Security
How we protect your data and secure our platform
As a security testing platform, we hold ourselves to the same standard we apply to our customers' systems. Protecting your data isn't just a feature — it's foundational to how we build and operate sniffed.
This page outlines the key technical and organisational measures we have in place. For the full legal framework, refer to our Privacy Policy and Data Processing Agreement.
Encryption
All data in transit is encrypted via TLS. Credentials you provide for authenticated testing are encrypted at rest using AES-256-GCM and are never displayed back in the UI after storage. Passwords are salted and hashed — we never store them in plain text.
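As an added illustration of the AES-256-GCM credential storage described above (example code written for this page, not sniffed's own implementation), the following Go program seals a credential under a 32-byte key with a fresh random nonce and binds the ciphertext to a record identifier via GCM's additional authenticated data, so a blob copied from one record to another, or modified in storage, fails the tag check on decryption. The `cred:42` record id and the key handling are assumptions for the example; the page does not describe how keys are managed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sealCredential encrypts plaintext with AES-256-GCM (hypothetical helper, not
// sniffed's code). Output layout: 12-byte nonce || ciphertext || 16-byte tag.
// aad is authenticated but not encrypted; binding it to the owning record id
// means a blob cannot be silently re-attached to a different record.
func sealCredential(key []byte, aad string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; a random 96-bit nonce is
	// the standard choice for GCM when keys are not rotated per message.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to its dst argument, so the nonce is prepended.
	return gcm.Seal(nonce, nonce, plaintext, []byte(aad)), nil
}

// openCredential reverses sealCredential. Any change to the nonce, ciphertext,
// tag or aad makes gcm.Open return an error rather than garbled plaintext.
func openCredential(key []byte, aad string, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(aad))
}

func main() {
	// Constructed key for the demo; a real deployment would load it from a KMS or secret store.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	blob, err := sealCredential(key, "cred:42", []byte("scanner-password"))
	if err != nil {
		panic(err)
	}
	pt, err := openCredential(key, "cred:42", blob)
	fmt.Printf("same record: %q err=%v\n", pt, err)

	_, err = openCredential(key, "cred:43", blob)
	fmt.Println("blob moved to another record:", err)

	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = openCredential(key, "cred:42", blob)
	fmt.Println("tampered blob:", err)
}
```

The plaintext is only ever returned to the caller that holds the key, which matches the page's statement that credentials are decrypted inside the scan environment rather than echoed back to the UI.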
Isolated Execution
Every security scan runs inside an isolated, ephemeral Docker sandbox container. These containers are created on demand, have no access to other customers' data, and are destroyed immediately after the scan completes. No scan artifacts persist outside of the structured results we store for you.
Domain Verification
Before any scanning can begin, you must verify ownership of each target domain through a DNS TXT record. This prevents unauthorised scanning and ensures the Service is only used against systems you own or have explicit permission to test.
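The DNS TXT ownership check described above, as an added example in Go that is not sniffed's own code: the service issues a random token, the user publishes it in a TXT record, and the verifier resolves that record and compares it to the stored token in constant time. The record name `_sniffed.<domain>` and the `sniffed-verification=` prefix are assumptions for this example; the page does not document the actual record format. The resolver is passed in as a function so the logic runs offline here, with `net.LookupTXT` as the production drop-in.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"strings"
)

// txtLookup abstracts the resolver; net.LookupTXT satisfies this signature.
type txtLookup func(name string) ([]string, error)

// recordPrefix is an assumed label, not a documented sniffed record format.
const recordPrefix = "sniffed-verification="

// issueToken returns a 128-bit random challenge, hex encoded, that the
// domain owner must publish. It is stored server-side against the domain.
func issueToken() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// verifyDomain returns true only if a TXT record at _sniffed.<domain> carries
// exactly the issued token. A missing record is "not verified", not an error,
// so callers can distinguish "try again later" from resolver failures.
func verifyDomain(lookup txtLookup, domain, token string) (bool, error) {
	name := "_sniffed." + strings.TrimSuffix(strings.ToLower(domain), ".")
	records, err := lookup(name)
	if err != nil {
		var dnsErr *net.DNSError
		if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
			return false, nil
		}
		return false, err
	}
	for _, r := range records {
		if !strings.HasPrefix(r, recordPrefix) {
			continue // other TXT records (SPF etc.) may share the name
		}
		got := strings.TrimPrefix(r, recordPrefix)
		// Constant-time comparison avoids leaking how many leading bytes matched.
		if subtle.ConstantTimeCompare([]byte(got), []byte(token)) == 1 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	token, err := issueToken()
	if err != nil {
		panic(err)
	}
	// Constructed offline resolver standing in for net.LookupTXT.
	fake := func(name string) ([]string, error) {
		if name == "_sniffed.example.com" {
			return []string{"v=spf1 -all", recordPrefix + token}, nil
		}
		return nil, &net.DNSError{Err: "no such host", Name: name, IsNotFound: true}
	}
	ok, err := verifyDomain(fake, "example.com.", token)
	fmt.Println("example.com verified:", ok, err)
	ok, err = verifyDomain(fake, "other.example", token)
	fmt.Println("other.example verified:", ok, err)
}
```

Issuing a distinct token per domain and per account is what makes the check prove control of that specific zone; reusing one value across customers would let a record published for one account satisfy another.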
Access Controls
Account access is protected by session-based authentication with secure, HTTP-only cookies. Credential material is encrypted before storage and only decrypted within sandboxed scan environments. Internal administrative access is restricted to authorised personnel with elevated permissions.
Infrastructure Security
Our application is hosted on Vercel with automatic TLS and edge delivery. Worker infrastructure runs on DigitalOcean with firewalled access. Our database is hosted on Supabase with encrypted connections and managed backups. All infrastructure providers maintain SOC 2 compliance or equivalent certifications.
Incident Response
In the event of a security incident affecting customer data, we will notify affected customers within 72 hours of becoming aware of the breach, in accordance with our Data Processing Agreement and UK GDPR requirements. Notifications will include the nature of the incident, the data affected, and the steps being taken to resolve it.
Questions or Concerns?
If you have questions about our security practices, need to report a vulnerability, or would like to discuss specific compliance requirements, contact us at hello@sniffed.ai.