We build security tools — so we take security seriously. Here's how we protect your data and the practices we follow.
All data is encrypted in transit using TLS 1.2+. Database storage is encrypted at rest via Supabase's infrastructure (AES-256). API keys are hashed with SHA-256 before storage — we never store raw API keys.
Database access is governed by Row-Level Security (RLS) policies. Users can only read and modify their own data. Service role access is restricted to server-side operations (webhooks, admin functions) and is never exposed to the client.
Authentication is managed by Supabase Auth with secure session tokens. We support email/password and Google OAuth. Sessions are stored in HttpOnly cookies with Secure and SameSite attributes.
All payment processing is handled by Stripe, a PCI DSS Level 1 certified processor. We never see or store your credit card number. Webhook signatures are verified using Stripe's signing secret to prevent tampering.
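As an added illustration (not Scandar's or Stripe's own code) of what the webhook signature check above protects against, the following verifies a Stripe-style `Stripe-Signature` header: it assumes the documented format `t=<unix ts>,v1=<hex hmac>`, a signed payload of `<ts>.<raw body>` under HMAC-SHA256 with the endpoint's signing secret, and uses a constructed placeholder secret and event body.

```python
"""Verify a Stripe-style webhook signature (added example, not Scandar's code).

Assumptions: header format "t=<unix ts>,v1=<hex hmac>[,v1=...]", signed payload
"<ts>.<raw body>", HMAC-SHA256 keyed with the endpoint signing secret. The secret
and event body below are constructed placeholders, not real values.
"""
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

TOLERANCE_SECONDS = 300  # reject events whose timestamp is too old (replay guard)


def sign_payload(secret: str, timestamp: int, body: bytes) -> str:
    """Compute the v1 signature exactly as the sender would over "<ts>.<body>"."""
    signed = f"{timestamp}.".encode() + body
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split the header into its timestamp and the list of v1 signatures."""
    ts: Optional[int] = None
    sigs: List[str] = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            ts = int(value)
        elif key == "v1" and value:
            sigs.append(value)
    if ts is None or not sigs:
        raise ValueError("malformed signature header")
    return ts, sigs


def verify_webhook(secret: str, header: str, body: bytes, now: Optional[int] = None) -> bool:
    """Return True only if the timestamp is fresh and a v1 signature matches the raw body."""
    try:
        ts, sigs = parse_signature_header(header)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or replayed event
    expected = sign_payload(secret, ts, body)
    # Constant-time comparison; several v1 entries may appear during secret rotation.
    return any(hmac.compare_digest(expected, s) for s in sigs)


# Constructed demo values (placeholder secret, not a real key).
SECRET = "whsec_PLACEHOLDER_TEST_SECRET"
BODY = b'{"id":"evt_test_1","type":"checkout.session.completed"}'
TS = 1_700_000_000
HEADER = f"t={TS},v1={sign_payload(SECRET, TS, BODY)}"
```

Verification must run over the raw request bytes, not a re-serialized JSON object, since any whitespace or key-order change alters the MAC.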
Layer 1 scanning via the CLI runs entirely on your machine. No file content, scan results, or metadata are transmitted to our servers. Layer 2 analysis requires sending content over HTTPS to our API or directly to Anthropic's API.
Layer 2 LLM analysis sends file content to Anthropic's Claude API over HTTPS. Anthropic does not use API inputs for model training. See Anthropic's privacy policy.
If you discover a security vulnerability in Scandar, we appreciate responsible disclosure. Please report vulnerabilities to security@scandar.ai. We will acknowledge receipt within 48 hours and aim to resolve critical issues within 7 days.
Please include:
We will not take legal action against researchers who follow responsible disclosure practices.
We are committed to transparency about our security posture. Our current status:
We will publish our first transparency report in Q3 2026 covering vulnerability statistics, incident history, and certification milestones.
Security inquiries: security@scandar.ai