Security
- Rate limiting: All API endpoints are rate-limited to prevent abuse.
- CORS: Cross-origin browser requests are accepted only from an allowlist of our own domains; other origins receive no CORS headers and are blocked by the browser.
- Input validation: All user input is validated and sanitized. Parameterized queries are used for all database operations.
- Security headers: Helmet.js sets Content-Security-Policy, X-Frame-Options, and other protective headers on every response.
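The first three controls above compose into a single request pipeline: rate-limit by client, then decide whether to attach CORS headers for the request's Origin, then add the baseline security headers. The block below is an added example of that pipeline, not the platform's code, and it uses only built-in Node.js facilities rather than Express or Helmet. The allowlisted origin, the limit of 3 requests per second, the CSP string, and the function names are assumptions made for illustration. It also makes explicit a point the list leaves implicit: CORS only governs what a browser may read, so a non-browser client sending no Origin header is still served and must be controlled by authentication and rate limiting.

```javascript
// Added example, not the platform's code. Sliding-window rate limiting plus
// an Origin allowlist and Helmet-style baseline headers, in plain Node.js.

const ALLOWED_ORIGINS = new Set(['https://cra-compliance.store']); // assumption
const RATE_LIMIT = { limit: 3, windowMs: 1000 };                   // assumption

// Per-key sliding-window log: allow at most `limit` requests in any `windowMs`.
function createRateLimiter({ limit, windowMs }) {
  const hits = new Map(); // key -> ascending timestamps (ms) inside the window
  return function check(key, nowMs) {
    const ts = (hits.get(key) || []).filter((t) => t > nowMs - windowMs);
    if (ts.length >= limit) {
      hits.set(key, ts);
      return { allowed: false, remaining: 0, retryAfterMs: ts[0] + windowMs - nowMs };
    }
    ts.push(nowMs);
    hits.set(key, ts);
    return { allowed: true, remaining: limit - ts.length, retryAfterMs: 0 };
  };
}

// Return CORS headers only for an exact allowlisted origin. Echo that origin,
// never "*": a wildcard is incompatible with credentialed requests.
function corsHeaders(origin, allowlist) {
  if (!origin || !allowlist.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin', // caches must not serve one origin's response to another
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, DELETE',
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
  };
}

// Baseline headers of the kind Helmet sets; values are assumptions.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'Referrer-Policy': 'no-referrer',
  };
}

const limiter = createRateLimiter(RATE_LIMIT);

// req is a constructed stand-in for an HTTP request: { ip, origin }.
// Returns the status and headers the real handler would send.
function handleRequest(req, nowMs) {
  const headers = securityHeaders();
  const rl = limiter(req.ip, nowMs);
  if (!rl.allowed) {
    headers['Retry-After'] = String(Math.ceil(rl.retryAfterMs / 1000));
    return { status: 429, headers };
  }
  headers['X-RateLimit-Remaining'] = String(rl.remaining);
  // No Origin (curl, server-to-server) means no CORS decision: the request is
  // served, and authentication plus the rate limit above are what protect it.
  const cors = corsHeaders(req.origin, ALLOWED_ORIGINS);
  if (cors) Object.assign(headers, cors);
  return { status: 200, headers };
}

module.exports = { createRateLimiter, corsHeaders, securityHeaders, handleRequest, ALLOWED_ORIGINS };
```

In production the hit log lives in a shared store so all application servers enforce the same limit, and the limiter key is the authenticated account where one exists rather than the client IP alone, since many users can sit behind one address.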
Vulnerability Disclosure
If you discover a security vulnerability in our platform, we want to hear about it. Please report it responsibly:
- Email support@cra-compliance.store with "Security" in the subject line
- Include a description of the vulnerability and steps to reproduce
- Allow us reasonable time to investigate and fix the issue before public disclosure
We will acknowledge receipt within 48 hours and keep you informed of our progress. We do not pursue legal action against researchers who report vulnerabilities in good faith.
Compliance
- GDPR-aware: We respect EU data protection rights including data access, portability, and deletion. See our Privacy Policy for details.
- Data residency: All data is stored on servers in the United States.
- Audit logging: Administrative actions are logged for accountability and incident investigation.
Questions?
For security-related inquiries, contact support@cra-compliance.store.
Security Is Our Foundation
We're building a platform you can trust with your code. If you have questions about our security practices, we're happy to discuss them.