Responsible disclosure
If you find a vulnerability, email [email protected]. Please give us 48 hours to acknowledge before public disclosure. We don't run a bug bounty — we do send thank-you notes, shout-outs, and stickers.
Encrypt sensitive details with our PGP key if needed.
Please do
Pentest against your own account. Don't scan or attempt to exploit other customers' data or infrastructure — we'll share test domains if you need them.
Transport
- All traffic is TLS 1.2+ with modern ciphers. HTTP is 301'd to HTTPS.
- HSTS with max-age=31536000 and includeSubDomains.
- Certificates issued by Let's Encrypt; auto-renewed > 30 days before expiry.
Authentication
- API keys are 40-character random strings (tc_live_… / tc_test_…) — hashed and stored with at-rest encryption.
- Each key supports an IP allowlist; once set, non-matching IPs return 403.
- Dashboard auth uses Laravel's stock bcrypt + session cookies (SameSite=Lax, HttpOnly, Secure).
- Email verification is required before any paid billing.
SSRF protection
Every URL-fetching endpoint (screenshot, PDF, scrape, SEO, diff, broken-links, link-preview) validates the target:
- Only http(s) schemes allowed — no file:, gopher:, etc.
- DNS resolution is checked against RFC-1918 / link-local / loopback ranges; private IPs return 403.
- Redirects re-validate each hop; headless browser instances run in a sandbox.
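The three checks above, written out as an added example rather than the service's own code: an http(s) scheme allowlist, resolution of every DNS record for the host against non-routable ranges, and re-validation of each redirect hop before it is fetched. The injectable resolver, the fetcher interface and the hostnames used with it are assumptions so the code runs offline.

```python
"""SSRF target validation, added example (not the service's own code); resolver and fetcher are injectable so it runs offline on sample hosts."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECTS = {301, 302, 303, 307, 308}
MAX_HOPS = 5

def default_resolver(host):
    # Return every address the name resolves to; any private one rejects the name.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_ip(addr):
    """False for RFC-1918, loopback, link-local and other non-routable space."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 scope id
    except ValueError:
        return False  # unparseable addresses are never trusted
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_target(url, resolver=default_resolver):
    """Return (allowed, reason); False corresponds to the page's 403."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, UnicodeError):
        return False, "resolution failed"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"{parts.hostname} resolves to non-public {addr}"
    return True, "ok"

def fetch_with_revalidation(url, fetcher, resolver=default_resolver):
    """Follow redirects by hand so every hop passes validate_target.
    fetcher(url) -> (status, location_or_body) is a hypothetical interface."""
    for _ in range(MAX_HOPS):
        ok, reason = validate_target(url, resolver)
        if not ok:
            return 403, reason
        status, payload = fetcher(url)
        if status not in REDIRECTS:
            return status, payload
        url = payload  # Location header, validated on the next iteration
    return 403, "too many redirects"
```

Resolving and checking every record (not just the first) matters because a name can carry both a public and a private address; the manual redirect loop is what keeps a public first hop from bouncing the fetcher onto an internal address.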
Data retention
- Screenshots & PDFs: stored on our CDN for 24–72 hours depending on plan, then purged. Signed URLs expire at the same time.
- Scraped content: never persisted beyond the response. Cache-memoized for up to 15 minutes if the same URL is requested twice.
- API logs: request-id, endpoint, status, latency, timestamp — 90 days. No request bodies.
- Payment data: handled by Stripe. We only store the customer ID and last 4 of the card.
Vendors & subprocessors
- Stripe — billing. SOC 2 Type II, PCI DSS Level 1.
- Cloudflare — CDN + DDoS. No logs retained past 7 days.
- Hetzner — VPS hosting (Germany / Finland). GDPR-compliant.
- Bunny CDN — screenshot/PDF asset delivery.
- Resend — transactional email.
Compliance
- GDPR-compliant by design (EU-hosted data, minimal collection, deletion-on-request).
- Not SOC 2 certified. If you need it, email us — we're happy to share our infra posture.
- Privacy policy: /privacy. Terms: /terms.
Contact
Security issues: [email protected]. Everything else: [email protected].