Security

Last updated: May 13, 2026

We sell security. We’d be hypocrites if we didn’t take it seriously ourselves. This page explains how we protect customer data and how to report a vulnerability you find in Pentry.ai.

Reporting a Vulnerability

If you discover a vulnerability in Pentry.ai itself, please email [email protected]. We treat all reports confidentially and aim to:

  • Acknowledge within 24 hours.
  • Validate and triage within 72 hours.
  • Fix critical issues within 7 days; less severe issues within 30.
  • Credit you in our security changelog (with your consent).

Machine-readable details are at /.well-known/security.txt per RFC 9116.

Scope

In scope:

  • The Pentry.ai application (auth, scans, billing, dashboards).
  • The Pentry.ai API.
  • The marketing site.

Out of scope:

  • Findings about customers’ targets — those belong to the customer, not us.
  • Social engineering, physical attacks, DoS.
  • Issues already publicly known and being remediated.
  • Rate-limit bypasses without a meaningful impact path.

Safe Harbor

We won’t pursue legal action against researchers who:

  • Disclose responsibly to [email protected].
  • Don’t access, modify, or delete other users’ data.
  • Don’t disrupt the service.
  • Give us reasonable time to fix before public disclosure (typically 90 days).

Encryption

  • In transit: TLS 1.3 everywhere (HSTS preload, no plaintext fallback).
  • At rest: Postgres data volumes are encrypted on disk. Sensitive fields (target authentication credentials, integration tokens, affiliate payout details) are additionally encrypted at the field level with Fernet (AES-128-CBC with HMAC-SHA256, encrypt-then-MAC).
  • Passwords: bcrypt (cost 12). We never see your plaintext password.
  • API keys: bcrypt-hashed; the full key is shown once at creation.

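The API-key bullet above describes a pattern with two easily missed details: the secret is shown once and only a slow salted hash is stored, but a salted hash cannot be used as a database lookup key, so the record has to be found by a cleartext prefix first. The following is an added example illustrating that lifecycle; it is not Pentry.ai's code. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the bcrypt hashing the page states (swap in bcrypt.hashpw for production), and the "pk_" prefix, the 11-character lookup slice and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumptions for this example: the real key prefix and lookup length are not stated on the page.
API_KEY_PREFIX = "pk_"
LOOKUP_LEN = 11          # "pk_" + 8 random chars, stored in clear so the row can be found
PBKDF2_ROUNDS = 200_000  # stdlib stand-in for bcrypt cost; use bcrypt.hashpw in production


@dataclass
class StoredKey:
    lookup: str    # cleartext prefix used only to locate the row
    salt: bytes
    digest: bytes  # slow hash of the full key; the plaintext is never persisted
    org_id: int


# Constructed in-memory store standing in for the keys table.
KEYS: Dict[str, StoredKey] = {}


def _slow_hash(secret: str, salt: bytes) -> bytes:
    """Deliberately expensive hash so a leaked table cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def create_api_key(org_id: int) -> str:
    """Mint a key, persist only its hash, and return the plaintext exactly once."""
    full_key = API_KEY_PREFIX + secrets.token_urlsafe(32)   # 46 chars, under bcrypt's 72-byte limit
    lookup = full_key[:LOOKUP_LEN]
    salt = os.urandom(16)
    KEYS[lookup] = StoredKey(lookup, salt, _slow_hash(full_key, salt), org_id)
    return full_key  # the caller displays this; it is not stored and cannot be shown again


def verify_api_key(presented: str) -> Optional[int]:
    """Return the owning org_id for a valid key, or None."""
    record = KEYS.get(presented[:LOOKUP_LEN])
    if record is None:
        # Burn the same hashing cost so an unknown prefix is not distinguishable by timing.
        _slow_hash(presented, b"\x00" * 16)
        return None
    if hmac.compare_digest(_slow_hash(presented, record.salt), record.digest):
        return record.org_id
    return None
```

A real deployment would also record a created/last-used timestamp per key and let the owner revoke by the cleartext prefix, which is safe to display in the dashboard precisely because it carries no secret on its own.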
Authentication

  • Email/password sign-in issues a short-lived JWT access token plus a refresh token.
  • Sign in with Google (OIDC).
  • Per-account API tokens for CI/CD use.
  • 2FA — coming soon.

Authorization

  • Row-level access checks on every API endpoint (membership-scoped queries).
  • Verified-target requirement before any active scan.
  • Admin role is separate; admin actions are logged.
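The first two Authorization bullets are the difference between an endpoint that trusts a caller-supplied target id and one that will only return a row the caller's org actually owns. The following is an added example, not Pentry.ai's code, showing the unscoped lookup beside the membership-scoped one and the verified-target gate in front of an active scan. It uses plain sqlite3 with parameterized queries; the table and column names (memberships, targets, verified) and the sample rows are constructed for the example.

```python
import sqlite3
from typing import Optional, Tuple

Target = Tuple[int, int, str, int]  # (id, org_id, host, verified)


def build_db() -> sqlite3.Connection:
    """Constructed sample data: user 1 belongs to org 10, user 2 to org 20."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE memberships (user_id INTEGER, org_id INTEGER, PRIMARY KEY (user_id, org_id));
        CREATE TABLE targets (id INTEGER PRIMARY KEY, org_id INTEGER, host TEXT, verified INTEGER);
        INSERT INTO memberships VALUES (1, 10), (2, 20);
        INSERT INTO targets VALUES (100, 10, 'app.example.com', 1),
                                   (200, 20, 'shop.example.org', 0);
        """
    )
    return db


def get_target_unscoped(db: sqlite3.Connection, target_id: int) -> Optional[Target]:
    """Vulnerable pattern: parameterized, so no SQLi, but any caller can read any row (IDOR)."""
    return db.execute(
        "SELECT id, org_id, host, verified FROM targets WHERE id = ?", (target_id,)
    ).fetchone()


def get_target_for_user(db: sqlite3.Connection, user_id: int, target_id: int) -> Optional[Target]:
    """Membership-scoped: the row exists for this caller only if they belong to the owning org."""
    return db.execute(
        """
        SELECT t.id, t.org_id, t.host, t.verified
          FROM targets t
          JOIN memberships m ON m.org_id = t.org_id
         WHERE t.id = ? AND m.user_id = ?
        """,
        (target_id, user_id),
    ).fetchone()


class Forbidden(Exception):
    pass


class TargetNotVerified(Exception):
    pass


def start_active_scan(db: sqlite3.Connection, user_id: int, target_id: int) -> str:
    """Every active scan passes the ownership check first, then the verification gate."""
    target = get_target_for_user(db, user_id, target_id)
    if target is None:
        # Same response whether the row is missing or belongs to another org.
        raise Forbidden("no such target in your organizations")
    if not target[3]:
        raise TargetNotVerified("prove ownership of the target before scanning it")
    return f"scan queued for {target[2]}"
```

The scoped query puts the membership join in the WHERE clause rather than checking ownership in application code after the fetch, so a forgotten check on one handler cannot leak a row that the query itself never returned.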

Infrastructure

  • Production hosted on EU-resident infrastructure by default.
  • Background scan workers isolated in containers; no shared state across orgs.
  • Database backups: encrypted, nightly, retained 30 days, restores tested.
  • Secrets via environment variables; no secrets in source control. Vault integration on roadmap.

Application Practices

  • SQL: parameterized via SQLAlchemy ORM — no string concatenation against user input.
  • XSS: React auto-escapes; we don’t use dangerouslySetInnerHTML on user input.
  • CSRF: session cookies are set with SameSite=Strict, and state-changing requests additionally carry a double-submit CSRF token.
  • Rate limiting on auth endpoints (5 requests/min/IP), password change (5/min/user), account deletion (3/hour/user).
  • Dependency vulnerability scanning via Dependabot (planned: Snyk).
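The rate-limit bullet gives three concrete limits, and the Scope section declines bypasses "without a meaningful impact path"; the most common bypass is spoofing the client address via X-Forwarded-For, so the limiter is only as good as the IP it keys on. The following is an added example, not Pentry.ai's code, with a sliding-window limiter configured with the page's three limits and a client-IP resolver that only honours forwarded headers from trusted proxies. The trusted-proxy set, bucket names and the injectable clock are assumptions made for the example.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, FrozenSet, Tuple

# Limits as stated on the page: (max requests, window in seconds).
LIMITS: Dict[str, Tuple[int, int]] = {
    "auth": (5, 60),               # keyed per client IP
    "password_change": (5, 60),    # keyed per user
    "account_delete": (3, 3600),   # keyed per user
}


class SlidingWindowLimiter:
    """Exact sliding window: keeps the timestamps of recent hits per (bucket, subject)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock  # injectable so tests can move time forward deterministically
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def allow(self, bucket: str, subject: str) -> bool:
        limit, window = LIMITS[bucket]
        now = self._clock()
        hits = self._hits[(bucket, subject)]
        while hits and now - hits[0] >= window:   # evict hits that fell out of the window
            hits.popleft()
        if len(hits) >= limit:
            return False
        hits.append(now)
        return True


def client_ip(remote_addr: str, x_forwarded_for: str, trusted_proxies: FrozenSet[str]) -> str:
    """Resolve the address to rate-limit on without letting the client choose it.

    Only when the TCP peer is one of our own proxies is X-Forwarded-For consulted, and
    then from the right, so the hop that connected to our edge wins over anything the
    client prepended.
    """
    if remote_addr not in trusted_proxies or not x_forwarded_for:
        return remote_addr  # direct connection: the header is attacker-controlled, ignore it
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr
```

For a multi-instance deployment the per-process deque would move to a shared store such as Redis, but the keying decision (trusted-proxy-aware IP for unauthenticated endpoints, user id once the caller is authenticated) is what determines whether the limit can be sidestepped.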

Scan Engine Safety

Every scan against your targets is non-destructive:

  • No payloads that modify or exploit (no SQLi inserts, no destructive XSS, no DoS).
  • Nuclei templates tagged as intrusive are excluded.
  • AI analysis never auto-submits exploits; it suggests remediations only.
  • You can allowlist our scanner IPs (under each target's settings) so your WAF doesn't block the scan or flag it as an attack.

Privacy

See our Privacy Policy for the full breakdown of what we collect, retain, and share.

Compliance Roadmap

  • GDPR + CCPA — compliant today (see Privacy Policy).
  • SOC 2 Type II — in progress.
  • ISO 27001 — planned 12 months out.

Operations & Incident Response

  • On-call coverage 7 days a week. Critical alerts page the on-call engineer within 5 minutes.
  • Status announcements live on status.pentryai.com.
  • Customer notification within 72 hours for any incident affecting their data.

Questions

For anything not covered here, email [email protected].