Security & Privacy at VIOscan
We design our platform with privacy and security in mind. This page summarizes how we protect your data and how to contact us for security matters.
Data we collect, purpose and retention
What you provide
- Account: Email address for authentication and account communications.
- Payments: Processed by Stripe. We do not store card data.
- Support: Content of messages you voluntarily send us.
Automatically collected
- Usage: Basic event data to operate and improve the Service.
- Device: Browser and IP address for security and abuse prevention.
- Cookies: Essential cookies for authentication and preferences.
Retention and deletion
- Retention: For as long as your account is active, needed to provide the Service, or required by law.
- Deletion: You can request account deletion at any time. We will remove or irreversibly anonymize personal data unless legal obligations apply.
Encryption
- In transit: HTTPS with TLS 1.2+.
- At rest: Provider‑managed encryption for storage and databases.
Backups & continuity
- Backups: Automated periodic backups of critical data.
- Testing: Restoration procedures are periodically tested.
- Objectives: Target RPO ≤ 24h and RTO ≤ 24h for core services.
Access management
- MFA: Required for critical systems and administration consoles.
- Least privilege: Role‑based access; production access restricted.
- Reviews: Regular access reviews; immediate offboarding on exit.
Vulnerability management
- Patching: Regular dependency and OS updates.
- Scanning: Automated security scans on key assets.
- Pentest: Periodic external penetration testing.
- Remediation targets: Critical ≤ 1 day, High ≤ 3 days, Medium ≤ 30 days, Low ≤ 90 days.
Security operations
- Application security: Multi-layered security middleware with request validation and automated threat mitigation.
- Session management: Secure session handling with enterprise-grade storage and expiration policies.
- Request filtering: Advanced rate limiting and abuse prevention mechanisms to maintain service quality.
- Data protection: Comprehensive input sanitization and output encoding to prevent common attack vectors.
Payments and checkout security
- We use Stripe to process payments. Card data never touches our servers.
- Stripe is PCI DSS compliant. Strong Customer Authentication (SCA) and 3D Secure (3DS) are supported when applicable.
Subprocessors
| Provider | Purpose | Notes |
| --- | --- | --- |
| Stripe | Payment processing | PCI DSS compliant |
| Plausible | Privacy‑friendly analytics | Cookie‑less, GDPR‑friendly |
Infrastructure architecture
- Application layer: Modern server architecture with process management and automatic recovery mechanisms.
- Database tier: Enterprise-class relational database with connection pooling and transaction integrity.
- Web security: Content security policies with header-based protection and cross-origin request management.
- Traffic management: Intelligent request handling with proxy configuration and secure communication channels.
Monitoring and observability
- Application logging: Structured request and error logging with configurable verbosity levels for operational insights.
- Performance tracking: Response time monitoring and resource utilization analysis for optimal user experience.
- Security events: Automated logging of authentication attempts and security-relevant activities.
- Service health: Continuous availability monitoring with automated alerting for critical system components.
Compliance framework
- Data governance: Structured data handling policies with clear retention and deletion procedures.
- Privacy controls: Purpose-built data collection practices with user consent management and transparency.
- Transaction integrity: Comprehensive audit logging with tamper-evident record keeping for accountability.
- Regulatory readiness: Privacy-first design principles aligned with modern data protection standards.
Status and uptime
We monitor infrastructure performance and availability. Our systems are designed with redundancy and failover mechanisms to ensure reliable service availability and maintain optimal uptime for our users.
Vulnerability Disclosure Policy
If you believe you have found a security vulnerability, we appreciate responsible disclosure. Please contact us with details sufficient to reproduce the issue.
Guidelines
- Do not access, modify, or exfiltrate data that is not yours.
- Avoid actions that could degrade service (e.g., DDoS, spam, brute force, automated scanning against production).
- Give us reasonable time to investigate and fix before public disclosure.
- Testing must respect applicable laws and terms.
We do not operate a paid bug bounty at this time. Good‑faith reports will receive acknowledgement. Our security.txt is available at /.well-known/security.txt.
Security contact: Contact us
Last updated: August 14, 2025