1. Our Commitment to Security
At our core, we recognize that security is paramount when handling user data and providing web scraping services. We implement comprehensive security measures across all layers of our infrastructure to protect your information and ensure the integrity of our platform. This page outlines our security practices, policies, and your role in maintaining a secure environment.
2. Data Encryption
2.1 Encryption in Transit
All data transmitted between your device and our servers is protected using:
- TLS 1.3: Latest industry-standard encryption protocol for all web traffic
- HTTPS Everywhere: Mandatory secure connections; HTTP requests are automatically redirected to HTTPS
- Certificate Pinning: Connections from our own clients accept only the expected server certificate or public key, so a certificate mis-issued by another CA cannot be used for a man-in-the-middle attack
- Perfect Forward Secrecy: Each session uses ephemeral keys, so recorded traffic cannot be decrypted later even if the server's long-term private key is exposed
2.2 Encryption at Rest
Data stored on our servers is encrypted using:
- AES-256: All stored user data is encrypted with AES-256
- Database Encryption: Full database encryption with rotating encryption keys
- Secure Key Management: Encryption keys stored in hardware security modules (HSMs) separate from encrypted data
3. Authentication and Access Control
3.1 User Authentication
We use industry-leading authentication practices:
- Clerk Authentication: Enterprise-grade identity management with built-in security features
- Multi-Factor Authentication (MFA): Optional MFA support for enhanced account security
- Password Requirements: Minimum 8 characters with complexity requirements (uppercase, lowercase, numbers, special characters)
- Password Hashing: Passwords are stored only as bcrypt hashes (bcrypt includes a per-password salt); plaintext passwords are never stored
- Session Management: Secure session tokens with automatic expiration and rotation
- Account Lockout: Temporary lockout after multiple failed login attempts to prevent brute force attacks
3.2 Access Control
We enforce strict access controls:
- Principle of Least Privilege: Users and systems have only the minimum access necessary
- Role-Based Access Control (RBAC): Permissions assigned based on user roles (Free, Premium, Admin)
- API Authentication: Bearer token authentication for API access with rate limiting
- Zero Trust Architecture: Continuous verification; no implicit trust based on network location
4. Infrastructure Security
4.1 Network Security
- Firewalls: Advanced firewall rules restricting unauthorized network access
- DDoS Protection: Distributed denial-of-service mitigation at the network edge
- Intrusion Detection: Real-time monitoring for suspicious network activity
- Network Segmentation: Isolated network zones separating public-facing services from backend systems
4.2 Server Security
- Regular Patching: Automated security updates for operating systems and software
- Hardened Servers: Minimal attack surface with unnecessary services disabled
- Container Security: Isolated application containers with security scanning
- Backup Systems: Encrypted daily backups stored in geographically distributed locations
4.3 Cloud Security
Our infrastructure is hosted on secure, enterprise-grade cloud platforms:
- SOC 2 Type II certified hosting providers
- ISO 27001 compliant data centers
- Physical security controls (biometric access, surveillance, 24/7 monitoring)
- Redundant power and network connectivity for high availability
5. Application Security
5.1 Secure Development Practices
- Code Reviews: Peer review of all code changes for security vulnerabilities
- Static Analysis: Automated scanning for common vulnerabilities (SQL injection, XSS, CSRF)
- Dependency Scanning: Regular audits of third-party libraries for known vulnerabilities
- Security Testing: Penetration testing and vulnerability assessments conducted annually
5.2 Common Vulnerability Protections
SQL Injection
Protection: Parameterized queries, ORM usage, input validation
Cross-Site Scripting (XSS)
Protection: Content Security Policy (CSP), output encoding, sanitization
Cross-Site Request Forgery (CSRF)
Protection: Anti-CSRF tokens, SameSite cookies, origin validation
Clickjacking
Protection: frame-ancestors CSP directive, with the X-Frame-Options header for older browsers that do not support it
Server-Side Request Forgery (SSRF)
Protection: URL validation, allowlist restrictions, network isolation
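Of the protections listed above, the SSRF guard is the one a scraping service depends on most, because fetching user-supplied URLs is the product. The following is an added example (not the platform's own code) of a guard that applies those three controls before any request is made: scheme and port restrictions, an optional host allowlist, rejection of embedded credentials, and a check that neither a literal IP in the URL nor any address the host resolves to lies in an internal range. The allowlist, the DNS table and the resolver are constructed stand-ins so that it runs offline.

```python
"""SSRF guard for a scraper that fetches user-supplied URLs (added example)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Ranges a scraper must never reach: "this" network, RFC 1918, CGNAT,
# loopback, link-local (cloud metadata lives at 169.254.169.254), the
# reserved 240/4 block, and the IPv6 loopback, unique-local and link-local
# equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS table so the example runs offline; a real deployment
# would call socket.getaddrinfo() here and pin the result when connecting.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "www.example.com": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
    # A public name that also returns an internal address: a rebinding attempt.
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host):
    """Stand-in resolver (hypothetical); returns [] for unknown names."""
    return FAKE_DNS.get(host, [])


def is_blocked_address(address):
    """True if a literal or resolved IP points at something internal."""
    ip = ipaddress.ip_address(address)
    # ::ffff:127.0.0.1 is loopback in disguise; judge it as its IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_unspecified or ip.is_multicast:
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_scrape_target(url, allowed_hosts=None, resolver=fake_resolver):
    """Return (ok, reason). Fails closed: anything doubtful is rejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    host = host.lower().rstrip(".")
    try:
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False, "malformed port"
    if port is not None and port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not on allowlist: %s" % host

    # Literal IP in the URL: judge it directly, no DNS involved.
    try:
        if is_blocked_address(host):
            return False, "literal address is internal: %s" % host
        return True, "ok"
    except ValueError:
        pass  # not an IP literal; fall through to name resolution

    addresses = resolver(host)
    if not addresses:
        return False, "host did not resolve: %s" % host
    for addr in addresses:
        if is_blocked_address(addr):
            return False, "%s resolves to internal address %s" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    for target in ("https://www.example.com/page",
                   "http://169.254.169.254/latest/meta-data/",
                   "http://[::ffff:127.0.0.1]/",
                   "https://rebind.example.com/"):
        print(target, validate_scrape_target(target))
```

Two things a deployment needs that the check alone does not give: connect to the address that was validated rather than resolving the name again (otherwise a DNS rebinding attack can swap in an internal address between check and fetch), and re-run the check on every redirect target, since a public page can 302 to the metadata endpoint.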
6. Data Protection and Privacy
Our security measures support our privacy commitments:
- Data Minimization: We collect only the data necessary to provide our services
- Data Anonymization: Personal identifiers removed from analytics and logs where possible
- Secure Deletion: Data securely wiped (not just marked as deleted) upon account deletion
- GDPR & CCPA Compliance: Technical controls supporting user privacy rights (access, deletion, portability)
- No Payment Data Storage: Cryptocurrency payments verified on-chain; no credit card or sensitive financial data stored
7. Monitoring and Incident Response
7.1 Security Monitoring
- 24/7 Monitoring: Automated systems continuously monitor for security threats
- Log Management: Centralized logging with tamper-evident audit trails
- Anomaly Detection: Machine learning models identify unusual patterns indicating potential breaches
- Security Alerts: Immediate notification of critical security events
7.2 Incident Response Plan
In the event of a security incident, we follow a structured response process:
- Detection: Incident identified through monitoring or reporting
- Containment: Immediate action to prevent further damage
- Investigation: Determine scope, cause, and affected systems/data
- Remediation: Fix vulnerabilities and restore normal operations
- Notification: Inform affected users and the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR requires notifying the supervisory authority within 72 hours)
- Post-Incident Review: Analyze incident and improve security measures
7.3 Breach Notification
If a data breach affects your personal information, we will notify you via email within 72 hours of discovery, detailing:
- Nature of the breach
- Types of data potentially compromised
- Actions we have taken
- Steps you should take to protect yourself
8. Third-Party Security
We carefully vet all third-party services that access user data:
- Vendor Assessment: Security audits before integration
- Data Processing Agreements: Contractual obligations for GDPR compliance
- Minimal Access: Third parties receive only the data necessary for their specific function
- Regular Reviews: Ongoing monitoring of third-party security practices
Current Third-Party Services
9. User Security Best Practices
While we implement robust security measures, your cooperation is essential. Please follow these best practices:
🔐 Strong Passwords
- Use unique passwords for each service
- Minimum 12+ characters with mixed case, numbers, symbols
- Consider using a password manager
- Never share your password with anyone
🛡️ Enable Multi-Factor Authentication
Add an extra layer of security by enabling MFA in your account settings. Even if your password is compromised, MFA prevents unauthorized access.
🚨 Recognize Phishing Attempts
- We will NEVER ask for your password via email
- Verify sender email addresses carefully
- Hover over links to check URLs before clicking
- Report suspicious emails to security@yourcompany.com
💻 Secure Your Devices
- Keep operating systems and browsers updated
- Use reputable antivirus software
- Avoid public Wi-Fi when accessing sensitive accounts
- Log out after each session on shared devices
👀 Monitor Account Activity
- Review your account activity regularly
- Report any unauthorized access immediately
- Check for unexpected password reset emails
10. Compliance and Certifications
We comply with industry standards and regulations:
- GDPR: Full compliance with EU data protection regulations
- CCPA/CPRA: Compliance with California privacy laws
- OWASP Top 10: Protection against most critical web application security risks
- PCI DSS: Out of scope for our platform, since payments are made in cryptocurrency and verified on-chain and we store no card data; payment handling still follows security best practices
11. Security Updates and Transparency
We are committed to transparency about our security practices:
- Regular Updates: This page is reviewed and updated at least annually
- Security Advisories: Major security updates communicated via email to affected users
- Public Disclosure: After remediation, we may publish details of significant vulnerabilities to help the broader community
12. Reporting Security Vulnerabilities
We encourage responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it to us immediately.
🔒 Responsible Disclosure Process
- Email detailed information to: security@yourcompany.com
- Include steps to reproduce the vulnerability
- Allow us reasonable time to investigate and remediate (typically 90 days)
- Do not publicly disclose the vulnerability until we confirm it is resolved
- We will acknowledge receipt within 48 hours and provide status updates
Scope: Our bug bounty program covers vulnerabilities in our production systems. Out of scope: social engineering, physical attacks, third-party services.
Recognition: We appreciate security researchers and, with your permission, will acknowledge your contribution on our security hall of fame.
13. Contact Information
For security-related inquiries or to report incidents:
Security Team: security@yourcompany.com
Vulnerability Reports: security@yourcompany.com (PGP key available on request)
General Privacy: privacy@yourcompany.com
Emergency Contact: Available 24/7 for critical security incidents
✓ Security Commitment Summary
- ✓ TLS 1.3 encryption for all data in transit
- ✓ AES-256 encryption for data at rest
- ✓ Multi-factor authentication available
- ✓ Regular security audits and penetration testing
- ✓ 24/7 security monitoring and incident response
- ✓ GDPR and CCPA compliant data protection
- ✓ Transparent breach notification within 72 hours
- ✓ Responsible vulnerability disclosure program