Our Security

We scan other people's security. So ours has to be right. Here's what we run, how we protect your data, and what our own scan looks like.

secureless.ai security grade

A

Scanned with our own tool. Updated monthly.

Security controls in place

  • HSTS with preload and includeSubDomains
  • Content Security Policy (CSP)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy restricting camera, microphone, geolocation
  • DMARC policy at reject
  • SPF with hard fail
  • DKIM signing enabled
  • CAA records restricting certificate issuance
  • Rate limiting on all API endpoints
  • security.txt with contact and disclosure policy
  • No source maps in production
  • UUIDs for all identifiers (no sequential IDs)
  • All secrets in environment variables, never in code
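The header and DNS controls above are the kind a site owner can verify from the outside. The following is an added example, not secureless.ai's scanner or any code from this page: it takes a captured set of HTTP response headers plus the domain's DMARC, SPF and CAA records and reports which of the listed controls are actually in effect. The sample headers and records are constructed for illustration; the one-year minimum max-age for HSTS preload is the public preload-list requirement.

```python
# Added example (not secureless.ai's own scanner): audit captured HTTP
# response headers and DNS records against the controls listed above.
import re

# Constructed sample input modelled on the controls above (not a real capture).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SAMPLE_SPF = "v=spf1 include:_spf.example.com -all"
SAMPLE_CAA = ['0 issue "letsencrypt.org"', '0 issuewild ";"']

HSTS_PRELOAD_MIN_AGE = 31536000  # one year: the minimum for the HSTS preload list


def check_headers(headers):
    """Return {control_name: bool} for the header-based controls above."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    # Permissions-Policy is a comma-separated list; "feature=()" denies it everywhere.
    pp = [d.strip() for d in h.get("permissions-policy", "").split(",")]
    return {
        "hsts_preload": bool(age)
        and int(age.group(1)) >= HSTS_PRELOAD_MIN_AGE
        and "includesubdomains" in hsts
        and "preload" in hsts,
        "csp_present": "content-security-policy" in h,
        "x_frame_options_deny": h.get("x-frame-options", "").upper() == "DENY",
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        "referrer_policy": h.get("referrer-policy", "").lower()
        == "strict-origin-when-cross-origin",
        "permissions_policy": all(
            f"{f}=()" in pp for f in ("camera", "microphone", "geolocation")
        ),
    }


def check_dmarc(txt):
    """True only for a DMARC1 record whose policy is p=reject."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return tags.get("v") == "DMARC1" and tags.get("p") == "reject"


def check_spf(txt):
    """True only for an SPF record ending in the hard-fail qualifier -all."""
    tokens = txt.split()
    return bool(tokens) and tokens[0] == "v=spf1" and tokens[-1] == "-all"


def check_caa(records):
    """True if at least one CAA record carries an 'issue' tag (issuance is restricted)."""
    parsed = [r.split() for r in records]
    return any(len(p) >= 3 and p[1] == "issue" for p in parsed)


def audit(headers, dmarc, spf, caa):
    """Combine all checks into one {control_name: bool} result."""
    results = check_headers(headers)
    results["dmarc_reject"] = check_dmarc(dmarc)
    results["spf_hard_fail"] = check_spf(spf)
    results["caa_present"] = check_caa(caa)
    return results


def missing(results):
    """Sorted names of the controls that did not pass."""
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_HEADERS, SAMPLE_DMARC, SAMPLE_SPF, SAMPLE_CAA).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run against real input by feeding it the headers of an HTTPS response and the TXT records at the apex and `_dmarc.` subdomain plus the apex CAA records; the checks are deliberately strict (exact `DENY`, exact `-all`, `p=reject`), so a `FAIL` means the control is absent or weaker than the list above claims, not merely spelled differently.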

Where your data is processed

  • Application hosting: Railway (EU)
  • Database: PostgreSQL on Railway (EU)
  • Scan processing: Hetzner Cloud (Frankfurt, Germany)
  • Email: Resend (EU, Ireland)
  • Authentication: Clerk
  • Payments: Stripe

Data retention

Scan results are retained for 13 months to support trend analysis. After 13 months, raw scan data is deleted and only aggregate scores and finding counts are kept. You can request deletion of your data at any time.

Responsible disclosure

Found a security issue in secureless.ai? Please report it to security@secureless.ai. Our security.txt is at /.well-known/security.txt.